Rogier Dijkman azurekid

# Find-AdmxUsage.ps1
# Searches Intune device configuration (via Microsoft Graph) for settings that reference a given ADMX file.
param(
    [Parameter(Mandatory=$true)][string]$AdmxFileName
)
Import-Module Microsoft.Graph.DeviceManagement -ErrorAction Stop
# Read-only scopes are sufficient: the script only enumerates configuration, it changes nothing.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All","Directory.Read.All"
# Search terms: the ADMX file name plus the Firefox policy paths this gist targets.
$keywords = @($AdmxFileName.ToLower(), "mozilla", "firefox", "software\\policies\\mozilla", "mozilla.firefox")

Impairing Azure Defenses Through Diagnostic Setting Manipulation

MITRE ATT&CK: T1562.008 — Impair Defenses: Disable or Modify Cloud Logs
Tactic: TA0005 — Defense Evasion
BlackCat Function: Disable-DiagnosticSetting


Introduction

Azure Functions Key Encryption: A Deep Dive into Security Mechanisms and Vulnerabilities

Author: Security Research Team
Date: January 26, 2026
Classification: Security Research


Executive Summary

<#
.SYNOPSIS
    Performs comprehensive email security reconnaissance on one or more domains.
.DESCRIPTION
    Invoke-EmailRecon performs parallel DNS lookups and HTTP requests to gather
    email security configuration data for specified domains. It collects information
    about MX records, SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, DANE/TLSA, DNSSEC,
    CAA records, Microsoft 365/Entra ID tenant details, ADFS federation, and
    DNS blocklist status.
#>
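The description above lists what Invoke-EmailRecon collects but not what a weak answer looks like. The following is an added example (not azurekid's Invoke-EmailRecon code) that evaluates SPF and DMARC TXT records for the findings a recon run would report: a missing or duplicated SPF record, `+all`/`?all`, the deprecated `ptr` mechanism, more than ten DNS-querying terms, a DMARC policy of `none`, a partial `pct`, and no `rua` address. The domain names and TXT answers in `SAMPLE_TXT` are constructed so the script runs offline; in a real run `lookup_txt` would be replaced by a DNS query for `<domain>` and `_dmarc.<domain>`.

```python
"""Evaluate SPF and DMARC TXT records for common weaknesses (offline example)."""
import re

# Constructed sample TXT answers keyed by DNS name; these are not real lookups.
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"],
    "weak.example": ["v=spf1 a mx ptr +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "nodmarc.example": ["v=spf1 ip4:192.0.2.0/24 ~all", "some-unrelated-txt-record"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name, txt_table=SAMPLE_TXT):
    """Stand-in for a DNS TXT query: returns the TXT strings published at a name."""
    return list(txt_table.get(name.lower(), []))


def check_spf(domain, txt_table=SAMPLE_TXT):
    """Return a list of SPF findings for the domain (empty list = nothing to report)."""
    records = [r for r in lookup_txt(domain, txt_table) if r.lower().startswith("v=spf1")]
    if not records:
        return ["spf: no record (mail spoofing this domain is never rejected on SPF)"]
    if len(records) > 1:
        return ["spf: multiple v=spf1 records (permerror under RFC 7208, SPF is effectively off)"]
    findings, lookups = [], 0
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term[1:] if term[0] in "+-~?" else term
        name = re.split(r"[:=/]", body, 1)[0].lower()       # mechanism or modifier name
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("spf: ptr mechanism is deprecated and expensive to evaluate")
        if name == "all" and qualifier == "+":
            findings.append("spf: '+all' authorises every sender on the internet")
        if name == "all" and qualifier == "?":
            findings.append("spf: '?all' is neutral, equivalent to publishing no policy")
    if lookups > 10:
        findings.append(f"spf: {lookups} DNS-querying terms exceed the 10-lookup limit (permerror)")
    return findings


def check_dmarc(domain, txt_table=SAMPLE_TXT):
    """Return a list of DMARC findings for the domain (empty list = nothing to report)."""
    records = [r for r in lookup_txt(f"_dmarc.{domain}", txt_table)
               if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["dmarc: no record (receivers apply no policy to failing mail)"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"dmarc: p={policy or 'missing'} is monitoring only, nothing is enforced")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc: pct={pct} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("dmarc: no rua address, so no aggregate reports reveal abuse")
    return findings


def assess(domain, txt_table=SAMPLE_TXT):
    """Combine the SPF and DMARC checks for one domain."""
    return {"spf": check_spf(domain, txt_table), "dmarc": check_dmarc(domain, txt_table)}


if __name__ == "__main__":
    for d in ("example.com", "weak.example", "nodmarc.example"):
        print(d, assess(d))
```

`check_spf` counts lookups on the top-level record only; a full evaluation recurses into each `include:` and `redirect=` target, which is where real-world records most often blow past the limit.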
azurekid / entra_id_privileged_group_self_assignment.yml
Created December 30, 2025 13:48
Sigma rule for: Self Assignment Privileged Group
title: PIM-Enabled Group Self-Assignment
id: b3d4e5f6-a7b8-4c9d-8e1f-2c3d4e5f6a7c
status: stable
description: |
Detects when a user assigns themselves as an active or eligible member or owner of a group
via Entra ID Group Management. This identifies potential indirect privilege escalation
where a user adds themselves to a group that has been granted privileged administrative roles.
references:
- learn.microsoft.com
author: Security Operations Center
azurekid / entra_id_privileged_role_self_assignment.yml
Created December 30, 2025 13:46
SIGMA Rule for: PIM Privileged Role Self-Assignment
title: PIM Privileged Role Self-Assignment
id: a8d1c6e4-4f2b-4d9a-9e1b-2c3d4e5f6a7b
status: stable
description: |
Detects when a user assigns a privileged role to their own account through PIM.
By assigning themselves as an active or eligible member, an administrator can
bypass the "four-eyes" principle and escalate their own privileges.
references:
- learn.microsoft.com
author: Security Operations Center
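Both Sigma rules above reduce to one condition: the principal in `initiatedBy` is also a `User` entry in `targetResources` of an assignment event. The following is an added example (not azurekid's rules or Microsoft code) that runs that condition over audit events whose shape follows Entra ID directoryAudit records; the activity names, object ids, UPNs and the `PRIVILEGED_GROUPS` watch-list are constructed for the example. Role self-assignments are always reported as privileged; group self-assignments are marked privileged only when the group is on the watch-list, which mirrors the "group that has been granted privileged administrative roles" context in the first rule.

```python
"""Flag PIM role and group assignments where the initiator is also the target (example)."""

# Constructed audit events. e1, e3 and e6 are self-assignments; e2 targets another
# user, e4 is initiated by an application, e5 is a removal.
SAMPLE_EVENTS = [
    {"id": "e1", "category": "RoleManagement",
     "activityDisplayName": "Add eligible member to role in PIM completed (permanent)",
     "initiatedBy": {"user": {"id": "u-100", "userPrincipalName": "alice@example.com"}},
     "targetResources": [
         {"id": "u-100", "type": "User", "userPrincipalName": "alice@example.com"},
         {"id": "r-ga", "type": "Role", "displayName": "Global Administrator"}]},
    {"id": "e2", "category": "RoleManagement",
     "activityDisplayName": "Add member to role in PIM completed (permanent)",
     "initiatedBy": {"user": {"id": "u-100", "userPrincipalName": "alice@example.com"}},
     "targetResources": [
         {"id": "u-200", "type": "User", "userPrincipalName": "bob@example.com"},
         {"id": "r-ua", "type": "Role", "displayName": "User Administrator"}]},
    {"id": "e3", "category": "GroupManagement",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"id": "u-300", "userPrincipalName": "carol@example.com"}},
     "targetResources": [
         {"id": "u-300", "type": "User", "userPrincipalName": "carol@example.com"},
         {"id": "g-1", "type": "Group", "displayName": "Tier0-Admins"}]},
    {"id": "e4", "category": "GroupManagement",
     "activityDisplayName": "Add member to group",
     "initiatedBy": {"app": {"displayName": "SCIM provisioning"}},
     "targetResources": [
         {"id": "u-400", "type": "User", "userPrincipalName": "dave@example.com"},
         {"id": "g-1", "type": "Group", "displayName": "Tier0-Admins"}]},
    {"id": "e5", "category": "RoleManagement",
     "activityDisplayName": "Remove member from role in PIM completed (permanent)",
     "initiatedBy": {"user": {"id": "u-100", "userPrincipalName": "alice@example.com"}},
     "targetResources": [
         {"id": "u-100", "type": "User", "userPrincipalName": "alice@example.com"},
         {"id": "r-ga", "type": "Role", "displayName": "Global Administrator"}]},
    {"id": "e6", "category": "GroupManagement",
     "activityDisplayName": "Add owner to group",
     "initiatedBy": {"user": {"id": "u-500", "userPrincipalName": "erin@example.com"}},
     "targetResources": [
         {"id": "u-500", "type": "User", "userPrincipalName": "erin@example.com"},
         {"id": "g-2", "type": "Group", "displayName": "Lunch-Club"}]},
]

# Activity-name prefixes that grant membership or ownership (assumed list; removals
# and pending requests are deliberately not matched).
ASSIGNMENT_ACTIVITIES = (
    "add member to role", "add eligible member to role",
    "add member to group", "add eligible member to group",
    "add owner to group", "add eligible owner to group",
)

# Constructed watch-list of role-assignable groups.
PRIVILEGED_GROUPS = {"Tier0-Admins"}


def is_assignment(activity):
    return activity.lower().startswith(ASSIGNMENT_ACTIVITIES)


def actor_of(event):
    """The interactive user who initiated the event, or None for app/service initiators."""
    return (event.get("initiatedBy") or {}).get("user")


def same_principal(a, b):
    """Compare by object id when both sides have one, otherwise by UPN (case-insensitive)."""
    if a.get("id") and b.get("id"):
        return a["id"] == b["id"]
    ua, ub = a.get("userPrincipalName"), b.get("userPrincipalName")
    return bool(ua and ub and ua.lower() == ub.lower())


def detect_self_assignment(events, privileged_groups=PRIVILEGED_GROUPS):
    """Return one hit per assignment event whose initiator is among its User targets."""
    hits = []
    for event in events:
        activity = event.get("activityDisplayName", "")
        actor = actor_of(event)
        if not actor or not is_assignment(activity):
            continue
        targets = event.get("targetResources", [])
        users = [t for t in targets if t.get("type") == "User"]
        scopes = [t for t in targets if t.get("type") in ("Role", "Group")]
        if not any(same_principal(actor, u) for u in users):
            continue
        kind = "role" if "to role" in activity.lower() else "group"
        scope = scopes[0].get("displayName", "") if scopes else ""
        hits.append({
            "event": event.get("id"),
            "actor": actor.get("userPrincipalName"),
            "kind": kind,
            "scope": scope,
            "privileged": kind == "role" or scope in privileged_groups,
        })
    return hits


if __name__ == "__main__":
    for hit in detect_self_assignment(SAMPLE_EVENTS):
        print(hit)
```

Matching on object id first matters: a UPN can be changed between the request and the completion event, whereas the directory object id cannot.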
// "Not junk" user-report alerts from the last hour (the filter uses ago(1h); widen as needed)
let notJunkAlerts =
    AlertInfo
    | where Title == "Email reported by user as not junk"
        and TimeGenerated >= ago(1h)
    | project AlertId;
// Evidence rows that carry a message id, so the reported mail can be traced further
let evidence =
    AlertEvidence
    | where AlertId in (notJunkAlerts)
        and isnotempty(NetworkMessageId)
    | project AlertId, NetworkMessageId;   // assumed completion of the truncated gist
evidence

This script demonstrates a practical proof-of-concept for an attack that:

  1. Uses a compromised App Registration to restore a deleted privileged App
  2. Uses that privileged App to clone a high-privilege user
  3. Authenticates with the new cloned user

Prerequisites

  • PowerShell 7.x
  • Az PowerShell module

The Phantom Sterling Chronicles: How Toxic Role Combinations Turned Anonymous Access into Global Admin

A cybersecurity thriller based on real-world attack techniques


Chapter 1: The Digital Treasure Hunt - Initial Reconnaissance

Day 1 - 3:47 AM EST

azurekid / Invoke-StealthOperation.ps1
Created August 21, 2025 08:33
Invoke StealthOperation function
function Invoke-StealthOperation {
    [CmdletBinding()]
    param(
        # Object(s) to operate on; accepted from the pipeline
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [object]$InputObject,
        # Pacing strategy for the delay between operations
        [Parameter(Mandatory = $false)]
        [ValidateSet("Random", "Progressive", "BusinessHours", "Exponential")]
        [string]$DelayType = "Random",