Hiding in the clouds:How attackers can use applications for sustained persistence and how to find it

Applications are modernizing. With that, the way permissions for these applications are granted are also changing. These new changes can allow an attacker to have sustained persistence in plain sight if we don’t understand how these work and where to look.  What’s the difference if an application has permissions or an application has delegated permissions? Why did that admin account consent to that application, should I be worried? Is that application overprivileged? I have thousands of apps, how do I account for this? In this session we will look to demystify and bring clarity to these questions. You’ll understand these new application models and how they can be abused for sustained persistence, how these permissions work and what overprivileged looks like and finally, how to find them in your environment.


Mark Morowczynski

Mark Morowczynski (@markmorow) is a Principal Program Manager on the customer success team in the Microsoft Identity division. He spends most of his time working with customers on their deployments of Azure Active Directory. Previously he was Premier Field Engineer supporting Active Directory, Active Directory Federation Services and Windows Client performance. He was also one of the founders of the AskPFEPlat blog. He's spoken at various industry events such as Black Hat 2019, Defcon Blue Team Village, several Bsides, Microsoft Ignite, Microsoft Inspire, Microsoft Ready, Microsoft MVP Summits, The Cloud Identity Summit, SANs Security Summits and TechMentor. He can be frequently found on Twitter as @markmorow arguing about baseball and making sometimes funny gifs.

Gloria Lee

Gloria Lee is a Program Manager at Microsoft focused on driving customer success in the Azure Identity division. She works with customers utilize Azure Active Directory to strengthen security posture protecting identity, applications both in a hybridized and cloud only environments. Previously, she was a seasoned IT engineer and architect with 15+ years of experience in the areas of Identity, security as well as messaging and collaboration. She had previously presented at Microsoft events such as Identity Driven Airlift Conference for partners. Outside of technology, she enjoys spend time with family experiment fun games and bargain hunting.

Thursday Oct 29, 2020 - 11:45 AM CDT

Level 0, Blue Team Village