https://kidtronnix.com/tags/microsoft/Recent content in Microsoft on Simon Maxwell-StewartHugo -- gohugo.ioen-usThu, 28 May 2026 11:00:00 -0800https://kidtronnix.com/post/troopers-2026/Thu, 28 May 2026 11:00:00 -0800https://kidtronnix.com/post/troopers-2026/<img src="https://cdn12.picryl.com/photo/2016/12/31/stormtrooper-star-wars-lego-dfb382-1024.jpg" alt="Featured image of post Troopers 2026" /><p>I&rsquo;m super excited to be speaking at <a class="link" href="https://troopers.de/troopers26/talks/3retq9/" target="_blank" rel="noopener" >Troopers 2026</a>, June 24th - 26th.</p> <h2 id="popping-microsofts-sandbox">Popping Microsoft&rsquo;s Sandbox </h2><h3 id="what-falls-out-of-a-dataverse-container">What Falls Out of a Dataverse Container </h3><p>Microsoft Dataverse runs customer code inside process-isolated containers that are supposed to keep tenants safely separated. In this talk I&rsquo;ll share research from BeyondTrust&rsquo;s Phantom Labs where we deployed a custom .NET plugin into the sandbox and walked out with system credentials, cryptographic keys, proprietary DLLs, and customer data.</p> <p>By decompiling ~14,000 C# source files we reverse-engineered the internal gRPC protocol, documented 27 unauthenticated methods across three services, and explored what cross-tenant code execution actually looks like in practice.</p> <h3 id="details">Details </h3><p>What we&rsquo;ll cover:</p> <ul> <li>Standard Dataverse plugin deployment mechanics</li> <li>Escalation to SYSTEM privileges via a single command</li> <li>Extraction of LSASS dumps, registry hives, and process memory (400+ MB total)</li> <li>Recovery of production TLS private keys and 52 customer organization identifiers</li> <li>gRPC protocol analysis and custom tooling development</li> <li>Cross-tenant execution scenarios and their limitations</li> <li>Sandbox defense mechanisms that succeeded versus those that failed</li> <li>Disclosure timeline and Microsoft&rsquo;s response</li> </ul>