Rogier Dijkman azurekid

Impairing Azure Defenses Through Diagnostic Setting Manipulation

MITRE ATT&CK: T1562.008 — Impair Defenses: Disable or Modify Cloud Logs
Tactic: TA0005 — Defense Evasion
BlackCat Function: Disable-DiagnosticSetting


Introduction

Azure Functions Key Encryption: A Deep Dive into Security Mechanisms and Vulnerabilities

Author: Security Research Team
Date: January 26, 2026
Classification: Security Research


Executive Summary

<#
.SYNOPSIS
Performs comprehensive email security reconnaissance on one or more domains.
.DESCRIPTION
Invoke-EmailRecon performs parallel DNS lookups and HTTP requests to gather
email security configuration data for specified domains. It collects information
about MX records, SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, DANE/TLSA, DNSSEC,
CAA records, Microsoft 365/Entra ID tenant details, ADFS federation, and
DNS blocklist status.
@azurekid
azurekid / entra_id_privileged_group_self_assignment.yml
Created December 30, 2025 13:48
Sigma rule for: Self Assignment Privileged Group
title: PIM-Enabled Group Self-Assignment
id: b3d4e5f6-a7b8-4c9d-8e1f-2c3d4e5f6a7c
status: stable
description: |
Detects when a user assigns themselves as an active or eligible member or owner of a group
via Entra ID Group Management. This identifies potential indirect privilege escalation
where a user adds themselves to a group that has been granted privileged administrative roles.
references:
- learn.microsoft.com
author: Security Operations Center
@azurekid
azurekid / entra_id_privileged_role_self_assignment.yml
Created December 30, 2025 13:46
SIGMA Rule for: PIM Privileged Role Self-Assignment
title: PIM Privileged Role Self-Assignment
id: a8d1c6e4-4f2b-4d9a-9e1b-2c3d4e5f6a7b
status: stable
description: |
Detects when a user assigns a privileged role to their own account through PIM.
By assigning themselves as an active or eligible member, an administrator can
bypass the "four-eyes" principle and escalate their own privileges.
references:
- learn.microsoft.com
author: Security Operations Center
// "Not junk" user-report alerts in the last hour (matches the ago(1h) filter below)
let notJunkAlerts =
AlertInfo
| where Title == "Email reported by user as not junk"
and TimeGenerated >= ago(1h)
| project AlertId;
let evidence =
AlertEvidence
| where AlertId in (notJunkAlerts)
and isnotempty(NetworkMessageId)

This script demonstrates a practical proof-of-concept for an attack that:

  1. Uses a compromised App Registration to restore a deleted privileged App
  2. Uses that privileged App to clone a high-privilege user
  3. Authenticates with the new cloned user

Prerequisites

  • PowerShell 7.x
  • Az PowerShell module

The Phantom Sterling Chronicles: How Toxic Role Combinations Turned Anonymous Access into Global Admin

A cybersecurity thriller based on real-world attack techniques


Chapter 1: The Digital Treasure Hunt - Initial Reconnaissance

Day 1 - 3:47 AM EST

@azurekid
azurekid / Invoke-StealthOperation.ps1
Created August 21, 2025 08:33
Invoke StealthOperation function
function Invoke-StealthOperation {
[CmdletBinding()]
param(
[Parameter(Mandatory = $false, ValueFromPipeline = $true)]
[object]$InputObject,
[Parameter(Mandatory = $false)]
[ValidateSet("Random", "Progressive", "BusinessHours", "Exponential")]
[string]$DelayType = "Random",
@azurekid
azurekid / Invoke-StealthOperation.md
Last active August 20, 2025 12:54
Invoke-StealthOperation

Building Invoke-StealthOperation: A Journey into Cultural Cybersecurity

Published: August 20, 2025 | By BlackCat Security Team


The Pattern Recognition Problem

While developing reconnaissance tools for the BlackCat module, I kept running into a fundamental issue: modern detection systems are not only flagging tools by what they were doing, but also when they were doing it. The functions themselves worked perfectly, but their timing patterns might scream "automation" to behavioral analysis engines.