BSides NYC 2025: Inside Cloud Attack Paths End-to-End Adversary Simulation

mvelazco 11 views 33 slides Oct 20, 2025

About This Presentation

Adversaries map and navigate cloud attack paths by chaining misconfigurations, over-privileged principals, and exposed secrets in pursuit of privilege escalation and broader objectives. In this talk, we explore core attack primitives in Azure, Entra ID, and Microsoft 365, demonstrate how to simulate...


Slide Content

Inside Cloud Attack Paths:
End-to-End Adversary
Simulation
Mauricio Velazco
Bsides NYC 2025

#whoami

✘Security Research @ Microsoft

✘@mvelazco

✘github.com/mvelazc0

1. Introduction


A cloud attack path is the chain
of steps an adversary follows by
compromising identities and
abusing legitimate
configurations to reach a goal

How Are Cloud Attack Paths created
✘Security Principals (who):

Users - App Registrations/ Service Principals -
Managed Identities

✘Permissions (what):

Direct Object Permissions - Entra ID Roles -
Azure RBAC - API Permissions - OAuth Scopes

✘Targets (where):

EntraID Tenants - Azure Subscriptions - Key
Vaults - Storage Accounts - Databases -
Exchange Online - OneDrive - SharePoint

The slides then build the example path one edge at a time (diagram content, rendered here as text):

User Bob -PrivEsc-> App ACME -RunsAs-> SP acme-sp -HasRole-> VMContributor -CanExec-> VM Gibson01 -CanRead-> StoreA: sensitive

Bob has a privilege-escalation relationship to the ACME app registration (shown as ownership in the later BadZure slides); the app runs as the service principal acme-sp; that service principal holds the Virtual Machine Contributor role; the role lets it execute commands on the VM Gibson01; and from that VM the storage account StoreA, which holds sensitive data, can be read. Each edge is a legitimate configuration on its own; the chain is the attack path.
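Added illustration (not code from the talk, BadZure or msInvader): the example path above modelled as a directed graph, with a breadth-first search that returns every simple path from a compromised principal to a target and a count of which edges the found paths share. Node and edge names follow the slide; the extra principals Alice and Dave, the groups, and StoreB are constructed so the search has a second path to compare and a dead end to reject. The first edge is labelled IsOwner, as in the BadZure slides.

```python
from collections import Counter, deque

# Constructed graph (assumption): the slide's Bob -> StoreA path plus a few
# extra nodes. Each edge is (source, relationship, destination).
EDGES = [
    ("User:Bob", "IsOwner", "App:ACME"),
    ("App:ACME", "RunsAs", "SP:acme-sp"),
    ("SP:acme-sp", "HasRole", "Role:VMContributor"),
    ("Role:VMContributor", "CanExec", "VM:Gibson01"),
    ("VM:Gibson01", "CanRead", "StoreA:sensitive"),
    ("User:Alice", "MemberOf", "Group:AppOwners"),   # second way into App:ACME
    ("Group:AppOwners", "IsOwner", "App:ACME"),
    ("User:Dave", "MemberOf", "Group:Readers"),      # dead end, never reaches StoreA
    ("Group:Readers", "CanRead", "StoreB:public"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def find_paths(graph, start, target, max_hops=8):
    """All simple directed paths from start to target, found breadth-first.
    Each path is a list of (src, rel, dst) edges. Direction matters: a path
    from the target back to the user does not exist."""
    paths = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node == target:
            paths.append(path)
            continue
        if len(path) >= max_hops:
            continue
        visited = {start} | {e[2] for e in path}
        for rel, nxt in graph.get(node, []):
            if nxt in visited:      # keep paths simple, no cycles
                continue
            queue.append((nxt, path + [(node, rel, nxt)]))
    return paths


def choke_points(paths):
    """Edges ranked by how many of the found paths traverse them. The top
    entries are the relationships whose removal cuts the most paths."""
    return Counter(edge for path in paths for edge in path).most_common()


def describe(path):
    """Render a path as 'A -rel-> B -rel-> C'."""
    if not path:
        return ""
    return path[0][0] + "".join(f" -{rel}-> {dst}" for _, rel, dst in path)


if __name__ == "__main__":
    g = build_graph(EDGES)
    found = []
    for user in ("User:Bob", "User:Alice", "User:Dave"):
        paths = find_paths(g, user, "StoreA:sensitive")
        found += paths
        print(user, "->", [describe(p) for p in paths] or "no path")
    for edge, n in choke_points(found):
        print(n, edge)
```

Bob and Alice both reach StoreA, but their paths share every edge from App:ACME onwards; removing Bob's ownership fixes one path, while removing the VMContributor assignment from acme-sp cuts both. That is the choke-point view an attack path management tool gives you.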

Attack Primitives
✘Definition

A reusable capability (configuration, permission, or credential) that an adversary abuses within
an attack path to move laterally, escalate privileges or access data inside a tenant.

✘Examples

Service Principal Credential Injection: Abuse a permission (an Entra ID role or a direct Owner
assignment on the app) to create client secrets or upload certificates for an app registration, then
authenticate as its service principal.

Mailbox Access: Abuse the Graph Mail.Read application permission to exfiltrate mailbox contents
via the Microsoft Graph API. As an application permission it covers every mailbox in the tenant unless
scoped down with an Exchange application access policy.

KeyVault Secret Access: With Key Vault Contributor at the vault scope, modify the vault's access policies so
that a new identity can read secrets. This only works for vaults using the access-policy permission model;
with the Azure RBAC permission model, Key Vault Contributor is control-plane only and grants no access to secrets.
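The flip side of these primitives is what they leave in the logs. Added example (not from the talk or its tools): a small detector that flags the credential-injection, app-role-grant and Key Vault access-policy primitives in Entra ID audit and Azure activity log records, then chains a credential added to an app with a later action performed by that app's service principal. The activity names are the real Entra `activityDisplayName` and ARM `operationName` values; the sample records, the field subset and the app-to-service-principal map are constructed for the example. Mailbox reads via Graph do not appear in either log (they surface as MailItemsAccessed records in the Exchange audit log), so that primitive is not covered here.

```python
from datetime import datetime, timedelta

# Entra ID directory audit activityDisplayName values -> primitive.
ENTRA_SIGNALS = {
    "Update application – Certificates and secrets management": "Service Principal Credential Injection",
    "Add service principal credentials": "Service Principal Credential Injection",
    "Add app role assignment to service principal": "API Permission Grant",
}
# Azure activity log operationName values -> primitive.
ARM_SIGNALS = {
    "Microsoft.KeyVault/vaults/accessPolicies/write": "Key Vault Access Policy Change",
}

# Constructed sample records (assumption: a reduced subset of the real log
# fields, not a full export). Two benign events are mixed in.
ENTRA_AUDIT = [
    {"activityDateTime": "2025-10-20T09:00:00Z", "activityDisplayName": "Update user",
     "initiatedBy": "hr-admin@contoso.example", "targetResources": ["Tom"]},
    {"activityDateTime": "2025-10-20T14:02:11Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": "bob@contoso.example", "targetResources": ["Acme"]},
    {"activityDateTime": "2025-10-20T14:05:40Z",
     "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": "acme-sp", "targetResources": ["Omni"]},
]
AZURE_ACTIVITY = [
    {"eventTimestamp": "2025-10-20T10:00:00Z", "caller": "ops@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hr/providers/Microsoft.Compute/virtualMachines/HR01"},
    {"eventTimestamp": "2025-10-20T14:10:03Z", "caller": "paul@contoso.example",
     "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write",
     "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/AppSec"},
]
# Constructed: which service principal each app registration runs as.
SP_OF_APP = {"Acme": "acme-sp"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(entra_events, arm_events):
    """Return the flagged events as alerts, oldest first."""
    alerts = []
    for e in entra_events:
        prim = ENTRA_SIGNALS.get(e["activityDisplayName"])
        if prim:
            alerts.append({"primitive": prim, "time": _ts(e["activityDateTime"]),
                           "actor": e["initiatedBy"], "target": e["targetResources"][0]})
    for e in arm_events:
        prim = ARM_SIGNALS.get(e["operationName"])
        if prim:
            alerts.append({"primitive": prim, "time": _ts(e["eventTimestamp"]),
                           "actor": e["caller"],
                           "target": e["resourceId"].rsplit("/", 1)[-1]})
    return sorted(alerts, key=lambda a: a["time"])


def credential_then_use(alerts, sp_of_app, window=timedelta(hours=1)):
    """Chain: a credential is added to app X by one actor and, within the
    window, X's own service principal performs a flagged action. That is the
    injected credential being used, i.e. the next hop of the path."""
    chains = []
    for a in alerts:
        if a["primitive"] != "Service Principal Credential Injection":
            continue
        sp = sp_of_app.get(a["target"])
        for b in alerts:
            if b["actor"] == sp and a["time"] < b["time"] <= a["time"] + window:
                chains.append((a, b))
    return chains


if __name__ == "__main__":
    alerts = detect(ENTRA_AUDIT, AZURE_ACTIVITY)
    for a in alerts:
        print(a["time"], a["primitive"], a["actor"], "->", a["target"])
    for a, b in credential_then_use(alerts, SP_OF_APP):
        print("CHAIN:", a["actor"], "armed", a["target"], "then", b["actor"], "did", b["primitive"])
```

The single-event rules are noisy on their own (admins do rotate secrets); the chain is the higher-fidelity signal, because the actor who added the credential and the identity that then used it are different principals.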

2. Provisioning Attack Paths

Requirements
✘Security Principals (who):

Users - App Registrations/ Service Principals -
Managed Identities (Azure Resources)

✘Permissions (what):

Direct Object Permissions - Entra ID Roles -
Azure RBAC - API Permissions - OAuth Scopes

✘Targets (where):

EntraID Tenants - Azure Subscriptions - Key
Vaults - Storage Accounts - Databases -
Exchange Online - OneDrive - SharePoint

✘Leverages Python & Terraform to
automate the setup of EntraID
tenants & Azure subscriptions.

✘Creates random identities,
resources, assignments and
permissions.

✘Injects configurable attack
paths to enable attack path
research
BadZure
https://github.com/mvelazc0/BadZure

BadZure

✘Flexible
configuration
through a YAML
file.

The four attack paths BadZure injects (diagram content, rendered as edge chains):

Attack Path 1: User Bob -IsOwner-> App Acme -RunsAs-> SP Acme -HasRole-> Privileged Role Administrator

Attack Path 2: User Alice -IsOwner-> App Omni -RunsAs-> SP Omni -HasAPI-> AppRoleAssignment.ReadWrite.All

Attack Path 3: User Paul -HasKvCo (Key Vault Contributor)-> KV AppSec -HasCred-> App Atlas -RunsAs-> SP Atlas -HasAPI-> Mail.Read

Attack Path 4: User Tom -CanExec-> VM HR01 (Managed Identity) -CanRead-> SA CrtStor -ContainCert-> App Corex -RunsAs-> SP Corex -HasApi-> Files.Read.All
Provisioning Attack Paths with BadZure

Demo 1

3. Navigating Attack Paths

msInvader

✘Adversary simulation tool
designed to automate the
execution of attack paths
against EntraID, M365 & Azure.

✘Leverages APIs like MS Graph,
EWS and ARM for comprehensive
simulations and technique
variations.
https://github.com/mvelazc0/msInvader

msInvader

✘Flexible
configuration
through a YAML
file.

Attack Path 1 (User Bob -IsOwner-> App Acme -RunsAs-> SP Acme -HasRole-> Privileged Role Administrator), as msInvader walks it:

compromised_user
enumerate_users (method: Graph)
enumerate_groups (method: Graph)
enumerate_applications (method: Graph)
enumerate_directory_roles (method: Graph)
add_application_secret (method: ARM)
get_ms_client_token
assign_app_role (method: Graph)
create_user (method: Graph)
assign_entra_role

Attack Path 3 (User Paul -HasKvCo (Key Vault Contributor)-> KV AppSec -HasCred-> App Atlas -RunsAs-> SP Atlas -HasAPI-> Mail.Read), as msInvader walks it:

compromised_user
enumerate_users (method: Graph)
enumerate_groups (method: Graph)
enumerate_arm_resources (method: ARM)
enumerate_arm_role_assign (method: ARM)
list_key_vaults (method: ARM)
access_key_vault_item (method not shown on the slide)
add_keyvault_access_policy (method: Graph)
access_key_vault_item (method: Graph)
get_ms_token_client
enumerate_arm_role_assign (method: ARM)
read_email
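The pivot in this path is the access_key_vault_item step that first fails and then succeeds after add_keyvault_access_policy. Whether that hop exists depends on the vault's permission model and on where the Key Vault Contributor assignment sits in the scope hierarchy. Added example (not from the talk or msInvader): a check that answers, for a principal and a vault, whether secrets are readable directly, reachable only by first rewriting access policies (the Path 3 hop), reachable by self-assigning a data-plane role, or not at all. The vault and role-assignment records are constructed; the property names `enableRbacAuthorization` and `accessPolicies` are the ARM vault fields, and the role names are Azure's built-in role display names.

```python
# Constructed inventory (assumption): a trimmed view of two ARM vault
# resources and the role assignments that apply to them.
APPSEC = "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/AppSec"
LOCKED = "/subscriptions/sub1/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/Locked"
VAULTS = {
    APPSEC: {"enableRbacAuthorization": False,            # access-policy model
             "accessPolicies": [{"objectId": "sp-atlas", "secrets": ["get", "list"]}]},
    LOCKED: {"enableRbacAuthorization": True,             # Azure RBAC model
             "accessPolicies": []},
}
ROLE_ASSIGNMENTS = [
    {"principalId": "paul", "roleName": "Key Vault Contributor",
     "scope": "/subscriptions/sub1/resourceGroups/rg-app"},
    {"principalId": "paul", "roleName": "Reader", "scope": "/subscriptions/sub1"},
    {"principalId": "tom", "roleName": "Key Vault Secrets User", "scope": LOCKED},
    {"principalId": "alice", "roleName": "Owner", "scope": "/subscriptions/sub1"},
]
# Data-plane roles that read secrets under the RBAC permission model.
DATA_PLANE_SECRET_ROLES = {"Key Vault Secrets User", "Key Vault Secrets Officer",
                           "Key Vault Administrator"}
# Control-plane roles that can write access policies (vaults/write covers it).
POLICY_WRITERS = {"Key Vault Contributor", "Contributor", "Owner"}
# Roles that include Microsoft.Authorization/roleAssignments/write.
ROLE_ASSIGNERS = {"Owner", "User Access Administrator"}


def _in_scope(assignment_scope, vault_id):
    """Azure RBAC inherits downwards: an assignment applies to the vault when
    its scope is the vault itself or an ancestor (resource group, subscription)."""
    a = assignment_scope.lower().rstrip("/")
    v = vault_id.lower()
    return v == a or v.startswith(a + "/")


def roles_on(vault_id, principal, assignments):
    return {r["roleName"] for r in assignments
            if r["principalId"] == principal and _in_scope(r["scope"], vault_id)}


def secret_access(vault_id, principal, vaults=VAULTS, assignments=ROLE_ASSIGNMENTS):
    """How `principal` can read secrets from `vault_id`:
    'direct'              already permitted
    'via-policy-write'    the Key Vault Contributor hop from Attack Path 3
    'via-role-assignment' can grant itself a data-plane role (RBAC model)
    None                  no path"""
    props = vaults[vault_id]
    roles = roles_on(vault_id, principal, assignments)
    if props["enableRbacAuthorization"]:
        # RBAC model: access policies are ignored and Key Vault Contributor
        # grants nothing on the data plane.
        if roles & DATA_PLANE_SECRET_ROLES:
            return "direct"
        if roles & ROLE_ASSIGNERS:
            return "via-role-assignment"
        return None
    for policy in props["accessPolicies"]:
        if policy["objectId"] == principal and "get" in policy["secrets"]:
            return "direct"
    if roles & POLICY_WRITERS:
        return "via-policy-write"
    return None


if __name__ == "__main__":
    for vault in (APPSEC, LOCKED):
        for who in ("paul", "tom", "alice", "sp-atlas"):
            print(vault.rsplit("/", 1)[-1], who, secret_access(vault, who))
```

Paul's resource-group-level Key Vault Contributor gives him the policy-write hop on AppSec but nothing on Locked, which is exactly why moving a vault to the RBAC permission model removes this primitive without touching any role assignment.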

Navigating Attack Paths with MsInvader

Demo 2

https://github.com/mvelazc0/BadZure https://github.com/mvelazc0/msInvader

Resources
✘https://aadinternals.com/

✘https://dirkjanm.io/

✘https://medium.com/@_wald0

✘https://www.netspi.com/authors/karl-fosaaen/

✘https://specterops.io/wp-content/uploads/sites/3/2025/07/StateofAttackPathManagement-2025-Web.pdf

✘https://cloudbrothers.info/en/azure-attack-paths/

✘https://github.com/SpecterOps/BloodHound/

thanks!
