Ryan
@Haus3c
Followers
7K
Following
3K
Media
89
Statuses
1K
Former red teamer, current cloud security researcher
Charlotte, NC
Joined November 2015
I merged a PR from @ScoubiMtl that now includes compatibility with BHCE. Thanks @ScoubiMtl!
github.com
Custom Query list for the Bloodhound GUI based off my cheatsheet - hausec/Bloodhound-Custom-Queries
2
32
106
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:
dirkjanm.io
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise...
143
906
3K
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates. Also includes ESC1 over Intune (in some cases). https://t.co/Dm1x9ORW7Q Oh, and a new tool for SCEP:
dirkjanm.io
Active Directory Certificate Services (AD CS) attack surface is pretty well explored in Active Directory itself, with *checks notes* already 16 “ESC” attacks being publicly described. Hybrid certif...
8
194
530
Announcing our whitepaper on the future of endpoint security. https://t.co/NogsQiku9B
preludesecurity.com
A research preview of our user-mode Windows agent that comprehensively catches malicious code execution.
6
88
286
Token abuse is finally more easily detectable.
🔥 Security researchers! Microsoft Entra ID’s new linkable token identifiers are a game-changer for tracking identity threats! 🕵️♂️ Correlate auth events across logs (Entra, Exchange, Teams, SharePoint) to hunt attackers. Dive in: https://t.co/vlwq4jgyJ6
0
1
3
New @NetSPI blog out today on "Hijacking Azure Machine Learning Notebooks (via Storage Accounts)". This is very similar to Storage Account attacks that have been done against Function/Logic Apps and Cloud Shell -
netspi.com
Abusing Storage Account Permissions to attack Azure Machine Learning notebooks
3
30
90
Test-driven development—not just for software engineering. @matterpreter breaks down how applying this logic streamlines how you execute, evaluate, and iterate on your detections to better augment your defensive coverage https://t.co/MOIyRSTk2V
0
6
11
Very happy to see Shiva P from @Microsoft DART blogging about this topic on how to hunt in Graph API logs. Shiva P will also present this topic at @OrangeCon_nl so make sure to check it out! He's a great guy and I'm happy for him!
3
25
85
@PhilipTsukerman @DrAzureAD @_dirkjan I recommend: @kfosaaen - https://t.co/4LkUA1YTVM
@inversecos - https://t.co/NfCd4pv4FE
@mariussmellum - https://t.co/Wj4lHWJrfk
@Haus3c - https://t.co/ULEMQqTart
@abu_conde - https://t.co/vLxvY5ZHq8
@mniehaus -
oofhours.com
Michael Niehaus' technology ramblings
2
1
19
While working at Microsoft, it was somewhat frowned upon to call the baby (Azure logs) ugly. But now I get to call it like it is, so I wrote about trying to make the most out of basically nothing
trustoncloud.com
Whilst researching our ThreatModel for Azure Managed Identity, we discovered some challenges in detecting Managed Identity (MI) abuse that are worth
3
38
120
This is quite frustrating. When viewing managed identity sign-in logs via the portal, the timestamp differs from Log Analytics. Why? This fucks with some detection logic I have :(. I know one is in UTC time, but specifically the minutes & seconds shouldn't be different.
2
0
4
One thing I'd like to get back to doing is publicizing a lot of my research again. Publishing stuff publicly was almost taboo at MSFT, so I'd like to get back to posting blogs, updating PowerZure more frequently, and bettering the overall Azure security landscape.
2
2
22
ATRM has been handed off to my team and it's ultimately up to them what they want to do with it. It's still an OSS project so PRs are still open, but how quickly it'll be handled is out of my control.
1
0
7
After 3 years at Microsoft I've decided to move on. There are several reasons, which I won't get into here, but I enjoyed my time working on some very cool projects that I learned so much on. I'm now the Principal Lead Researcher for @trustoncloud, handling the Azure practice.
2
2
49
As a follow up on this thread, we have a new @NetSPI blog out today that explains how we were able to get the App Registration certificates for Managed Identities that were attached to Linux Function App containers. https://t.co/BXld6I84vt
A question for my Azure friends: Assume that you have abused an Azure service to compromise the private certificate associated with a Managed Identity's Service Principal and can now authenticate (off the resource) as that Managed Identity. How serious do you think this is?
2
15
38