Microsoft are improving their cloud platform by providing more log sources that can be consumed to gain visibility into enumeration and data read events. However, due to Azure's complexity, with its mix of legacy and modern systems, the same objective can be achieved by an attacker through different methods, each inherently producing different indicators. As a result, the challenges that organisations face, and will continue to face, are the following:
- Attackers using known and lesser-known APIs to perform activities against a tenant and Azure resources.
- Attackers remaining undetected because defensive teams have made assumptions about how specific attacks would be performed.
This talk will build on publicly available research into undocumented APIs within Azure and present different ways that attackers can use these APIs to gather information about an environment and also perform actions against the estate. For each method discussed, the talk will also present what controls exist to try to prevent its abuse within an organisation, as well as what telemetry is generated when the attack is performed. This will allow attendees to understand the available attack surface within Azure and provide guidance on the non-typical log sources that should be ingested to improve attack detection in an estate.
Christian Philipov
Chris is a principal security consultant and leads the Cloud Security capability area within WithSecure Consulting. As part of his day-to-day work he leads the global team that deals with many different types of engagements, both transactional and more bespoke in nature. Chris specialises predominantly in Microsoft Azure, with GCP and AWS as additional background.