What’s the story of the attack so we can all learn from it and how to protect (prevent) or detect the attack from happening.
The victim has a Microsoft tenant (Azure AD) with a pay-as-you-go Azure subscription with a Credit Card as payment method. The initial account who created the…
A few months ago an organization was hacked via a Raspberry Pi connected to the corporate network (hidden under a desk and connected to an ethernet port). The Raspberry Pi was accessed from the internet via a 4G modem and stayed unnoticed for several weeks until a cleaning lady discovered…
Consent (OAuth) phishing is another method (next to the well known credential phishing) that is getting more popular among bad actors. With consent phishing the end user gives consent to access an app (by the bad actor).
App consent bypasses Conditional Access (e.g. Multi Factor Authentication)
User app consent is…
Indicators of Compromise (IOC) is called tactical TI in the form of ‘file hashes, IP-address(s) and/or URLs/Domains’ to detect anomalies and/or malicious behavior;
e.g. use IOC’s when a 0-day is published and before the signature is included in the (Microsoft Defender for) AV detection.
Patient zero is the first device (or identity) that has been compromised, after the initial compromise, the attacker continues the attack, e.g. via (local & domain) privilege escalation and lateral movement to exfiltrate or destroy data (e.g. ransomware).
It’s very important during a breach to connect the dots for the…
PetitPotam is a NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP Endpoints. If the following AD CA services are installed the Active Directory is vulnerable to the attack.
See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information how to mitigate.
…
Microsoft Defender for Endpoint (MDE) is an integrated platform that provides Endpoint Protection Platform (EPP), Endpoint Detection Response (EDR) and Threat and Vulnerability Management (TVM) for endpoints.
Microsoft Defender for Endpoint (MDE) is part of the Microsoft 365 Defender (M365D) ecosystem.
The Endpoint discovery feature detects (agent-less where all MDE…
The Print spooler service on domain controller(s) is enabled by default since 2000. Any authenticated user can remotely connect to the print spooler service (owned by SYSTEM) and abuse the service if compromised and get access to the domain controller with ‘nt authority/system’ permissions.
This blog is a high level overview of Microsoft Defender for IoT and the integration with Azure Sentinel.
IT (Information Technology) is secure by default (at least it should be) and internet connected. …
Active Directory lateral movement attack(s) via MimiKatz (e.g. pass-the-hash, pass-the-ticket, etc.) via domain-joined machines are detected by Microsoft Defender for Identity (MDI).
Please Microsoft: rebrand MDI to MDAD (Microsoft Defender for Active Directory) so people don’t get confused Azure AD is not in-scope of the detection.
MimiKatz (version 2.2.0 and…
