Azure AD Identity Protection [user identities] Compromised credentials (e.g. via phishing mail(s) or website compromise via hacking like SQL injection, see example below) that are available publicly (e.g. on the dark web or other public resources) are gathered and verified by Microsoft against the actual Azure AD credentials. If the username and the password hash…

What’s the story of the attack so we can all learn from it and how to protect (prevent) or detect the attack from happening. The attack The victim has a Microsoft tenant (Azure AD) with a pay-as-you-go Azure subscription with a Credit Card as payment method. The initial account who created the…

A few months ago an organization was hacked via a Raspberry Pi connected to the corporate network (hidden under a desk and connected to an ethernet port). The Raspberry Pi was accessed from the internet via a 4G modem and stayed unnoticed for several weeks until a cleaning lady discovered…

Consent (OAuth) phishing is another method (next to the well known credential phishing) that is getting more popular among bad actors. With consent phishing the end user gives consent to access an app (by the bad actor). App consent bypasses Conditional Access (e.g. Multi Factor Authentication) User app consent…

Introduction Indicators of Compromise (IOC) is called tactical TI in the form of ‘file hashes, IP-address(s) and/or URLs/Domains’ to detect anomalies and/or malicious behavior; e.g. use IOC’s when a 0-day is published and before the signature is included in the (Microsoft Defender for) AV detection.

Patient zero is the first device (or identity) that has been compromised, after the initial compromise, the attacker continues the attack, e.g. via (local & domain) privilege escalation and lateral movement to exfiltrate or destroy data (e.g. ransomware). It’s very important during a breach to connect the dots for the…

PetitPotam is a NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP Endpoints. If the following AD CA services are installed the Active Directory is vulnerable to the attack. See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information how to…

Microsoft Defender for Endpoint (MDE) is an integrated platform that provides Endpoint Protection Platform (EPP), Endpoint Detection Response (EDR) and Threat and Vulnerability Management (TVM) for endpoints. Microsoft Defender for Endpoint (MDE) is part of the Microsoft 365 Defender (M365D) ecosystem. The Endpoint discovery feature detects (agent-less where all MDE…

The Print spooler service on domain controller(s) is enabled by default since 2000. Any authenticated user can remotely connect to the print spooler service (owned by SYSTEM) and abuse the service if compromised and get access to the domain controller with ‘nt authority/system’ permissions. Microsoft Defender for Identity (MCAS) …