Katie Knowles
siigil.bsky.social
Security Researcher @ Datadog. 🐶 Head in the (Azure) clouds.
Sometimes blogging, always curious. Aim to be, rather than to seem.
Blogs at https://kknowl.es.
😈 Copilot Studio agents are great for users... and attackers! Check out our deep-dive on why you should be careful to trust unknown agents, plus background on upcoming app consent changes that will help prevent our demo scenario.
securitylabs.datadoghq.com/articles/cop...
CoPhish: Using Microsoft Copilot Studio as a wrapper for OAuth phishing | Datadog Security Labs
Copilot Studio links look benign, but they can host content to redirect users to arbitrary URLs. In this post, we document a method by which a Copilot Studio agent's login settings can redirect a user...
securitylabs.datadoghq.com
October 20, 2025 at 1:24 PM
Reposted by Katie Knowles
Old and busted: Cloud attackers making noisy List/Describe calls.

New hotness: Laundering enumeration calls through an AWS service silently.

Or at least, that used to work, until @datadoghq.com partnered with AWS to close this gap. Read more here:
securitylabs.datadoghq.com/articles/enu...
Enumerating AWS the quiet way: CloudTrail-free discovery with Resource Explorer | Datadog Security Labs
Discover how attackers could quietly enumerate AWS resources via Resource Explorer, and how Datadog and AWS worked together to close the visibility gap.
securitylabs.datadoghq.com
August 19, 2025 at 4:10 PM
🎉 Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one:
securitylabs.datadoghq.com/articles/i-s...
I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...
securitylabs.datadoghq.com
August 14, 2025 at 5:06 PM
Reposted by Katie Knowles
Check out my new blog on nested app authentication.
Why should Microsoft's Nested App Authentication (NAA) be on your security team's radar? @1cemoon.bsky.social breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3
Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication - SpecterOps
In depth walkthrough for using nested app authentication (NAA), or BroCI, for offensive engagements to access information and resources.
ghst.ly
August 13, 2025 at 4:43 PM
Excited to see folks at DEFCON next week!! Ready to see some great talks and get those conference steps in. 👟
July 31, 2025 at 8:59 PM
🕵️‍♀️ Looking to escalate privileges with a first-party Microsoft app? How do federated domain backdoors work? And what's an app reg, really? All this and more in our new @securitylabs.datadoghq.com post:
securitylabs.datadoghq.com/articles/i-s...
I SPy: Escalating to Entra ID's Global Admin with a first-party app | Datadog Security Labs
Backdooring Microsoft's applications is far from over. Adding service principal credentials to these apps to escalate privileges and obfuscate activities has been seen in nation-state attacks, and led...
securitylabs.datadoghq.com
July 16, 2025 at 1:17 PM
Reposted by Katie Knowles
Join my team! We’re looking for a Senior Security Researcher specializing in Generative AI. You’ll have the opportunity to be a part of one of the leading security research organizations in the industry and shape Datadog’s security products! A 🧵
careers.datadoghq.com/detail/70312...
Senior Security Researcher - GenAI | Datadog Careers
We're building a platform that engineers love to use. Join us, and help usher in the future.
careers.datadoghq.com
July 9, 2025 at 3:45 PM
☁️ My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service principal is, how Microsoft's first-party apps could be backdoored, and one weird trick they haven't fixed yet:
www.youtube.com/watch?v=oNpw...
I SPy: Rethinking Entra ID research for new paths to Global Admin
YouTube video by fwd:cloudsec
www.youtube.com
July 3, 2025 at 1:20 PM
Reposted by Katie Knowles
At @wearetroopers.bsky.social I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable SaaS applications. The attack is still alive and well.

You can read all about it here:

#Entra #M365 #infosec

www.semperis.com/blog/noauth-...
New nOAuth Abuse Alert: Entra Cross-Tenant Saas Apps at Risk
Think nOAuth abuse is old news? We wish. Our recent testing shows that nearly 10% of apps in the Microsoft Entra Gallery remain vulnerable.
www.semperis.com
June 25, 2025 at 4:56 PM
My RSAC virtual session is up! Catch "Persisting Unseen: Attacker Methods of Infesting Entra ID" here: youtu.be/ngSFP-tgupM?...

Companion blog: kknowl.es/posts/defend...
Traditional Sessions: RSAC Virtual Seminar: Cloud Security
YouTube video by RSA Conference
youtu.be
June 24, 2025 at 6:03 PM
🕵️‍♀️ I'll be presenting "I SPy: Rethinking Entra ID research for new paths to Global Admin" at fwd:cloudsec June 30-July 1, alongside some fantastic other speakers: fwdcloudsec.org/conference/n...

