Rogier Dijkman azurekid

:octocat:
Coding
View GitHub Profile

Foreword

How I Went from Fixing Copiers to Breaking Into Clouds

You know that moment when you realize your career has taken a completely unexpected turn? Mine came when I was sitting in a boardroom at a major insurance company, explaining to executives why their "secure" Azure environment could be compromised in about fifteen minutes. The silence was deafening.

My journey here wasn't linear. I started fixing copiers at Xerox and Ricoh—yeah, those massive machines that somehow always jammed during important presentations. From there, I bounced through Software Development, became a SharePoint Consultant (which prepared me for dealing with impossible problems), worked as an architect, and eventually found myself as a Cloud Security Architect and Security Researcher.

The thing is, every role taught me something different about how organizations really work versus how they think they work. When you're the guy fixing the printer, you see how people actually handle security badges and passwords. When you'r

azurekid / Get-WifiProfiles.ps1
Last active May 9, 2025 08:24
This function can be used to quickly retrieve all stored WiFi passwords on a Windows device
<#
.SYNOPSIS
Retrieves stored WiFi profiles and their associated passwords from the local computer.
.DESCRIPTION
This function uses netsh commands to extract all saved WiFi profiles and their details including passwords (if available), authentication methods, and connection modes. It processes profiles in parallel for improved performance.
.OUTPUTS
System.Object[]
Returns an array of custom objects containing the following properties:

let lookback = 1d;
let DeviceList =
    DeviceInfo
    | where
        Timestamp >= ago(lookback)
        // and MachineGroup contains "ATOS"
        // and MachineGroup contains "AZURE"
        // and MachineGroup contains "OGD"
        and MachineGroup !contains "OGD"
    | distinct DeviceName

let lookback = 7d;
let DeviceList =
    DeviceInfo
    | where MachineGroup contains "Azure"
    | where Timestamp >= ago(lookback)
    | distinct DeviceName
;
let ScanInformation =
    DeviceEvents
    | where

Automating GitHub Organization Membership Requests with GitHub Actions

Managing membership requests for a GitHub organization can be a time-consuming task, especially for larger organizations. In this article, we will walk through a solution that leverages GitHub Actions to automate the process of adding new members to a GitHub organization. By using an issue template and a GitHub Actions workflow, we can streamline the membership request process and reduce manual work.

Introduction

GitHub Actions is a powerful tool for automating various tasks within your repository, including CI/CD pipelines, issue management, and more. One of the less common but highly useful applications of GitHub Actions is automating the management of organization memberships. This can be particularly beneficial for organizations with a large number of members or frequent membership changes.

Why Automate Membership Requests?

azurekid / load-capacities.ps1
Created January 21, 2025 13:12
Security Copilot
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
Invoke-WebRequest -UseBasicParsing -Uri "https://api.securityplatform.microsoft.com/account/capacities?api-version=2023-12-01-preview" `
-WebSession $session `
-Headers @{
"authority"="api.securityplatform.microsoft.com"
"method"="GET"
"path"="/account/capacities?api-version=2023-12-01-preview"
"scheme"="https"
"accept"="application/json"

Detecting fasthttp Brute Force Attacks: A Comprehensive Guide

Introduction

In recent times, the fasthttp library has been leveraged in a new brute force campaign targeting Azure Active Directory (AAD) accounts. This high-performance HTTP server and client library for the Go programming language is designed to handle HTTP requests more efficiently than Go’s standard net/http package. However, its capabilities have been exploited by malicious actors to gain unauthorized access to accounts through brute-force login attempts and spamming multi-factor authentication (MFA) requests [1].

In this blog post, we will explore how to detect such brute force attacks using Kusto Query Language (KQL) in Microsoft Defender. We will provide a detailed KQL query to help identify suspicious login attempts that may indicate a brute force attack.

Understanding the Threat

Calculating the First Monday of a Given Week in Kusto Query Language (KQL)

Hey KQL heroes! 🌟 If you’ve ever had to wrestle with dates and weeks in your analysis, you’ll know it can be quite a challenge. But worry not, because today we’re diving into a nifty Kusto Query Language (KQL) script that will make calculating the first Monday of any given week a breeze. Ready to uncover some KQL magic? Let’s get started!

A Quick Peek at Our KQL Script

Before we jump into the code, let’s break down what we’re aiming to do. This script will help you find the first Monday of a specified week in a year. Imagine the power of pinpointing exact dates for all your planning, scheduling, and analytical needs!

The Variables in Play

azurekid / Get-PrivilegedRoles.ps1
Created November 13, 2024 14:55
Privileged roles based on permissions
# $token.token must hold a Microsoft Graph access token.
$secureToken = $token.token | ConvertTo-SecureString -AsPlainText -Force
# Resource actions that are flagged as privileged
$permissions = Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?$filter=isPrivileged eq true' -Authentication Bearer -Token $secureToken
$roles = Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions' -Authentication Bearer -Token $secureToken
# Collect every role that allows at least one privileged action
$prived = @()
foreach ($role in $roles.value) {
    foreach ($value in $permissions.value.name) {
        if ($value -in $role.rolePermissions.allowedResourceActions) {
            $prived += $role.displayName
        }
    }
}
# De-duplicate once at the end; sorting a single name inside the loop removed nothing
$prived = $prived | Sort-Object -Unique

azurekid / permissions.txt
Created November 13, 2024 14:49
Privileged Entra permissions used in roles
microsoft.directory/applications.myOrganization/allProperties/update
microsoft.directory/applications.myOrganization/credentials/update
microsoft.directory/applications/allProperties/allTasks
microsoft.directory/applications/allProperties/update
microsoft.directory/applications/credentials/update
microsoft.directory/authorizationPolicy/allProperties/allTasks
microsoft.directory/authorizationPolicy/guestUserSettings/update
microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks
microsoft.directory/bitlockerKeys/key/read
microsoft.directory/customAuthenticationExtensions/allProperties/allTasks