The Emoji Jailbreak exploits LLM tokenization. Emojis force dangerous words (like "B💣mb") to split into "safe" pieces, bypassing security filters, allowing the LLM to generate content it was explicitly supposed to refuse.
Join Moses Frost, Senior Consultant at Neuvik and author of SANS: SEC588, for a deep dive into AI, emergent risks, and the techniques involved in defending against them.
Even in Okta or Google-managed orgs, Azure AD often still handles device joins or Graph access. Red Teams exploit this bridge using token replay or device joins to escalate across trust boundaries. Used in hybrid assessments to bridge environments.
Tools like ScoutSuite, CloudFox, and TokenTactics are used early in engagements. These tools surface misconfigs and identity gaps. Used to build initial situational awareness.
JWTs issued by Azure or AWS contain critical claims (scp, azp, upn). Red Teams can decode tokens using jwt.ms to map what the token can access. We use this to find overly-permissive scopes and escalate privileges.
6️⃣ Microsoft Graph as a Post-Exploitation Toolkit
After access is granted, red teamers use Graph to: 🔎 Search inboxes for creds 📂 Download attachments 🗂️ List files from OneDrive 🗓️ Read calendar entries
It’s quiet, credentialed access and perfect for stealthy data exfil.
On-prem recon uses Nmap. In cloud, we query APIs like AWS CLI or Azure Graph, enumerating services, IAM roles, storage buckets via credentialed API calls, not noisy scans.
Understanding control vs. data plane is foundational in cloud pentesting. It’s how offensive teams turn a single console foothold into full data compromise. Master this and you’ll see how attackers really pivot in your cloud.
Attackers with control plane access snapshot storage volumes, extract them offline, and dump LSASS. This sidesteps EDRs, since everything happens outside the monitored runtime.
In VMware, vCenter is the control plane, and VMs are the data plane. In AWS, the management console/API is the control plane, while EC2 or S3 make up the data plane.
