https://kidtronnix.com/tags/bsides/Recent content in BSides on Simon Maxwell-StewartHugo -- gohugo.ioen-usWed, 26 Feb 2025 11:07:55 -0800https://kidtronnix.com/post/bsides-dublin-2025/Wed, 26 Feb 2025 11:07:55 -0800https://kidtronnix.com/post/bsides-dublin-2025/<img src="https://upload.wikimedia.org/wikipedia/commons/6/60/Trinity_Business_School_bilingual_sign%2C_Pearse_Street_Dublin_%282024%29.jpg" alt="Featured image of post BSides Dublin 2025" /><p>I&rsquo;m super excited to be speaking at <a class="link" href="https://www.bsidesdub.ie/" target="_blank" rel="noopener" >BSides Dublin 2025</a>.</p> <p><img src="https://kidtronnix.com/img/bsides-dublin-2025.png" loading="lazy" alt="session details" ></p> <h2 id="restless-guests">Restless Guests </h2><h3 id="from-subscription-to-backdoor-intruder">From Subscription to Backdoor Intruder </h3><p>Through novel research our team uncovered a critical vulnerability in Azure&rsquo;s guest user model, revealing that guest users can create and own subscriptions in external tenants they&rsquo;ve joined—even without explicit privileges. This capability, which is often overlooked by Azure administrators, allows attackers to exploit these subscriptions to expand their access, move laterally within resource tenants, and create stealthy backdoor identities in the Entra directory. Alarmingly, Microsoft has confirmed real-world attacks using this method, highlighting a significant gap in many Azure threat models. This talk will share the findings from this first of its kind research into this exploit found in the wild.</p> <p>We&rsquo;ll dive into how subscriptions, intended to act as security boundaries, make it possible for any guest to create and control a subscription undermines this premise. We&rsquo;ll provide examples of attackers leveraging this pathway to exploit known attack vectors to escalate privileges and establish persistent access, a threat most Azure admins do not anticipate when inviting guest users. While Microsoft plans to introduce preventative options in the future, this gap leaves organizations exposed to risks they may not even realize exist––but should definitely know about!</p>https://kidtronnix.com/post/owasp-global-appsec-eu-2025/Wed, 26 Feb 2025 11:07:55 -0800https://kidtronnix.com/post/owasp-global-appsec-eu-2025/<img src="https://upload.wikimedia.org/wikipedia/commons/7/74/Sagrada_Familia_March_2015-10a.jpg" alt="Featured image of post OWASP Global Appsec EU 2025" /><p>I&rsquo;m super excited to be speaking at <a class="link" href="https://owasp.glueup.com/event/owasp-global-appsec-eu-2025-123983/" target="_blank" rel="noopener" >OWASP Global Appsec Eu 2025</a>.</p> <h2 id="restless-guests">Restless Guests </h2><h3 id="from-subscription-to-backdoor-intruder">From Subscription to Backdoor Intruder </h3><p>Through novel research our team uncovered a critical vulnerability in Azure&rsquo;s guest user model, revealing that guest users can create and own subscriptions in external tenants they&rsquo;ve joined—even without explicit privileges. This capability, which is often overlooked by Azure administrators, allows attackers to exploit these subscriptions to expand their access, move laterally within resource tenants, and create stealthy backdoor identities in the Entra directory. Alarmingly, Microsoft has confirmed real-world attacks using this method, highlighting a significant gap in many Azure threat models. This talk will share the findings from this first of its kind research into this exploit found in the wild.</p> <p>We&rsquo;ll dive into how subscriptions, intended to act as security boundaries, make it possible for any guest to create and control a subscription undermines this premise. We&rsquo;ll provide examples of attackers leveraging this pathway to exploit known attack vectors to escalate privileges and establish persistent access, a threat most Azure admins do not anticipate when inviting guest users. While Microsoft plans to introduce preventative options in the future, this gap leaves organizations exposed to risks they may not even realize exist––but should definitely know about!</p>https://kidtronnix.com/post/bsides-seattle-2025/Wed, 26 Feb 2025 11:07:33 -0800https://kidtronnix.com/post/bsides-seattle-2025/<img src="https://upload.wikimedia.org/wikipedia/commons/3/30/Building92microsoft.jpg" alt="Featured image of post BSides Seattle 2025" /><p>I&rsquo;m super excited to be speaking at <a class="link" href="https://www.bsidesseattle.com/" target="_blank" rel="noopener" >BSides Seattle 2025</a>.</p> <p><img src="https://kidtronnix.com/img/bsides-seattle-2025.png" loading="lazy" alt="session details" ></p> <h2 id="restless-guests">Restless Guests </h2><h3 id="from-subscription-to-backdoor-intruder">From Subscription to Backdoor Intruder </h3><blockquote> <p>Discover a critical vulnerability in Azure&rsquo;s guest user model that enables attackers to create and control subscriptions in external tenants—without explicit privileges. This overlooked capability lets adversaries expand access, move laterally, and plant stealthy backdoors in Entra directories. With confirmed real-world attacks exploiting this gap, our first-of-its-kind research reveals how attackers leverage these pathways, why this undermines Azure&rsquo;s security assumptions, and what organizations must do to protect themselves before Microsoft&rsquo;s fixes arrive.</p> </blockquote> <h2 id="details">Details </h2><blockquote> <p>Through novel research our team uncovered a critical vulnerability in Azure&rsquo;s guest user model, revealing that guest users can create and own subscriptions in external tenants they&rsquo;ve joined—even without explicit privileges. This capability, which is often overlooked by Azure administrators, allows attackers to exploit these subscriptions to expand their access, move laterally within resource tenants, and create stealthy backdoor identities in the Entra directory. Alarmingly, Microsoft has confirmed real-world attacks using this method, highlighting a significant gap in many Azure threat models. This talk will share the findings from this first of its kind research into this exploit found in the wild.</p> <p>We&rsquo;ll dive into how subscriptions, intended to act as security boundaries, make it possible for any guest to create and control a subscription undermines this premise. We&rsquo;ll provide examples of attackers leveraging this pathway to exploit known attack vectors to escalate privileges and establish persistent access, a threat most Azure admins do not anticipate when inviting guest users. While Microsoft plans to introduce preventative options in the future, this gap leaves organizations exposed to risks they may not even realize exist––but should definitely know about!</p> </blockquote>https://kidtronnix.com/post/bsides-slc-2025/Wed, 26 Feb 2025 11:06:57 -0800https://kidtronnix.com/post/bsides-slc-2025/<img src="https://upload.wikimedia.org/wikipedia/commons/1/1e/Salt_Lake_City_-_July_16%2C_2011.jpg" alt="Featured image of post BSides SLC 2025" /><p>I&rsquo;m super excited to be speaking at <a class="link" href="https://www.bsidesslc.org/" target="_blank" rel="noopener" >BSides SLC 2025</a>.</p> <p>Date: Friday, 11 Apr 2025 Time: 1:30 pm - 2:20 pm (50 minutes)</p> <p>Experience Level: Intermediate-Advanced</p> <h2 id="restless-guests">Restless Guests </h2><h3 id="from-subscription-to-backdoor-intruder">From Subscription to Backdoor Intruder </h3><p>Through novel research our team uncovered a critical vulnerability in Azure&rsquo;s guest user model, revealing that guest users can create and own subscriptions in external tenants they&rsquo;ve joined—even without explicit privileges. This capability, which is often overlooked by Azure administrators, allows attackers to exploit these subscriptions to expand their access, move laterally within resource tenants, and create stealthy backdoor identities in the Entra directory. Alarmingly, Microsoft has confirmed real-world attacks using this method, highlighting a significant gap in many Azure threat models. This talk will share the findings from this first of its kind research into this exploit found in the wild.</p> <p>We&rsquo;ll dive into how subscriptions, intended to act as security boundaries, make it possible for any guest to create and control a subscription undermines this premise. We&rsquo;ll provide examples of attackers leveraging this pathway to exploit known attack vectors to escalate privileges and establish persistent access, a threat most Azure admins do not anticipate when inviting guest users. While Microsoft plans to introduce preventative options in the future, this gap leaves organizations exposed to risks they may not even realize exist––but should definitely know about!</p> <h3 id="details">Details </h3><p>Outline: Introduction to the Vulnerability</p> <ul> <li>Overview of Azure&rsquo;s guest user model.</li> <li>The discovery: guest users can create and own subscriptions in external tenants without explicit privileges.</li> <li>Implications of the Vulnerability</li> </ul> <p>Why subscriptions are assumed to act as security boundaries.</p> <ul> <li>How this capability undermines that security premise.</li> <li>Attack Techniques and Real-World Exploits</li> </ul> <p>Examples of how attackers escalate privileges using these guest-controlled subscriptions.</p> <ul> <li>Real-world cases confirmed by Microsoft showcasing the severity of this exploit.</li> <li>Impact on Organizations</li> </ul> <p>Risks of lateral movement and persistent access.</p> <ul> <li>Common oversights in Azure threat models related to guest users.</li> <li>Microsoft&rsquo;s Response and Future Preventative Options</li> </ul> <p>Planned fixes and their anticipated timeline.</p> <ul> <li>Current gaps that leave organizations exposed.</li> <li>Actionable Takeaways for Defenders</li> </ul> <p>Immediate steps Azure admins can take to mitigate the risk.</p> <ul> <li>Long-term strategies to strengthen tenant security against such exploits.</li> </ul>