Author: Security Research Team
Date: January 26, 2026
Classification: Security Research
```powershell
<#
.SYNOPSIS
Performs comprehensive email security reconnaissance on one or more domains.
.DESCRIPTION
Invoke-EmailRecon performs parallel DNS lookups and HTTP requests to gather
email security configuration data for specified domains. It collects information
about MX records, SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, DANE/TLSA, DNSSEC,
CAA records, Microsoft 365/Entra ID tenant details, ADFS federation, and
DNS blocklist status.
```
```yaml
title: PIM-Enabled Group Self-Assignment
id: b3d4e5f6-a7b8-4c9d-8e1f-2c3d4e5f6a7c
status: stable
description: |
  Detects when a user assigns themselves as an active or eligible member or owner of a group
  via Entra ID Group Management. This identifies potential indirect privilege escalation
  where a user adds themselves to a group that has been granted privileged administrative roles.
references:
  - learn.microsoft.com
author: Security Operations Center
```
```yaml
title: PIM Privileged Role Self-Assignment
id: a8d1c6e4-4f2b-4d9a-9e1b-2c3d4e5f6a7b
status: stable
description: |
  Detects when a user assigns a privileged role to their own account through PIM.
  By assigning themselves as an active or eligible member, an administrator can
  bypass the "four-eyes" principle and escalate their own privileges.
references:
  - learn.microsoft.com
author: Security Operations Center
```
```kusto
// Alerts in the last hour (the time filter below uses ago(1h))
let notJunkAlerts =
    AlertInfo
    | where Title == "Email reported by user as not junk"
        and TimeGenerated >= ago(1h)
    | project AlertId;
let evidence =
    AlertEvidence
    | where AlertId in (notJunkAlerts)
        and isnotempty(NetworkMessageId)
```
```powershell
function Invoke-StealthOperation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [object]$InputObject,
        [Parameter(Mandatory = $false)]
        [ValidateSet("Random", "Progressive", "BusinessHours", "Exponential")]
        [string]$DelayType = "Random",
```
Published: August 20, 2025 | By BlackCat Security Team
While developing reconnaissance tools for the BlackCat module, I kept running into a fundamental issue: modern detection systems are not only flagging tools by what they do, but also by when they do it. The functions themselves worked perfectly, but their timing patterns might scream "automation" to behavioral analysis engines.
The converted warehouse apartment in Seattle's SoDo district doesn't look like much from the outside, but behind the reinforced steel door marked "3B," Elena Sterling has built a digital command center that would make most penetration testers jealous. Three curved monitors dominate the main wall. The desk surface disappears beneath notebooks filled with drawings and diagrams showing how innocent role assignments chain together into devastating attack paths.
Elena "Phantom" Sterling earned her reputation the hard way. Unlike the script kiddies and ransomware crews that grab headlines, her specialty lies in surgical precision operations that leave no trace while extracting maximum value. Former colleagues from her days at a major West Coast cybersecurity firm would be shocked to learn that their methodical, regulation-obsessed teammate had evolved into something else entirely—a digital predator who turns organizations' own security measures against them.
**Becoming