BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: ExploitIfNotExists: Privilege Escalation & Persisten
 ce with\n   Azure Policy\n   When: Friday\, Aug 9\, 13:00 - 13:25 PDT\n   
 Where: LVCC West/Floor 1/Hall 2/HW2-09-01\n\n   Description:\n   
 The Microsoft Azure threat matrix contains a mysterious and almost\n   emp
 ty item: AZT508 - Azure Policy\, which suggests this service can\n   break
  bad but gives almost no details as to how. To quote Microsoft:\n   “Azu
 re Policy helps to enforce organizational standards and to\n   assess comp
 liance at-scale.” How does this banal sounding service\n   come to be us
 ed for attacking Azure users?\n\n   This talk aims to fill in the picture.
  We will explore the Azure\n   Policy service and how it can be used for b
 adness: punching holes in\n   acls\, creating persistent backdoors on virt
 ual machines\, assigning\n   attacker controlled roles to resources\, modi
 fying database encryption\,\n   etc. I will demo an abuse scenario\, and d
 iscuss others that can be\n   used for privilege escalation and persistenc
 e. I will also discuss a\n   confused deputy attack on this service. Final
 ly\, I will share\n   detection and control recommendations.\n\n\n   Talk 
 Outline:\n   -------------\n\n   The Azure Policy service (3 mins): - What
  it is\, how it works\, and how\n   it is intended to be used. This servic
 e is billed as an integral part\n   of the Azure compliance story. Policie
 s examine resources and can\n   block or alert on non-compliance. - Introd
 uce the components at play\n   and lay the groundwork for understanding la
 ter abuse. -----There are\n   lots of interlocking pieces to understand. -
  Introducing policy\n   effects which go far beyond normal auditing scope.
  Effects are how\n   policies can make changes to resource configuration.\
 n\n   Establishing the abuse case: (7 mins) - Discussion of evil that can 
 be\n   done with intended functionality including a demo - Policy adds an\
 n   arbitrary script to every VM\, which runs as soon as it starts up\,\n 
   calling a reverse shell home. - Policy turns off database encryption -\n
    Policy to assign an RBAC role to attacker controlled account - What\n  
  privileges and roles are needed for the above\n\n   Privesc scenario (7 min
 s) - Policy initiatives - these are higher\n   level groupings of policies
  - Confused deputy attack via initiative -\n   The curious case of append 
 actions - Policies can append an attacker\n   IP to every new ACL in your 
 environment - Adding attacker ssh keys to\n   all VMs\n\n   SpeakerBio:  Z
 ander Mackie\n\n   Zander Mackie is a father\, husband\, security research
 er\, and\n   developer. He’s worked across the stack as a software engin
 eer\, from\n   fixing CSS bugs to writing systems code for container orche
 stration.\n   He’s driven by a relentless need to figure out how things 
 work and\n   fixing bugs is his favorite.\n\n   '\n\n\n
DTEND:20240809T202500Z
DTSTART:20240809T200000Z
LOCATION:CLV - LVCC West/Floor 1/Hall 2/HW2-09-01
SUMMARY:ExploitIfNotExists: Privilege Escalation & Persistence with Azure P
 olicy
END:VEVENT
END:VCALENDAR
