
Katie Knowles
@_sigil
Followers: 2K | Following: 2K | Media: 144 | Statuses: 1K
Senior Security Researcher @ Datadog. 🐕 Head in the (Azure) clouds. Sometimes blogging, always curious. Aim to be, rather than to seem.
Toronto, Ontario
Joined September 2010
🕵️‍♀️ Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @datadoghq Security Labs post:
securitylabs.datadoghq.com
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and...
RT @Frichette_n: 😭 Old and busted: Cloud attackers making noisy List/Describe calls. 🔥 New hotness: Laundering enumeration calls through a…
securitylabs.datadoghq.com
Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.
🎉 Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one:
securitylabs.datadoghq.com
RT @SpecterOps: Why should Microsoft's Nested App Authentication (NAA) be on your security team's radar? @Icemoonhsv breaks down NAA…
specterops.io
In depth walkthrough for using nested app authentication (NAA), or BroCI, for offensive engagements to access information and resources.
RT @netbiosX: Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications
research.eye.security
The Eye Security Research team has uncovered a new critical misconfiguration that exposed sensitive data at internal Microsoft applications.
RT @TomerNahum1: Today, together with Jonathan Elkabas, we're releasing EntraGoat - A Deliberately Vulnerable Entra ID Environment. Your o…
RT @chrispy_sec: If anybody is interested in Azure DevOps and how attackers might go about abusing OIDC connections used in pipelines then…
labs.reversec.com
Workload Identity Federation - is it all it makes out to be? Does it really prevent attackers from extracting credentials from pipeline identities that use modern authentication techniques?
We're looking for a curious AI security researcher to join us! 👀
Join my team! We’re looking for a Senior Security Researcher specializing in Generative AI. You’ll have the opportunity to be a part of one of the leading security research organizations in the industry and shape Datadog’s security products! A 🧵
This is a great point! Ensuring your cloud admins aren't synced users will prevent the federated domain takeover scenario, as only synced users are vulnerable.
@_sigil Nice talk Katie! The easiest way to prevent the attack you demonstrated is to avoid giving admin permissions to synced users (=no ImmutableID).
Thank you for a great week, @fwdcloudsec!! So many fantastic conversations and sessions. See you next year!
RT @chrispy_sec: My talk was published mega quickly as its own video by @fwdcloudsec (thanks btw!). So feel free to check it out if you wan…
Thanks for joining!
It’s a packed house over at @_sigil's talk on Azure Service Principals, a history on backdooring them, and more!
When the hotel has a free drink for your panic rehearsals. Looking forward to @fwdcloudsec! 🥂
RT @_dirkjan: Since several people already asked: the slides from @fabian_bader and myself for @WEareTROOPERS are available! "Finding Entra…
dirkjanm.io
RT @fabian_bader: One of the results of the joined research with @_dirkjan is . Basically the yellow pages for Micr…
RT @ericonidentity: At @WEareTROOPERS I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable…
semperis.com
Think nOAuth abuse is old news? We wish. Our recent testing shows that nearly 10% of apps in the Microsoft Entra Gallery remain vulnerable.