Security BSides Las Vegas 2025

Edward Landers (0xflagplz); Josh Huff (Skytalks)

Edward Landers:

Humana - Senior Offensive Security Engineer

Edward is a red teamer and former offensive security consultant focused on adversary simulation, malware development, and social engineering. He works on bypassing security controls, evading detection, and testing the limits of modern defenses. When he’s not on an engagement, he’s refining techniques, building tools, and keeping up with the ever-changing security landscape.

Josh Huff:

Senior Red Team Operator @ Fortune 50 Company

Josh is an offensive security professional with more than 10 years in Information Security. He has an Associate's Degree in Computer Forensics and Security, as well as several certifications. He began his professional career in IT as a contractor for the US Army Corps of Engineers before moving to his current company where he has held roles both on the defensive and offensive sides of security.

When not in the office, Josh satisfies his curiosity exploring Red Team infrastructure and Open Source Intelligence. He is a husband, father of two, and enjoys playing multiple instruments. Want an OSINT challenge? See if you can find his account for live-streaming music.

Josh is currently a Senior Red Team Operator at a Fortune 50 insurance company.


Session

08-04
18:00
45min
(06) Bridge to Nowhere Good: When Azure Relay becomes a Red Teamer's highway
Robert Pimentel, Edward Landers (0xflagplz), Josh Huff (Skytalks)

We expose offensive capabilities in the azbridge tool, which has been available in Azure's GitHub repository since 2018. The tool is a utility for connecting isolated assets. Our research demonstrates how an attacker can weaponize it.

azbridge lets an attacker establish covert C2 channels, exfiltrate data, and move laterally while evading scrutiny by perimeter defenses. It leverages the back-end services that serve Azure Relay endpoints (*.servicebus.windows.net) and encapsulates malicious traffic in TLS-encrypted connections to *.cloudapp.azure.com endpoints, defeating egress filtering and proxy inspection.

We demonstrate how attackers can use it to maintain persistent network access, bypass network security controls, and conduct post-exploitation using Microsoft's own tool. More sophisticated adversaries can re-implement the tool's functionality in their own tradecraft (e.g., implants). We provide initial recommendations for our defensive-side friends on recognizing these techniques, so they can defend against adversaries abusing legitimate infrastructure.

While this is not a 0-day, as of 03/14/2025 there were no reports of adversaries using azbridge, and no researchers had reported this tool's potential for abuse. We therefore believe it is a novel use case, or at least one that has not been publicly discussed.
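As an added example (not from the talk or from the azbridge project), the following Python sketch shows one way a defender might triage proxy logs for the relay-style egress the abstract describes: outbound TLS connections to *.servicebus.windows.net or *.cloudapp.azure.com from hosts that are not known relay consumers, held open for a long time, or pushing unusually large volumes. The log format, the allowlist of known relay clients, and the thresholds are assumptions chosen for illustration; the sample log lines are constructed.

```python
"""Constructed proxy-log triage for Azure Relay style egress.

Added example; not from the talk or the azbridge project. The log format,
the allowlist and the thresholds below are assumptions for illustration.
"""
import re

# Constructed sample lines in an assumed space-separated proxy format:
# timestamp src_host method dest_host:port status bytes_out duration_s
SAMPLE_LOG = """\
2025-03-14T10:00:01Z ws-finance-07 CONNECT contoso-relay.servicebus.windows.net:443 200 2048 3610
2025-03-14T10:00:05Z ws-finance-07 CONNECT www.microsoft.com:443 200 512 2
2025-03-14T10:01:12Z build-agent-02 CONNECT ci-relay.servicebus.windows.net:443 200 80210 45
2025-03-14T10:02:30Z ws-hr-03 CONNECT login.microsoftonline.com:443 200 1024 1
2025-03-14T10:03:00Z ws-finance-07 CONNECT myvm.eastus.cloudapp.azure.com:443 200 9400000 900
2025-03-14T10:04:00Z ws-legal-01 CONNECT mail.example.com:443 200 300 4
"""

# Destination suffixes named in the abstract: Azure Relay namespaces and Azure compute endpoints.
RELAY_SUFFIXES = (".servicebus.windows.net", ".cloudapp.azure.com")
# Assumed: internal hosts that legitimately use Azure Relay (e.g. a CI agent).
KNOWN_RELAY_CLIENTS = {"build-agent-02"}
LONG_SESSION_S = 600            # assumed threshold for a held-open relay session
LARGE_EGRESS_BYTES = 5_000_000  # assumed threshold for bulk data movement

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<dest>[^:\s]+):(?P<port>\d+) "
    r"(?P<status>\d+) (?P<bytes>\d+) (?P<dur>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "bytes", "dur"):
        rec[key] = int(rec[key])
    return rec


def is_relay_dest(host):
    """True if the destination host sits under one of the relay-style suffixes."""
    host = host.lower().rstrip(".")
    return any(host.endswith(suffix) for suffix in RELAY_SUFFIXES)


def triage(log_text):
    """Return [(src, dest, reasons)] for relay-style connections worth an analyst's look.

    A connection is reported only if at least one reason applies; a known relay
    client with a short, small session is left alone.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_relay_dest(rec["dest"]):
            continue
        reasons = []
        if rec["src"] not in KNOWN_RELAY_CLIENTS:
            reasons.append("unexpected-source")
        if rec["dur"] >= LONG_SESSION_S:
            reasons.append("long-lived-session")
        if rec["bytes"] >= LARGE_EGRESS_BYTES:
            reasons.append("large-egress")
        if reasons:
            findings.append((rec["src"], rec["dest"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for src, dest, reasons in triage(SAMPLE_LOG):
        print(f"{src} -> {dest}: {', '.join(reasons)}")
```

The hostname alone is a weak signal: *.servicebus.windows.net also carries ordinary Azure Service Bus queue and topic traffic, and *.cloudapp.azure.com fronts any public Azure VM, so without a per-source baseline or allowlist this rule drowns in legitimate noise. The useful signals are the combination of an unexpected source, a session held open far longer than an API call needs, and egress volume out of proportion to the host's role.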

Skytalks
Misora