We are very excited to announce our new tool - ATEAM Thomas Elling and I have been working on this project for the last year and this tool is the result of the research that we presented at the DEF CON Cloud Village this year.

We're starting a new series at @NetSPI where I interview our technical leaders. First up is Patrick Sayler, Director of Social Engineering. If you want to hear some fun Social Engineering stories, check it out on YouTube - https://t.co/EZcOTXu9Cp

For anyone that missed it, here's the blog that explains the Deployment Scripts Managed Identity abuse technique -

Another day, another tool update. We figured out that the Invoke-AzUADeploymentScript MicroBurst function was missed in the "SecureString" token updates, so tokens weren't being extracted. Casting has been fixed and UA-MI tokens are now extracting again! https://t.co/BcMVlhH7jb

Not sure if anyone else has run into tooling issues around this, but Azure App Services (including Function Apps) can now have regionality in the hostname (*.eastus-01.azurewebsites.net). I just added a fix for FuncoPop to address this -

Thanks for reading! Feel free to reach out if you have any thoughts/questions on the blog.

The new MicroBurst scripts that we're releasing with this blog are built off of some previous research (going back to 2018). I highly recommend checking out the previous research section of blog post to see practical examples from other researchers.

The WireServer service has a certificate endpoint that can be used to get the private cert for decryption of the settings, which often contain sensitive info. Although it requires admin/root permissions to access, the service can be really useful in certain situations.

The service provides access to an encrypted copy of VM extension "Protected" settings, that are also (usually) available on the VM already. @NetSPI covered this in a previous blog -

The WireServer service (168.63.129.16) acts like a cloud-local HTTP service (similar to the IMDS), as it's only routable from Azure Virtual Machines. It provides a number of different functions, but the one we focus on for the blog is configuration management for VM extensions.

I have a new @NetSPI blog out today that covers the Azure WireServer service. If you're not familiar with it, I'll provide a brief explainer in the thread -🧵 https://t.co/Lxw6DI1Evt

Want to start your career in #pentesting? Join NetSPI U to get hands-on penetration testing experience and work on web application projects. Apply today: https://t.co/FKNOu1om0o #Portland #Oregon #careers

🎥 Missed the action at @cloudvillage_dc during @defcon ? We’ve got you covered! All Day 1 talks are now live on our YouTube channel 📺 Catch up on the insights, hacks, and cloud security deep dives you might’ve missed! 👉 Watch now: https://t.co/BdfgwntM8x #defcon33 #defcon

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:

ATEAM - Azure Resource Attribution via Tenant ID Enumeration https://t.co/PHcDqJxtnu #cyber #threathunting #infosec

I’m very honored to have a MicroBurst card in the game. Thanks for including it @BHinfoSecurity!

Slides from our talk can also be found on the GitHub page -

For those that are looking for a direct link to the tool -

I acquired some new DEF CON flair this last weekend.

Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications