Microsoft Entra is the (new) Microsoft multicloud Identity & Access portal to access: Azure (AD) Active Directory is the Microsoft Cloud Identity & Access Management solution Microsoft Entra Permissions Management is the Microsoft CIEM: Cloud Infrastructure (Azure AWS & GCP) Entitlement Management solution Microsoft Entra Verified ID is the…

Microsoft Defender Vulnerability Management (MDVM)is a standalone product or add-on to Microsoft Defender for Endpoint P2 (Microsoft 365 E5 ‘Security’) Threat and Vulnerability Management (TVM). This document describes the Microsoft Defender Vulnerability Management add-on features (future Microsoft 365 E7 license ?? :-))

Azure AD Identity Protection [user identities] Compromised credentials (e.g. via phishing mail(s) or website compromise via hacking like SQL injection, see example below) that are available publicly (e.g. on the dark web or other public resources) are gathered and verified by Microsoft against the actual Azure AD credentials. If the username and the password hash is…

What’s the story of the attack so we can all learn from it and how to protect (prevent) or detect the attack from happening. The attack The victim has a Microsoft tenant (Azure AD) with a pay-as-you-go Azure subscription with a Credit Card as payment method. The initial account who created the…

A few months ago an organization was hacked via a Raspberry Pi connected to the corporate network (hidden under a desk and connected to an ethernet port). The Raspberry Pi was accessed from the internet via a 4G modem and stayed unnoticed for several weeks until a cleaning lady discovered…

Consent (OAuth) phishing is another method (next to the well known credential phishing) that is getting more popular among bad actors. With consent phishing the end user gives consent to access an app (by the bad actor). App consent bypasses Conditional Access (e.g. Multi Factor Authentication) User app consent is…

Introduction Indicators of Compromise (IOC) is called tactical TI in the form of ‘file hashes, IP-address(s) and/or URLs/Domains’ to detect anomalies and/or malicious behavior; e.g. use IOC’s when a 0-day is published and before the signature is included in the (Microsoft Defender for) AV detection.

Patient zero is the first device (or identity) that has been compromised, after the initial compromise, the attacker continues the attack, e.g. via (local & domain) privilege escalation and lateral movement to exfiltrate or destroy data (e.g. ransomware). It’s very important during a breach to connect the dots for the…

PetitPotam is a NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP Endpoints. If the following AD CA services are installed the Active Directory is vulnerable to the attack. See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information how to mitigate. The attack …