harmj0y Dec 21, 2022
Andy Robbins

New blog post out: Passwordless Persistence and Privilege Escalation in Azure.

Link: https://posts.specterops.io/passwordless-persistence-and-privilege-escalation-in-azure-98a01310be3f

In this blog post I explain how new passwordless authentication mechanisms like Azure's Certificate Based Authentication can be subverted by adversaries to establish long-term stealthy persistence, and explain a built-in privilege escalation primitive that exists in CBA.

Passwordless Persistence and Privilege Escalation in Azure

Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely…

Posts By SpecterOps Team Members
Dec 21, 2022 at 4:52pmWeb
Show threadFabian BaderDec 21, 2022

@wald0
Great post and attack path 👏 always a treat.

You might consider adding Authentication strength as an additional defensive method, as you could restrict CBA for certain roles this way.

Show threadAndy RobbinsDec 21, 2022
@fabian_bader Excellent suggestion, I will add that to the post as soon as I can.
Show threadNeuromancerDec 28, 2022
@wald0 There is an inconstancy between this post and an earlier talk at Ekoparty regarding the parmissions required to add a root CA cert to an AAD tenant. Which is correct?
Show threadAndy RobbinsDec 29, 2022
@Neuromancer The blog post is correct, I made an error in the slide deck.
Show threadNeuromancerDec 30, 2022
@wald0 thank you :)