Steven Meow currently serves as a Red Team Cyber Threat Researcher at Trend Micro. He holds numerous professional certifications, including OSEP, OSWE, OSCP, CRTP, CARTP, CESP-ADCS, LTP, CPENT, and GCP ACE. Steven has previously presented at events such as Japan Security BSides, HITCON Bounty House, and CYBERSEC. He has disclosed CVE vulnerabilities in products from major companies such as VMware, D-Link, and Zyxel. His expertise spans red team exercises, web security, IoT, and meow-related fields.
The most important iron rule when using cloud platforms, SaaS platforms, and CI/CD platforms is the Principle of Least Privilege (PoLP). We tend to believe that by granting the minimal set of privileges possible, we can ensure the security of the system. But is this really the case? This session presents an intriguing case study in which misuse of the GitHub Actions API led to privilege escalation, hijacking of the CI/CD process, and tampering with the repository. In this instance, even though the developers strictly followed the permission settings recommended in the official documentation, in line with the Principle of Least Privilege, the result was still an exploitable vulnerability that compromised the website.
In this session, we will delve into the core differences between Active Directory and Azure Active Directory (Entra ID), and reveal the cybersecurity threats inherent in Azure and Entra ID. We will take a red team perspective to analyze the potential risks associated with Entra ID and demonstrate, through practical examples, how specific tools are used for enumeration and exploitation, exfiltration techniques, and even methods to bypass 2FA. Moreover, we will elaborate on lateral movement in Hybrid Identity attack techniques, both from on-premises to the cloud and from the cloud back to the on-premises Active Directory, covering techniques such as Password Hash Sync, Pass-Through Authentication, and AD Federation Golden SAML.