Rogier Dijkman azurekid

Phase 1

# Step 1: DNS record discovery
Find-DnsRecords -Domains "bluemountaintravel.uk"

# Step 2: Find DNS records for Azure resources
Find-AzurePublicResource -Name "bluemountaintravel" `

Impairing Azure Defenses Through Diagnostic Setting Manipulation

MITRE ATT&CK: T1562.008 — Impair Defenses: Disable or Modify Cloud Logs
Tactic: TA0005 — Defense Evasion
BlackCat Function: Disable-DiagnosticSetting

Introduction

Azure Functions Key Encryption: A Deep Dive into Security Mechanisms and Vulnerabilities

Author: Security Research Team
Date: January 26, 2026
Classification: Security Research

Executive Summary

This script demonstrates a practical proof-of-concept for an attack that:

Uses a compromised App Registration to restore a deleted privileged App
Uses that privileged App to clone a high-privilege user
Authenticates with the new cloned user

Prerequisites

PowerShell 7.x
Az PowerShell module

The Phantom Sterling Chronicles: How Toxic Role Combinations Turned Anonymous Access into Global Admin

A cybersecurity thriller based on real-world attack techniques

Chapter 1: The Digital Treasure Hunt - Initial Reconnaissance

Day 1 - 3:47 AM EST

	# Find-AdmxUsage.ps1
	param(
	[Parameter(Mandatory=$true)][string]$AdmxFileName
	)

	Import-Module Microsoft.Graph.DeviceManagement -ErrorAction Stop
	Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All","Directory.Read.All"

	$keywords = @($AdmxFileName.ToLower(), "mozilla", "firefox", "software\\policies\\mozilla", "mozilla.firefox")

	<#
	.SYNOPSIS
	Performs comprehensive email security reconnaissance on one or more domains.

	.DESCRIPTION
	Invoke-EmailRecon performs parallel DNS lookups and HTTP requests to gather
	email security configuration data for specified domains. It collects information
	about MX records, SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, DANE/TLSA, DNSSEC,
	CAA records, Microsoft 365/Entra ID tenant details, ADFS federation, and
	DNS blocklist status.

	title: PIM-Enabled Group Self-Assignment
	id: b3d4e5f6-a7b8-4c9d-8e1f-2c3d4e5f6a7c
	status: stable
	description: \|
	Detects when a user assigns themselves as an active or eligible member or owner of a group
	via Entra ID Group Management. This identifies potential indirect privilege escalation
	where a user adds themselves to a group that has been granted privileged administrative roles.
	references:
	- learn.microsoft.com
	author: Security Operations Center

	title: PIM Privileged Role Self-Assignment
	id: a8d1c6e4-4f2b-4d9a-9e1b-2c3d4e5f6a7b
	status: stable
	description: \|
	Detects when a user assigns a privileged role to their own account through PIM.
	By assigning themselves as an active or eligible member, an administrator can
	bypass the "four-eyes" principle and escalate their own privileges.
	references:
	- learn.microsoft.com
	author: Security Operations Center

	// Alerts in last 24h
	let notJunkAlerts =
	AlertInfo
	\| where Title == "Email reported by user as not junk"
	and TimeGenerated >= ago(1h)
	\| project AlertId;
	let evidence =
	AlertEvidence
	\| where AlertId in (notJunkAlerts)
	and isnotempty(NetworkMessageId)