2026-06-25, Track 2
The increase in hybrid cloud adoption over the last decade has extended traditional Active Directory domain environments into the Azure (and Entra ID) cloud. During that time, penetration tests and red team assessments have also been bringing Azure tenants into engagement scopes. Less experienced testers often find themselves with an initial foothold in Azure but without the experience to know what an escalation path would look like. This talk will cover all the steps along the way from initial access through persistence.
Attendees should walk away with some new techniques, along with a handful of potential escalation paths for furthering access in an Azure tenant. In addition to this, we will cover some techniques for maintaining privileged access after an initial escalation. Finally, we will be introducing a new resource for identifying attack paths for specific Azure services.
Starting off with some basics, attendees will get a brief lesson on the fundamental concepts that support Azure tenants. Building on that foundation, we will explain what privilege escalation looks like in Azure, as compared to a traditional on-prem environment. Often in the cloud, there can be a blending of concepts that results in escalation, lateral movement, and persistence. With all of these in mind, we will then go over the escalation and lateral movement options for multiple Azure resource types. These will be focused on the permissions a user may have available, and how those permissions can be abused. We will also cover escalations from the Entra ID side and explain why that's fundamentally different from the Azure resource level escalations. Finally, we will wrap things up with a few persistence concepts in Azure and provide some resources to help with escalations.
As a VP of Research, Karl is part of a team developing new services and product offerings at NetSPI. Karl previously oversaw the Cloud Penetration Testing service lines at NetSPI and is one of the founding members of NetSPI's Portland, OR team. Karl has a Bachelors of Computer Science from the University of Minnesota and has been in the security consulting industry for over 15 years. Karl spends most of his research time focusing on Azure security and contributing to the NetSPI blog. As part of this research, Karl created the MicroBurst toolkit to house many of the PowerShell tools that he uses for testing Azure. In 2021, Karl co-authored the book "Penetration Testing Azure for Ethical Hackers" with David Okeyode.
Thomas Elling is the Director of Azure/Entra ID Cloud Pentesting and a security researcher at NetSPI. He specializes in web application and cloud security testing. He has advised multiple Fortune 500 companies in the technology sector. In his spare time, Thomas enjoys improving his coding skills, watching bad action movies, and hanging out with his dog, Chunks.