We have created this fun lab to highlight alternate forms of credential that can be abused to get access and move laterally in Azure. Get ready to leverage service principals, web app managed identities and administrative units as we look to go from external access to the top of the tree!

On a red team engagement for our new client, Mega Big Tech, we have a mission to try and infiltrate their Azure environment and access sensitive data. Let's show what we can do!

• Basic Windows command line knowledge
• Familiarity with Azure
• Basic website enumeration

• Use certificate-based authentication to access service principal
• Leverage Website Contributor role to get command execution using the CLI
• Move laterally from compromised web app to configured managed identity
• Enumerate Azure and Entra ID resources
• Leverage administrative unit permissions for lateral movement

Credentials are often not plaintext passwords but instead can be keys, certificates and credential derivatives such as hashes and tokens. This lab showcases certificate based authentication and tokens in additional to plaintext credentials. Executive accounts are often a key target for threat actors, as seen in the Midnight Blizzard breach that targeted Microsoft. Additionally, rather than exploiting CVEs we will look to harness existing system functionality to move laterally and vertically.