Additional Info
Credits
As noted on the EWB home page, this workshop is based on a series of bonus labs from the SANS course SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise [1]. Those labs were in turn based on a SANS blog post by Jason Ostrom [2], and use Jason's PurpleCloud tool [3]. Jason has continued to do great work
More on Service Principal Abuse
For further reading on service principal abuse pathways, check out the excellent research authored by Andy Robbins [4] and Dirk-jan Mollema [5].
SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise
This course is designed to help students build and maintain a truly defensible security architecture, while taking them on a journey towards implementing Zero Trust principles, pillars and capabilities. There will be a heavy focus on leveraging current infrastructure and investment. Students will learn how to assess, re-configure and validate existing technologies to significantly improve their organizations' prevention, detection and response capabilities, augment visibility, reduce attack surface, and even anticipate attacks in innovative ways. The course will also delve into some of the latest technologies and their capabilities, strengths, and weaknesses. You will come away with recommendations and suggestions that will aid in building a robust security infrastructure, layer by layer, across hybrid environments, as you embark on a journey towards Zero Trust. [1]
References

1. SANS Institute. (n.d.). SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise. SANS. Retrieved May 18, 2024 from https://www.sans.org/cyber-security-courses/defensible-security-architecture-and-engineering/.
2. Ostrom, Jason. (2021, June 3). Build, Hack, and Defend Azure Identity - An Introduction to PurpleCloud Hybrid + Identity Cyber Range. PurpleCloud is a Hybrid + Identity Cyber Security Range built for Azure Cloud with automated deployment scripts. SANS. Retrieved May 18, 2024 from https://www.sans.org/blog/build-hack-defend-azure-identity/.
3. Ostrom, Jason. (2024, February 18; commit ec010a6a8b0979f2b63e909b3662ce557cc57615). PurpleCloud. Retrieved May 18, 2024 from https://github.com/iknowjason/PurpleCloud.
4. Robbins, Andy. (2021, October 12). Azure Privilege Escalation via Service Principal Abuse. Medium. Retrieved May 18, 2024 from https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5.
5. Mollema, Dirk-jan. (2019, September 16). Azure AD privilege escalation - Taking over default application permissions as Application Admin. Retrieved May 18, 2024 from https://dirkjanm.io/azure-ad-privilege-escalation-application-admin.