Azure Backdoors: How to Hide Them, How to Find Them

Andy Robbins - Red Team Zone

Abstract:

Attackers of all sorts have been using backdoors to maintain persistence in computer systems and bypass security controls since at least the 1980s. There is a rich history of deeply technical work studying backdoors that affect operating systems such as Windows and Linux, as well as identity platforms like Active Directory. In 2022, many organizations employ fully staffed teams that are dedicated partly (or sometimes exclusively) to hunting for backdoors in their networks. By comparison, far less is known about backdoors that target Azure and its wide array of services. In this talk, I will give you the information you need to understand the foundational mechanics of Azure that attackers abuse to install and maintain backdoors. I will give examples of how attackers can deploy stealthy means of hiding their access, their privileges, and their command and control communications. I will also show you how to hunt for evidence of attackers deploying those tactics in your own Azure environments, and I will conclude with my thoughts on how you can prepare for the likely future of backdoors in Azure.

Speaker: Andy Robbins

Andy's background is in red teaming, where he performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at BlackHat USA, DEF CON, BSides Las Vegas, DerbyCon, and ekoparty, and actively researches Active Directory and Azure security. He is a co-creator of BloodHound and the Product Architect of BloodHound Enterprise.