Lightnews — Scholar-powered news

Reposted by Katie Knowles

Nick Frichette @frichetten.com · Aug 19

Old and busted: Cloud attackers making noisy List/Describe calls.

New hotness: Laundering enumeration calls through an AWS service silently.

Or at least, that used to work, until @datadoghq.com partnered with AWS to close this gap. Read more here:
securitylabs.datadoghq.com/articles/enu...

Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs

Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.

securitylabs.datadoghq.com

4 10

Katie Knowles @siigil.bsky.social · Aug 14

I think @dirkjanm.io may have initiated the extra pressure this one needed. 😁 Still excited about the outcome!

3

Katie Knowles @siigil.bsky.social · Aug 14

🎉 Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one:
securitylabs.datadoghq.com/articles/i-s...

I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs

Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...

securitylabs.datadoghq.com

1 1 11

Reposted by Katie Knowles

Hope Walker @1cemoon.bsky.social · Aug 13

Check out my new blog on nested app authentication.

SpecterOps @specterops.io · Aug 13

Why should Microsoft's Nested App Authentication (NAA) should be on your security team's radar? @1cemoon.bsky.social breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3

Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication - SpecterOps

In depth walkthrough for using nested app authentication (NAA), or BroCI, for offensive engagements to access information and resources.

ghst.ly

5 6

Katie Knowles @siigil.bsky.social · Jul 31

Excited to see folks at DEFCON next week!! Ready to see some great talks and get those conference steps in. 👟

3

Katie Knowles @siigil.bsky.social · Jul 28

Congrats!! Sounds like a fun (& wild!) opportunity.

Katie Knowles @siigil.bsky.social · Jul 16

🕵️‍♀️ Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @securitylabs.datadoghq.com post:
securitylabs.datadoghq.com/articles/i-s...

I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs

Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...

securitylabs.datadoghq.com

4

Reposted by Katie Knowles

Nick Frichette @frichetten.com · Jul 9

Join my team! We’re looking for a Senior Security Researcher specializing in Generative AI. You’ll have the opportunity to be a part of one of the leading security research organizations in the industry and shape Datadog’s security products! A 🧵
careers.datadoghq.com/detail/70312...

Senior Security Researcher - GenAI | Datadog Careers

We're building a platform that engineers love to use. Join us, and help usher in the future.

careers.datadoghq.com

1 6 4

Katie Knowles @siigil.bsky.social · Jul 3

☁️ My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service principal is, how Microsoft's first-party apps could be backdoored, and one weird trick they haven't fixed yet:
www.youtube.com/watch?v=oNpw...

I SPy: Rethinking Entra ID research for new paths to Global Admin

YouTube video by fwd:cloudsec

www.youtube.com

5

Reposted by Katie Knowles

Eric Woodruff @ericonidentity.com · Jun 25

At @wearetroopers.bsky.social I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications. The attack is still alive and well.

You can read all about it here:

#Entra #M365 #infosec

www.semperis.com/blog/noauth-...

New nOAuth Abuse Alert: Entra Cross-Tenant Saas Apps at Risk

Think nOAuth abuse is old news? We wish. Our recent testing shows that nearly 10% of apps in the Microsoft Entra Gallery remain vulnerable.

www.semperis.com

1 1

Katie Knowles @siigil.bsky.social · Jun 25

Enjoy! ☀️ Ignore my drooling over here. :)

1

Katie Knowles @siigil.bsky.social · Jun 24

My RSAC virtual session is up! Catch "Persisting Unseen: Attacker Methods of Infesting Entra ID" here: youtu.be/ngSFP-tgupM?...

Companion blog: kknowl.es/posts/defend...

Traditional Sessions: RSAC Virtual Seminar: Cloud Security

YouTube video by RSA Conference

youtu.be

2

Katie Knowles @siigil.bsky.social · Jun 24

Excited to watch these! roadoidc was great to play with, thank you for adding it. Been eagerly waiting to hear the full story on this, EAM, and FICs. 😁

1

Katie Knowles @siigil.bsky.social · Jun 17

🕵️‍♀️ I'll be presenting "I SPy: Rethinking Entra ID research for new paths to Global Admin” at fwd:cloudsec June 30-July 1, alongside some fantastic other speakers: fwdcloudsec.org/conference/n...

