2025-07-01, Room 2
Backdooring Microsoft's applications is far from over. Adding service principal (SP) credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and has led to the development of new security controls. Despite these efforts, we uncovered a vulnerable, built-in SP that could have allowed escalation from Application Administrator to any hybrid tenant user (including Global Admin).
Join us for an overview of SPs, app registrations, and the history of backdoor credentials on these identities. This talk will illustrate how building on existing SP research led to a new vulnerability, and cover controls that can help mitigate similar risks. Finally, we'll identify leads for future SP investigations and show how you can use past research to seek your own vulnerabilities.
Katie Knowles is a Security Researcher at Datadog, focused on Azure research. Through her past roles, Katie has had the chance to approach security as both an attacker and defender, from incident response and detection engineering to penetration testing. She holds Azure (AZ-104, AZ-500) and offensive security (OSCP, GPEN) certifications.