Security Researcher @ Datadog. 🐶 Head in the (Azure) clouds. Sometimes blogging, always curious. Aim to be, rather than to seem. Blogs at https://kknowl.es.https://bsky.app/profile/siigil.bsky.socialhttps://bsky.app/profile/siigil.bsky.social/post/3m3mw2w2y4k2d😈 Copilot Studio agents are great for users... and attackers! Check out our deep-dive on why you should be careful to trust unknown agents, plus background on upcoming app consent changes that will help prevent our demo scenario. https://securitylabs.datadoghq.com/articles/cophish-using-microsoft-copilot-studio-as-a-wrapper/20 Oct 2025 13:24 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3m3mw2w2y4k2dhttps://bsky.app/profile/siigil.bsky.social/post/3lwetageet22x🎉 Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one: https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/#appendix14 Aug 2025 17:06 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lwetageet22xhttps://bsky.app/profile/siigil.bsky.social/post/3lvbzqbc4hk2bExcited to see folks at DEFCON next week!! Ready to see some great talks and get those conference steps in. 👟31 Jul 2025 20:59 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lvbzqbc4hk2bhttps://bsky.app/profile/siigil.bsky.social/post/3lu3ivz6n5c2y🕵️‍♀️ Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @securitylabs.datadoghq.com post: https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/16 Jul 2025 13:17 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lu3ivz6n5c2yhttps://bsky.app/profile/siigil.bsky.social/post/3lt2szijzek22☁️ My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service principal is, how Microsoft's first-party apps could be backdoored, and one weird trick they haven't fixed yet: https://www.youtube.com/watch?v=oNpwtt1TEkQ03 Jul 2025 13:20 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lt2szijzek22https://bsky.app/profile/siigil.bsky.social/post/3lseom56wac2tMy RSAC virtual session is up! Catch "Persisting Unseen: Attacker Methods of Infesting Entra ID" here: https://youtu.be/ngSFP-tgupM?si=hsI5_Q7vW2UWIeYQ&t=4719 Companion blog: https://kknowl.es/posts/defending-against-entra-id-persistence/24 Jun 2025 18:03 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lseom56wac2thttps://bsky.app/profile/siigil.bsky.social/post/3lrsk3t2ces2u🕵️‍♀️ I'll be presenting "I SPy: Rethinking Entra ID research for new paths to Global Admin” at fwd:cloudsec June 30-July 1, alongside some fantastic other speakers: https://fwdcloudsec.org/conference/north-america/speakers.html If you can’t make it, talks are streamed at: www.youtube.com/@fwdcloudsec17 Jun 2025 12:54 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lrsk3t2ces2uhttps://bsky.app/profile/siigil.bsky.social/post/3lquymn6irc23🥷 Detect & defend vs Entra ID persistence! From my RSAC Cloud Summit talk, I've shared how attackers persist through Entra ID roles, applications, and authentication... and how you can stop them: https://kknowl.es/posts/defending-against-entra-id-persistence/05 Jun 2025 18:54 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lquymn6irc23https://bsky.app/profile/siigil.bsky.social/post/3lor5qvfkvs2s🌐 I'll be speaking at RSA Conference's Virtual Seminar on Cloud Security on June 5, 2025! I'll be sharing a technical overview of Entra persistence techniques for all levels. You can sign up to stop by here: https://www.rsaconference.com/library/virtual%20seminar/hds19-cloud-security https://lnkd.in/gQ-eNuDT09 May 2025 19:25 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lor5qvfkvs2shttps://bsky.app/profile/siigil.bsky.social/post/3lojo4jzvrk2u👾 It's up!! Everything you ever wanted to know about Entra Administrative Unit (AU) attack paths, from my talk at @specterops.io SO-CON 😁 https://www.youtube.com/watch?v=oxD7-UhE3Nw06 May 2025 19:56 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lojo4jzvrk2uhttps://bsky.app/profile/siigil.bsky.social/post/3lm5dgjg2q22qHad a fantastic time at @specterops.bsky.social SO-CON and Azure training! So much to learn, and so many incredible people to meet. Feeling excited to apply all this knowledge... time to head home. 😁06 Apr 2025 11:23 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3lm5dgjg2q22qhttps://bsky.app/profile/siigil.bsky.social/post/3llolm4idsc26Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:31 Mar 2025 14:39 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3llolm4idsc26https://bsky.app/profile/siigil.bsky.social/post/3ll7uk46gf223🛡️ We found a bug in restricted AUs that let accounts stay restricted (forever!) without an AU, preventing containment. Glad this is fixed now! More details here: https://securitylabs.datadoghq.com/articles/creating-immutable-users-entra-id-administrative-units/25 Mar 2025 18:09 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3ll7uk46gf223https://bsky.app/profile/siigil.bsky.social/post/3ldqljln67s2f🎄Have you ever paid for a simple product and thought, "Hey, I could build that"? As a pre-holiday project, I tried my hand at "home cooking" my own web text editor with GPT Canvas: https://kknowl.es/posts/home-cooking-apps-with-ai/ + the results: github.com/siigil/brevity20 Dec 2024 14:22 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3ldqljln67s2fhttps://bsky.app/profile/siigil.bsky.social/post/3ldojbo64v22a👻 Excited to be presenting "Abusing AUs, Confusing the SOC: Entra ID's Administrative Unit Attack Paths" at #SOCON2025, March 31-April 1! You can register to join me with discount code SOCONSPEAKER20: ghst.ly/socon25-spkr19 Dec 2024 18:36 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3ldojbo64v22ahttps://bsky.app/profile/siigil.bsky.social/post/3ldix4zdk7s27🔑 Azure Key Vault Contributors can't access keys... but they CAN modify access policies! More on how this can lead to unintended data access here: https://securitylabs.datadoghq.com/articles/escalating-privileges-to-read-secrets-with-azure-key-vault-access-policies/17 Dec 2024 13:28 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3ldix4zdk7s27https://bsky.app/profile/siigil.bsky.social/post/3ldccam6nb22y🎄 I shared a lab on reviewing Azure security with KQL + Resource Graph Explorer! My walkthrough is available as Day 14 of the Advent of Cloud Security: ❄️ Calendar, Day 14: advent.cloudsecuritypodcast.tv ❄️ Full Repo: https://github.com/siigil/azure-kql-demo14 Dec 2024 21:58 +0000at://did:plc:orgollddhva2byrhdvkmlxml/app.bsky.feed.post/3ldccam6nb22y