Karl Fosaaen
Karl specializes in network and web application penetration testing. Karl holds a BS in Computer Science from the University of Minnesota and has over a decade of consulting experience in the computer security industry. In that time, he has worked with a variety of industries; including financial services, health care, and retail. Karl holds the Security+, CISSP, and GXPN certifications. In his spare time, Karl has volunteered at conferences including DEF CON, THOTCON, and AppSec USA. Karl has previously spoken at BsidesPDX, THOTCON, AppSec California, and DerbyCon.
August 17th, 2020
Lateral Movement in Azure App Services
We test a lot of web applications at NetSPI, and as everyone continues to move their operations into the cloud, we’re running into more instances of applications being run on Azure App Services. Whenever we run into an App Services application with a serious vulnerability, I’ll frequently get a ping asking about next steps to […]
July 29th, 2020
Get-AzPasswords: Encrypting Automation Password Data
Get-AzPasswords is a function within the MicroBurst toolkit that’s used to get passwords from Azure subscriptions using the Az PowerShell modules. As part of this, the function supports gathering passwords and certificates that are attached to automation accounts. These credentials can be stored in a few different ways: Credentials – Username/Password combinations Connections – Service […]
July 16th, 2020
Azure File Shares for Pentesters
For many years, pentester-hosted SMB shares have been a common technology to use during internal penetration tests for getting tools over to, and data off of, target systems. The process is simple: share a folder from your testing system, execute a “net use z: \\testingbox\tools” from your target, and run your tools from the share. […]
June 25th, 2020
Bypassing External Mail Forwarding Restrictions with Power Automate
During a recent Office 365 assessment, we ran into an interesting situation where Exchange was configured to disallow any external domain forwarding rules. This configuration is intended to prevent attackers from compromising an account and setting up forwarding for remote mail access and persistence. Part of this assessment was to validate that these configurations were […]
May 12th, 2020
Attacking Azure Container Registries with Compromised Credentials
Azure Container Registries are Microsoft’s solution for managing Docker images in the cloud. The service allows for authentication with AzureAD credentials, or an “Admin user” that shares its name with the registry. For the purposes of this blog, let’s assume that you’ve compromised some Admin user credentials for an Azure Container Registry (ACR). These credentials […]
April 16th, 2020
Gathering Bearer Tokens from Azure Services
In the previous Azure Managed Identities blog, we covered some simple proof of concept examples for using Azure Virtual Machine Managed Identities to escalate privileges in an Azure subscription. The example code relied on Azure OAuth bearer tokens that were generated from authenticating to the Azure metadata service. Since posting that blog, we’ve found a […]
February 20th, 2020
Azure Privilege Escalation Using Managed Identities
Azure Managed Identities are Azure AD objects that allow Azure virtual machines to act as users in an Azure subscription. While this may sound like a bad idea, AWS utilizes IAM instance profiles for EC2 and Lambda execution roles to accomplish very similar results, so it’s not an uncommon practice across cloud providers. In my […]
December 10th, 2019
Azure Privilege Escalation via Cloud Shell
TLDR; By default, Azure Subscription Contributors have access to all storage accounts in a subscription. These storage accounts can contain Azure Cloud Shell storage files (Linux home directories) that can contain sensitive information. By modifying these Cloud Shell files, an attacker can execute commands in the Cloud Shell sessions of other users. This can lead […]
September 12th, 2019
Maintaining Azure Persistence via Automation Accounts
In every penetration test that involves Azure, we want to escalate our privileges up to a global administrator of the tenant. Once we’ve escalated our privileges in an Azure tenant, we want to have the ability to maintain our access to each subscription and the tenant as a whole. Aside from the benefits of controlling […]