{"id":10482,"date":"2021-04-28T09:00:00","date_gmt":"2021-04-28T08:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/resources-hub\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/"},"modified":"2021-04-28T09:00:00","modified_gmt":"2021-04-28T08:00:00","slug":"attack-detection-fundamentals-2021-azure-lab-2","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/","title":{"rendered":"Attack Detection Fundamentals 2021: Azure &#8211; Lab #2"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Attack Detection Fundamentals 2021: Azure &#8211; <span class=\"blue-text\">Lab #2<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Attack Detection                                    <\/span>\n                                                                    <span class=\"wp-component-content__meta-category\">\n                     
                   Cloud Security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                28 April, 2021                            <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Teilen Sie dies                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Azure%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Azure &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" 
class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-447x298.jpg.webp 447w, 
https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_news-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_86d2f7bd6db7d85db0d461541e5f9411\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Masande Mtintsilana<\/h3>\n        \n           
Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Azure%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Azure &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <p>In the final part of WithSecure Consulting&#x27;s Attack Detection Fundamentals workshop series for 2021, we covered a walkthrough of an end-to-end kill chain in Azure.<\/p>\n<p>Beginning with compromising a user account to retrieve service principal credentials, escalating privileges by further credential discovery, and finally moving laterally to a VM to access sensitive information.<\/p>\n<p>A recording of the workshop can be found <a 
href=\"https:\/\/youtu.be\/Uen-gDtPxf4\" target=\"_blank\" rel=\"noopener\">here<\/a>, and the slides <a href=\"https:\/\/www.f-secure.com\/content\/dam\/f-secure\/en\/consulting\/events\/collaterals\/digital\/f-secure_attack-detection-fundamentals-workshop-4-azure_2021-04-28.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>In the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-azure-lab-1\/\" target=\"_blank\" rel=\"noopener\">previous lab<\/a>, we used consent phishing as our initial access technique in order to compromise a victim&#x27;s user account and discovered service principal credentials. In this lab, we will walk through discovering &#x27;what&#x27; permissions are assigned to this account and leverage this to escalate our privileges.<\/p>\n<h2>Required Tools<\/h2>\n<ul>\n<li>Deployment of the lab environment detailed in <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-azure-lab-1\/\" target=\"_blank\" rel=\"noopener\">lab one<\/a><\/li>\n<li>Azure CLI<\/li>\n<li>Azure CLI &quot;logic&quot; extension (installed with <code>az extension add --name logic<\/code>)<\/li>\n<\/ul>\n<h2>Walkthrough<\/h2>\n<h3>Account Setup<\/h3>\n<p>Before we begin this lab, we will need to update information in our target resource &#8211; Logic App. Log in to the Azure portal and search for the lab resource group &quot;ad-lab-rg&quot;. Select the Logic App resource named &quot;resource-tracker-&lt;random value&gt;-app&quot; and then navigate to the Logic App designer in the left-hand blade.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/logic-app-setup.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>By selecting the &quot;HTTP&quot; action, we will see its configuration details. 
Replace the following fields with those created during lab one.<\/p>\n<ul>\n<li>Tenant &#8211; Your tenant ID;<\/li>\n<li>Client ID &#8211; Contributor service principal client ID;<\/li>\n<li>Secret &#8211; Contributor service principal secret.<\/li>\n<\/ul>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/inkedhttp-action-config-redacted.jpg.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Don&#x27;t forget to click save!<\/p>\n<p>Note that entering a client secret as a literal value in an HTTP action&#x27;s headers is exactly the insecure configuration this lab goes on to exploit: the value becomes part of the workflow definition. It is done here only to build the target, and should not be replicated outside the lab.<\/p>\n<h3>Escalating Privileges<\/h3>\n<p>Using the previously discovered credentials from lab one, let&#x27;s log in to Azure as the service principal and discover which role assignments it holds.<\/p>\n<pre><code class=\"language-bash\">az login --service-principal --username &lt;client_id&gt; --password &lt;client_secret&gt; --tenant &lt;tenantId&gt;\naz role assignment list --all --assignee &lt;client_id&gt;<\/code><\/pre>\n<p>The second command lists every role assignment for the service principal at all scopes within the current subscription. Reading role assignments is itself a &quot;read&quot; action, so this enumeration works from a read-only account. An output similar to the below should be returned.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/role-assignment-reader.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>You will notice that you have Reader role permissions over the &quot;ad-lab-rg&quot; resource group. The Reader role is often considered relatively benign, as it grants only read actions and no write actions. However, &quot;read&quot; includes retrieving the full definition of every resource in scope, and several services can be configured in a way that embeds sensitive information in that definition. In this lab we are interested in Logic Apps. 
Let&#x27;s list all the Logic Apps we have access to using the following command:<\/p>\n<pre><code class=\"language-bash\">az logic workflow list --query &#x27;[].name&#x27;<\/code><\/pre>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/list-logic-apps2.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>We can see that a Logic App with the name &quot;resource-tracker-bhsjipxqcj-app&quot; exists (the random suffix will differ in your own deployment). With the Reader role, we can retrieve each Logic App&#x27;s full workflow definition. For those not familiar with Logic Apps, they are composed of &quot;actions&quot; which perform a task. For example, performing an HTTP request is an action. Some actions require credentials; if these are entered as literal values in the action, rather than kept out of the definition (for example in a secure parameter or a Key Vault reference), they form part of the workflow definition and are readable by anyone holding the Reader role on the resource.<\/p>\n<p>With this in mind, we can get the workflow definition for all Logic Apps and store the contents in a file for manual review.<\/p>\n<pre><code class=\"language-bash\">az logic workflow list &gt; workflows.json<\/code><\/pre>\n<p>As can be seen in the following output, an HTTP action exists that stores credentials in clear text as HTTP Headers &#8211; the very values entered during the Account Setup step above.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/logic-app-creds.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Great! 