If you can’t make it, talks are streamed at: www.youtube.com/@fwdcloudsec

fwd:cloudsec 2025 Speaker Bios & Abstracts | fwd:cloudsec

fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

fwdcloudsec.org

1 5

Katie Knowles @siigil.bsky.social · Jun 5

🥷 Detect & defend vs Entra ID persistence! From my RSAC Cloud Summit talk, I've shared how attackers persist through Entra ID roles, applications, and authentication... and how you can stop them: kknowl.es/posts/defend...

Persisting Unseen: Defending against Entra ID persistence

I recently presented “Persisting Unseen: Attacker Methods of Infesting Entra ID” at RSAC’s virtual Cloud Security seminar. This session introduced some methods attackers may use now or in the near fut...

kknowl.es

1 1

Reposted by Katie Knowles

Greg Foss @gregfoss.com · May 19

Excited to speak at @fwdcloudsec.org in Denver on June 30 with Anthony Randazzo! We’ll share lessons from a year of cloud threat hunting.

Don’t miss other @securitylabs.datadoghq.com talks from @siigil.bsky.social on EntraID escalation and @sethsec.bsky.social on AMI name confusion as well!

fwd:cloudsec 2025 Speaker Bios & Abstracts | fwd:cloudsec

fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

fwdcloudsec.org

1 7

Katie Knowles @siigil.bsky.social · May 9

🌐 I'll be speaking at RSA Conference's Virtual Seminar on Cloud Security on June 5, 2025! I'll be sharing a technical overview of Entra persistence techniques for all levels. You can sign up to stop by here: www.rsaconference.com/library/virt...

This link will take you to a page that’s not on LinkedIn

lnkd.in

1

Reposted by Katie Knowles

fwd:cloudsec @fwdcloudsec.org · May 7

The CFP for fwd:cloudsec Europe is now open! We're looking for practitioner-focused cloud security content, and we encourage all practitioners to submit, whatever your role or level of experience.

The CFP is open until July 11th. Read more: fwdcloudsec.org/conference/e...

CFP | EU 2025 | fwd:cloudsec

fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

fwdcloudsec.org

5 6

Katie Knowles @siigil.bsky.social · May 6

👾 It's up!! Everything you ever wanted to know about Entra Administrative Unit (AU) attack paths, from my talk at @specterops.io SO-CON 😁
www.youtube.com/watch?v=oxD7...

Abusing AUs, Confusing the SOC: Entra ID's Administrative Unit Attack Paths | SO-CON 2025

YouTube video by SpecterOps

www.youtube.com

1 3

Reposted by Katie Knowles

SpecterOps @specterops.io · Apr 8

In our latest blog post, @xpnsec.com breaks down how SQL Server Transparent Data Encryption works, shares new methods for brute-forcing database encryption keys, & reveals a default key used by ManageEngine's ADSelfService product backups.

Read more 👉 ghst.ly/4iXFTyF

5 11

Katie Knowles @siigil.bsky.social · Apr 6

Had a fantastic time at @specterops.bsky.social SO-CON and Azure training! So much to learn, and so many incredible people to meet. Feeling excited to apply all this knowledge... time to head home. 😁

4

Katie Knowles @siigil.bsky.social · Mar 31

Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:

1 7 15

Katie Knowles @siigil.bsky.social · Mar 28

Enjoy that 2m repeater net gossip! Good + weird memories. 🥹

1

Katie Knowles @siigil.bsky.social · Mar 25

🛡️ We found a bug in restricted AUs that let accounts stay restricted (forever!) without an AU, preventing containment. Glad this is fixed now! More details here: securitylabs.datadoghq.com/articles/cre...

Creating immutable users through a bug in Entra ID restricted administrative units | Datadog Security Labs

Imagine trying to disable a malicious user in your Azure environment, only to find it can't be modified! We recently identified a timing-based bug in Entra ID's restricted administrative units (AUs) t...

securitylabs.datadoghq.com

5 10

Katie Knowles @siigil.bsky.social · Mar 11

Congrats!!

1