fwd:cloudsec Europe 2025

Azure Arc: From a Heartbeat to Heart Attack
2025-09-15, Main Room

Microsoft claims "Azure Arc is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments." While Azure Arc is not installed by default, Microsoft is pushing the service heavily via numerous channels. Vulnerabilities in products which aim to integrate on-premise and cloud infrastructure could open the doors for lateral movement between the two, and increase the blast radius of a given breach. While Azure Arc makes it easier to use the power of Azure within on-premise infrastructure, it also makes life easier for threat actors. So, what if we find ourselves with a foothold on a server with Azure Arc installed?

In this talk I will cover my experiences investigating the Azure Arc Agent. Under the right circumstances, exploiting Azure Arc would allow pivoting from an on-premise server to the cloud. This presentation will consist of a high-level introduction to Azure Arc, its configuration, the research path and other observations. We will look at a chain of misconfigurations used to hijack a server enrolled in one tenant to be temporarily enrolled in another, attacker-controlled tenant to escalate privileges on the local host. The talk will highlight why security teams, cloud architects and system administrators should pay attention to their Azure Arc configuration and implement potential detection capabilities for these exploits.

Sharan is a Security Consultant at Reversec with a specialty in infrastructure security. Anything netsec gets him excited, but for a change, he is currently focusing on cloud and enterprise software research.