By retrieving these credentials and repeating the steps above, we can log in to Azure as this newly-discovered service principal and list its role assignments.<\/p>\n<pre><code class=\"language-bash\">az login --service-principal --username &lt;client_id&gt; --password &lt;client_secret&gt; --tenant &lt;tenantId&gt;\naz role assignment list --all --assignee &lt;client_id&gt;<\/code><\/pre>\n<p>As can be seen below, the service principal has Contributor role permissions over the &quot;ad-lab-rg&quot; resource group.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/contributor-role.png.webp\" alt=\"\" class=\"wp-component-image\" \/><\/figure>\n<p>Contributor is a highly-privileged role: it can create, modify and delete any resource in the resource group, and broadly the only operations it is denied are those related to access management, such as assigning roles. In other words, this account cannot directly grant itself further roles, but it can change anything else in scope.<\/p>\n<h2>Detection<\/h2>\n<p>An interesting fact about Azure Activity logs is that most &quot;read&quot; operations are not logged. Indeed, <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-resource-manager\/management\/view-activity-logs\" target=\"_blank\" rel=\"noopener\">Microsoft<\/a> states that only &quot;write&quot; operations (PUT, POST and DELETE) are logged; plain GET requests such as the role assignment and workflow reads above never appear. (Be aware that some secret-retrieval operations, for example <code>listKeys<\/code>-style actions, are implemented as POST calls and therefore are logged, but the GET-based Logic App reads used here are not.) This does leave a blind spot for most of the actions we performed above. 
However, we can still take a look at authentication logs provided by Azure AD for detection opportunities.<\/p>\n<p>Using our Log Analytics Workspace, we can query for all authentication attempts performed by our service principal. Note that the <code>AADServicePrincipalSignInLogs<\/code> table is only populated if the tenant&#x27;s Azure AD diagnostic settings forward service principal sign-in logs to the workspace, so confirm that this is in place before relying on the query.<\/p>\n<pre><code class=\"language-kusto\">AADServicePrincipalSignInLogs\n| where AppId == &quot;&lt;Client ID&gt;&quot;<\/code><\/pre>\n<p>Useful information provided in each login event includes:<\/p>\n<ul>\n<li>Time;<\/li>\n<li>App ID;<\/li>\n<li>Service Principal Name;<\/li>\n<li>IP Address;<\/li>\n<li>Location Details.<\/li>\n<\/ul>\n<p>Considering how service principals are typically used, they usually perform predictable actions from a fixed set of source IP addresses and locations. A detection that baselines the expected source IP address and location per App ID and alerts on sign-ins from outside that baseline is therefore likely to be valuable; the sign-in from the attacker&#x27;s machine in this lab is exactly such an outlier.<\/p>\n<h2>Conclusion<\/h2>\n<p>In this lab, we used our previously-compromised credentials to gain access to our Azure lab and understand what permissions we have.<\/p>\n<p>We learnt that with read-only permissions, we can still read Azure Logic App Workflow definitions and that they can contain sensitive information. Discovering additional credentials, we escalated our privileges to gain the Contributor role over the same resource group.<\/p>\n<p>The majority of our actions were &quot;read&quot; operations, which are not logged by Azure Activity logs. 
As such we subsequently relied on the anomalous nature of our login event as a use case for detection.<\/p>\n<p>In the <a href=\"https:\/\/labs.withsecure.com\/blog\/attack-detection-fundamentals-2021-azure-lab-3\/\" target=\"_blank\" rel=\"noopener\">final lab<\/a>, we will look to be more stealthy as we access sensitive information in a virtual machine.<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this story                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/&#038;title=Attack%20Detection%20Fundamentals%202021:%20Azure%20&#8211;%20Lab%20#2\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Auf LinkedIn teilen\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Attack Detection Fundamentals 2021: Azure &#8211; Lab #2&#038;url=https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Auf X (Twitter) teilen\">\n            <svg class='edwp-icon 
  <\/div>\n                                    <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>In the previous lab, we used consent phishing as our initial access technique in order to compromise a victim&#8217;s user account and discovered service principal credentials. In this lab, we will walk through discovering &#8216;what&#8217; permissions are assigned to this account and leverage them to escalate our privileges.<\/p>\n","protected":false},"author":3,"featured_media":0,"template":"","categories":[310,384],"labs_content_type":[313],"class_list":["post-10482","lab_item","type-lab_item","status-publish","hentry","category-attack-detection","category-cloud-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"618\" height=\"440\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder.jpg 618w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-300x214.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-447x318.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/placeholder-205x146.jpg 205w\" sizes=\"auto, (max-width: 618px) 100vw, 618px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Attack Detection<\/span>\n                                            <span 
class=\"wp-component-card-insight__category\">Cloud Security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 class=\"wp-component-card-insight__title\">Attack Detection Fundamentals 2021: Azure &#8211; Lab #2<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">In the previous lab, we used consent phishing as our initial access technique in order to compromise a victim&#039;s user account and discovered service principal credentials. In this lab, we will walk through discovering &#039;what&#039; permissions are assigned to this account and leverage them to escalate our privileges.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/de\/ressourcen\/w-labs\/attack-detection-fundamentals-2021-azure-lab-2\/\">Mehr erfahren<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item\/10482","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/users\/3"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/media?parent=10482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/categories?post=10482"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/de\/wp-json\/wp\/v2\/labs_content_type?post=10482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
