banner
LightNews
kfosaaen.bsky.social
Karl Fosaaen
@kfosaaen.bsky.social
210 followers 160 following 16 posts
VP of Research - @netspi Co-author of “Penetration Testing Azure for Ethical Hackers” (http://amzn.to/3GOvW3A). @kfosaaen on most other platforms
amzn.to
Posts Media Videos Starter Packs
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jul 24
And finally here's a direct link to the tool -
github.com/NetSPI/Micro...
MicroBurst/Az/Get-AzWebAppTokens.ps1 at master · NetSPI/MicroBurst
A collection of scripts for assessing Microsoft Azure security - NetSPI/MicroBurst
github.com
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jul 24
Cody really did all the heavy lifting here with figuring out the decryption. I just automated that process into a tool. Make sure to read his blog on that process - dazesecurity.io/blog/abusing...
Continuous Testing
dazesecurity.io
1
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jul 24
Building off of @codyburkard.com's prior work, I put together a tool for automating the decryption of Entra ID application tokens from Azure App Services resources.
Here's a blog that outlines the tooling:
www.netspi.com/blog/technic...
Automating Azure App Services Token Decryption | Tech Blog - NetSPI
Discover how to decrypt Azure App Services authentication tokens automatically using MicroBurst’s tooling to extract encrypted tokens for security testing.
www.netspi.com
1
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jul 18
I'm very excited to share that Thomas Elling and I will be presenting "We Know What You Did (in Azure) Last Summer" at the DEF CON @cloudvillage-dc.bsky.social this year (Friday - 10 AM). We will go over some techniques that can be used to find the owners of multiple types of Azure resources.
2 5
Reposted by Karl Fosaaen
netspi.bsky.social
NetSPI @netspi.bsky.social · Jul 8
NetSPI Principal Security Consultant Jason Juntunen recently published findings on a Remote Code Execution vulnerability in SailPoint's IQService component.

👉 Read the full technical breakdown: ow.ly/GbT150WmgRg

#proactivesecurity #VulnerabilityResearch
Set Sail: Remote Code Execution in SailPoint IQService via Default Encryption Key
NetSPI discovered a remote code execution vulnerability in SailPoint IQService using default encryption keys. Exploit details, discovery methods, and remediation guidance included.
www.netspi.com
2 1
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jul 1
New Function (Get-AzLoadTestingData) was also added to MicroBurst to automate this attack
github.com/NetSPI/Micro...
MicroBurst/Az/Get-AzLoadTestingData.ps1 at master · NetSPI/MicroBurst
A collection of scripts for assessing Microsoft Azure security - NetSPI/MicroBurst
github.com
1
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jul 1
TL;DR
The service allows you to run JMeter load tests.
It supports Managed Identities and Key Vaults.
You can get code execution on the service to extract tokens, vault secrets and certs
1
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jul 1
I have a new post out on the @netspi.bsky.social blog today. This one is on extracting sensitive information from the Azure Load Testing service. www.netspi.com/blog/technic...
Extracting Sensitive Information from Azure Load Testing
Learn how Azure Load Testing's JMeter JMX and Locust support enables code execution, metadata queries, reverse shells, and Key Vault secret extraction vulnerabilities.
www.netspi.com
1 2 3
Reposted by Karl Fosaaen
nullbind.bsky.social
Scott Sutherland @nullbind.bsky.social · Apr 2
I had a great time at #socon2025! Big thanks to the SpecterOps crew for hosting. Slides for my "Hunting SMB Shares" talk are below for those who are interested.

Slides
github.com/NetSPI/Power...

PowerHuntShares
github.com/NetSPI/Power...
2 3
Reposted by Karl Fosaaen
k8em0.bsky.social
Katie Moussouris (she/her/she-hulk/she-ra)🌻 @k8em0.bsky.social · May 1
If you’re on the fence about signing on to that @eff.org letter to support @thekrebscycle.bsky.social , please consider doing it sooner rather than later.

Don’t wait until there’s no one left to speak for you. #RSAC2025

www.cnn.com/2025/04/30/p...
Chris Krebs kicked off CBP’s Global Entry program | CNN Politics
Chris Krebs’, President Donald Trump’s former director of the Cybersecurity and Infrastructure Security Agency, membership in Global Entry has been revoked. Krebs, who has repeatedly attested to the s...
www.cnn.com
2 25 59
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Feb 27
If anyone wants to help out on a (hopefully) easy update for some functions in MicroBurst, we will need to make some adjustments for "Get-AzAccessToken" token output switching to a SecureString in Az PS 14.0.0
github.com/NetSPI/Micro...
Changes to Get-AzAccessToken token output (String to SecureString) · Issue #46 · NetSPI/MicroBurst
The Get-AzAccessToken cmdlet token output will be switching to a SecureString in version 14.0.0. There are currently several MicroBurst functions that make use of this cmdlet to get tokens. We will...
github.com
1
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Feb 11
Quick addition to Get-AzPasswords in MicroBurst - Azure OpenAI keys

