Modern Adventures in Azure Privilege Escalation
The increase in hybrid cloud adoption over the last decade has extended traditional Active Directory domain environments into the Azure (and Entra ID) cloud. During that time, penetration tests and red team assessments have also been bringing Azure tenants into engagement scopes. Less experienced testers often find themselves with an initial foothold in Azure but lack experience with what an escalation path looks like. This talk will cover all the steps along the way from initial access through persistence. Attendees should walk away with some new techniques, along with a handful of potential escalation paths for furthering access in an Azure tenant. In addition to this, we will cover some techniques for maintaining privileged access after an initial escalation. Finally, we will be introducing a new resource for identifying attack paths for specific Azure services.
Starting off with some basics, we will give attendees a brief lesson on the fundamental concepts that support Azure tenants. Building on that foundation, we will explain what privilege escalation looks like in Azure, as compared to a traditional on-prem environment. Often in the cloud, there can be a blending of concepts that results in escalation, lateral movement, and persistence. With all of these in mind, we will then go over the escalation and lateral movement options for multiple Azure resource types. These will be focused on the permissions a user may have available, and how those permissions can be abused. We will also cover escalations from the Entra ID side and explain why that’s fundamentally different from the Azure resource level escalations. Finally, we will wrap things up with a few persistence concepts in Azure and provide some resources to help with escalations.