Patient zero is the first device (or identity) that has been compromised. After the initial compromise, the attacker continues the attack, e.g. via (local and domain) privilege escalation and lateral movement, in order to exfiltrate or destroy data (e.g. ransomware).

It’s very important during a breach to connect the dots for the RCA (Root Cause Analysis). With the Microsoft Security tooling, different alerts can be correlated into incidents, initially per source (e.g. device) and then across multiple sources (e.g. identity and device).

Multi-source attack

An example of a multi-source (staged) attack is the Microsoft PowerShell command below, which leverages Microsoft Defender for Endpoint (MDE) and Microsoft Defender…


PetitPotam is an NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP endpoints. If the following AD CS services are installed, the Active Directory is vulnerable to the attack.

See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information on how to mitigate it.

The attack

My lab setup for the attack is shown below.


Microsoft Defender for Endpoint (MDE) is an integrated platform that provides Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR) and Threat and Vulnerability Management (TVM) capabilities for endpoints.

Microsoft Defender for Endpoint (MDE) is part of the Microsoft 365 Defender (M365D) ecosystem.

The Endpoint discovery feature detects unprotected devices (Windows, Mac, iOS and Android) connected to the corporate network. It is agentless: every MDE-onboarded device can act as a probe. More info is available at Microsoft 365 — Endpoint Discovery | by Derk van der Woude | Medium

Network device discovery is the second discovery feature, which detects network devices (routers, switches and…


The Print Spooler service on domain controllers has been enabled by default since 2000. Any authenticated user can remotely connect to the Print Spooler service (which runs as SYSTEM); if the service is compromised, the attacker gains access to the domain controller with ‘nt authority\system’ permissions.

Microsoft Defender for Identity & Microsoft Cloud App Security (MCAS) - Identity Security Posture
Microsoft Defender for Identity (as the data source) and Microsoft Cloud App Security (as the UI) have warned customers since September 2020 that the Print Spooler should be disabled on domain controllers (vulnerability management).


This blog is a high level overview of Microsoft Defender for IoT and the integration with Azure Sentinel.

IT (Information Technology) is secure by default (at least it should be) and internet-connected. OT (Operational Technology) is the opposite: it’s often Old Technology designed with availability in mind rather than security, which is why it sits on an isolated network.

IoT (Internet of Things) is invading our corporate and home networks, which increases the network exposure. These devices are often built with security in mind, but not always with vulnerability management in mind (even if you use a complex password on an IoT device, how often is the device…


Active Directory lateral movement attacks using Mimikatz (e.g. pass-the-hash, pass-the-ticket, etc.) from domain-joined machines are detected by Microsoft Defender for Identity (MDI).

Please Microsoft: rebrand MDI to MDAD (Microsoft Defender for Active Directory) so people don’t get confused; Azure AD is not in scope of the detection.

Mimikatz (version 2.2.0 and above) can be used for lateral movement attacks against (hybrid) Azure AD joined machines via the Primary Refresh Token (PRT), which is used for Azure AD SSO (single sign-on).

The lifetime of a Primary Refresh Token is 14 days!

The attack

First we need to verify if the computer is (hybrid)…


Password spraying is an attack method designed to fly under the radar of security detection systems.

A password spray attack uses one commonly used password against a large number of different accounts (e.g. Summer2021!). A brute force attack uses many passwords against one account (often the admin account); this attack is easily detected by security detection systems.

The attack

We are using Office 365 creeper to validate whether an e-mail address exists in Office 365 (Azure AD). We create an <input.txt> file with usernames (e.g. extracted from LinkedIn if you know the format, such as firstname.lastname@domain.com).

Verification of valid e-mail addresses


Microsoft Defender for Endpoint (MDE) is an integrated platform that provides Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR) and Threat and Vulnerability Management (TVM) capabilities for endpoints.

Microsoft Defender for Endpoint is part of the Microsoft 365 Defender ecosystem.

All common enterprise operating systems are supported: desktop (Mac and Windows), server (Windows and Linux) and mobile (Android and iOS).

MDE protects managed endpoints by detecting (and responding to) advanced attacks such as zero-days or fileless attacks. …


Web applications are connected to the internet 24x7 and attacked continuously.

It is very important to protect web applications against different types of attacks (prevention is better than cure), but no security baseline can prevent 100% of breaches, so it is also important to detect and respond to attacks that bypass the protection layer.


Azure WAF (Web Application Firewall) provides protection for web applications (IaaS, PaaS or on-premises) from common attacks (OWASP Top 10) like SQL injection and XSS (Cross-site scripting).

Azure WAF can be used on Azure Front Door and/or Azure Application Gateway; in our example we use Azure Application Gateway (the simpler setup).

Setup

In this setup we use DVWA (Damn Vulnerable Web Application), running on a VM in Azure IaaS, as the vulnerable web server in our backend pool (the target); another option is Juice Shop. Azure Application Gateway provides (layer 7) load balancing.

Azure WAF monitoring can be done via:
- Azure Monitor
- Azure Security Center…

Derk van der Woude

Chief Technology Officer @ Nedscaper