If you can’t make it, talks are streamed at: www.youtube.com/@fwdcloudsec
fwd:cloudsec 2025 Speaker Bios & Abstracts | fwd:cloudsec
fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...
fwdcloudsec.org
June 17, 2025 at 12:54 PM
🥷 Detect & defend vs Entra ID persistence! From my RSAC Cloud Summit talk, I've shared how attackers persist through Entra ID roles, applications, and authentication... and how you can stop them: kknowl.es/posts/defend...
Persisting Unseen: Defending against Entra ID persistence
I recently presented “Persisting Unseen: Attacker Methods of Infesting Entra ID” at RSAC’s virtual Cloud Security seminar. This session introduced some methods attackers may use now or in the near fut...
kknowl.es
June 5, 2025 at 6:54 PM
Reposted by Katie Knowles
Excited to speak at @fwdcloudsec.org in Denver on June 30 with Anthony Randazzo! We’ll share lessons from a year of cloud threat hunting.

Don’t miss other @securitylabs.datadoghq.com talks from @siigil.bsky.social on EntraID escalation and @sethsec.bsky.social on AMI name confusion as well!
fwd:cloudsec 2025 Speaker Bios & Abstracts | fwd:cloudsec
fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...
fwdcloudsec.org
May 19, 2025 at 5:24 PM
🌐 I'll be speaking at RSA Conference's Virtual Seminar on Cloud Security on June 5, 2025! I'll be sharing a technical overview of Entra persistence techniques for all levels. You can sign up to stop by here: www.rsaconference.com/library/virt...
May 9, 2025 at 7:25 PM
Reposted by Katie Knowles
The CFP for fwd:cloudsec Europe is now open! We're looking for practitioner-focused cloud security content, and we encourage all practitioners to submit, whatever your role or level of experience.

The CFP is open until July 11th. Read more: fwdcloudsec.org/conference/e...
CFP | EU 2025 | fwd:cloudsec
fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...
fwdcloudsec.org
May 7, 2025 at 3:25 PM
👾 It's up!! Everything you ever wanted to know about Entra Administrative Unit (AU) attack paths, from my talk at @specterops.io SO-CON 😁
www.youtube.com/watch?v=oxD7...
Abusing AUs, Confusing the SOC: Entra ID's Administrative Unit Attack Paths | SO-CON 2025
YouTube video by SpecterOps
www.youtube.com
May 6, 2025 at 7:57 PM
Reposted by Katie Knowles
In our latest blog post, @xpnsec.com breaks down how SQL Server Transparent Data Encryption works, shares new methods for brute-forcing database encryption keys, & reveals a default key used by ManageEngine's ADSelfService product backups.

Read more 👉 ghst.ly/4iXFTyF
April 8, 2025 at 6:31 PM
Had a fantastic time at @specterops.bsky.social SO-CON and Azure training! So much to learn, and so many incredible people to meet. Feeling excited to apply all this knowledge... time to head home. 😁
April 6, 2025 at 11:23 AM
Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:
March 31, 2025 at 2:39 PM
🛡️ We found a bug in restricted AUs that let accounts stay restricted (forever!) without an AU, preventing containment. Glad this is fixed now! More details here: securitylabs.datadoghq.com/articles/cre...
Creating immutable users through a bug in Entra ID restricted administrative units | Datadog Security Labs
Imagine trying to disable a malicious user in your Azure environment, only to find it can't be modified! We recently identified a timing-based bug in Entra ID's restricted administrative units (AUs) t...
securitylabs.datadoghq.com
March 25, 2025 at 6:09 PM
Reposted by Katie Knowles
The Datadog Security Digest is a monthly, practitioner-focused newsletter.

Don't miss our February edition going live tomorrow!

securitylabs.datadoghq.com/newsletters/...
February 26, 2025 at 11:55 AM
Reposted by Katie Knowles
We discovered a pattern in the way many projects retrieve Amazon Machine Images (AMIs), allowing attackers to publish AMIs with specially crafted names and gain code execution within vulnerable accounts.

securitylabs.datadoghq.com/articles/who...

by @sethsec.bsky.social
whoAMI: A cloud image name confusion attack | Datadog Security Labs
Detailing the discovery and impact of the whoAMI cloud image name confusion attack, which could allow attackers to execute code within AWS accounts due to a vulnerable pattern in AMI retrieval.
securitylabs.datadoghq.com
February 12, 2025 at 3:29 PM
Reposted by Katie Knowles
Check out this new blog post from @andyrobbins.bsky.social discussing the fundamental components & mechanics that enable the emergence of critical Attack Paths in Microsoft's increasingly popular Intune product. ghst.ly/3Cd5cwH
Intune Attack Paths — Part 1
Intune is an attractive system for adversaries to target…
ghst.ly
January 15, 2025 at 5:48 PM
🎄Have you ever paid for a simple product and thought, "Hey, I could build that"? As a pre-holiday project, I tried my hand at "home cooking" my own web text editor with GPT Canvas: kknowl.es/posts/home-c...
+ the results: github.com/siigil/brevity
Home cooking apps with AI assistance
This is a reflective end-of-year post on using AI to make our app wishes come true. Happy holidays! ❄️
kknowl.es
December 20, 2024 at 2:22 PM