This new section will dump any available OpenAI keys from Cognitive Services deployments that your user has list key permissions on.

github.com/NetSPI/Micro...
5
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jan 8
And here's a link to the blog - www.netspi.com/blog/technic...
Hijacking Azure Machine Learning Notebooks (via Storage Accounts)
Abusing Storage Account Permissions to attack Azure Machine Learning notebooks
www.netspi.com
1 2
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jan 8
The tooling was inspired by the research in this talk by Aled Mehta and Christian Philipov - "[D24] Smoke and Mirrors: How to hide in Microsoft Azure" - www.youtube.com/watch?v=uvoV...
1 2
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jan 8
In addition to the blog out today, there's a new tool in MicroBurst - Get-AzMachineLearningCredentials
This one has been in the works for a while, but it's a tool to dump the credentials that are stored by the Azure Machine Learning service. github.com/NetSPI/Micro...
MicroBurst/Az/Get-AzMachineLearningCredentials.ps1 at master · NetSPI/MicroBurst
A collection of scripts for assessing Microsoft Azure security - NetSPI/MicroBurst
github.com
1 3 5
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Jan 8
New
@netspi.bsky.social
blog out today on "Hijacking Azure Machine Learning Notebooks (via Storage Accounts)". This is very similar to Storage Account attacks that have been done against Function/Logic Apps and Cloud Shell - www.netspi.com/blog/technic...
Hijacking Azure Machine Learning Notebooks (via Storage Accounts)
Abusing Storage Account Permissions to attack Azure Machine Learning notebooks
www.netspi.com
1 2
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Dec 30
A big thank you to MSRC for the 2024 MVR merch! This is a nice way to wrap up the year.
2
Reposted by Karl Fosaaen
netspi.bsky.social
NetSPI @netspi.bsky.social · Dec 16
Balancing usability and security in deployments introduce new and unfamiliar risks to organizations. NetSPI created an open Large Language Model (LLM) framework to help clarify some ambiguity around LLM security.

Read more about this framework in our most recent article: ow.ly/Nhjs50Usaio
Balancing Security and Usability of Large Language Models: An LLM Benchmarking Framework
Explore the integration of Large Language Models (LLMs) in critical systems and the balance between security and usability with a new LLM benchmarking framework.
www.netspi.com
1 2
Reposted by Karl Fosaaen
netspi.bsky.social
NetSPI @netspi.bsky.social · Dec 17
What happens when you prioritize security over usability in AI models—or vice versa? Our Open LLM Security Benchmark dives deep into the trade-offs and implications, showcasing why this balance is critical for the future of AI. Access the paper here: ow.ly/zT2g50UsaZH
GitHub - NetSPI/Open-LLM-Security-Benchmark
Contribute to NetSPI/Open-LLM-Security-Benchmark development by creating an account on GitHub.
ow.ly
1 1
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Dec 16
This is some really exciting work from our team. Make sure to check out the benchmark repo on GitHub -https://github.com/NetSPI/Open-LLM-Security-Benchmark/tree/main
netspi.bsky.social
NetSPI @netspi.bsky.social · Dec 16
Balancing usability and security in deployments introduce new and unfamiliar risks to organizations. NetSPI created an open Large Language Model (LLM) framework to help clarify some ambiguity around LLM security.

Read more about this framework in our most recent article: ow.ly/Nhjs50Usaio
Balancing Security and Usability of Large Language Models: An LLM Benchmarking Framework
Explore the integration of Large Language Models (LLMs) in critical systems and the balance between security and usability with a new LLM benchmarking framework.
www.netspi.com
2
Reposted by Karl Fosaaen
nullbind.bsky.social
Scott Sutherland @nullbind.bsky.social · Nov 28
PowerHuntShares.v2: New Sample HTML Report
Here is a sample report for those who wanted it. Enjoy!
raw.githubusercontent.com/NetSPI/PowerHu…
1 1 1
Reposted by Karl Fosaaen
andyrobbins.bsky.social
Andy Robbins @andyrobbins.bsky.social · Nov 20
A quick tour of new functions in BARK that support Azure Key Vault tradecraft research, including a walk-through of how an adversary may chain these functions together as part of an attack path: posts.specterops.io/azure-key-va...
8 17
kfosaaen.bsky.social
Karl Fosaaen @kfosaaen.bsky.social · Nov 18
I had an amazing time last week attending and speaking at the Hybrid Identity Protection conference in New Orleans. There was a really solid line up of presentations and I was honored to be included this year.
2