Derk van der Woude
1 hour ago

Introduction into Microsoft Defender EASM (External Attack Surface Management)

Microsoft Defender EASM (External Attack Surface Management) is a new product in the Microsoft Defender family that provides an external, multi-cloud (SaaS, PaaS and IaaS/on-premises) view of the attack surface of an organization's online (internet-exposed) assets, both known and unknown. The following assets are available in Microsoft Defender EASM: Domains (e.g. contoso.org)…

5 min read


Aug 2

Microsoft Entra Verified ID sample setup and deployment

Microsoft Entra is the (new) Microsoft multicloud Identity & Access portal that gives access to: Azure Active Directory (Azure AD), the Microsoft cloud Identity & Access Management solution; Microsoft Entra Permissions Management, the Microsoft CIEM (Cloud Infrastructure Entitlement Management) solution for Azure, AWS and GCP; and Microsoft Entra Verified ID, the…

7 min read


May 18

Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management (MDVM) is a standalone product or an add-on to Microsoft Defender for Endpoint P2 (Microsoft 365 E5 ‘Security’) Threat and Vulnerability Management (TVM). This document describes the Microsoft Defender Vulnerability Management add-on features (future Microsoft 365 E7 license?? :-))

4 min read


Apr 6

Leaked credentials for Workload identities

Azure AD Identity Protection [user identities]: compromised credentials (e.g. obtained via phishing mails or a website compromise such as SQL injection, see example below) that are publicly available (e.g. on the dark web or other public resources) are gathered by Microsoft and verified against the actual Azure AD credentials. If the username and the password hash is…

4 min read


Jan 13

Azure subscription hijacking and cryptomining

What’s the story of the attack, so we can all learn from it, and how can we protect against (prevent) or detect the attack? The attack: the victim has a Microsoft tenant (Azure AD) with a pay-as-you-go Azure subscription with a credit card as payment method. The initial account who created the…

8 min read


Dec 7, 2021

MDE Enterprise IoT

A few months ago an organization was hacked via a Raspberry Pi connected to the corporate network (hidden under a desk and connected to an ethernet port). The Raspberry Pi was accessed from the internet via a 4G modem and stayed unnoticed for several weeks until a cleaning lady discovered…

3 min read


Nov 17, 2021

Consent (OAuth) phishing…from attack to detect to prevent with Microsoft Defender for Cloud Apps

Consent (OAuth) phishing is another method (next to the well-known credential phishing) that is becoming more popular among bad actors. With consent phishing the end user grants an app (registered by the bad actor) consent to access their data. App consent bypasses Conditional Access (e.g. Multi Factor Authentication). User app consent is…

3 min read


Nov 16, 2021

TI (Threat Intelligence) in Microsoft Sentinel high level overview

Introduction: Indicators of Compromise (IOCs) are called tactical TI, in the form of file hashes, IP addresses and/or URLs/domains, used to detect anomalies and/or malicious behavior; e.g. use IOCs when a 0-day is published and before the signature is included in the (Microsoft Defender) AV detection.

5 min read


Sep 6, 2021

Microsoft 365 Defender XDR and Azure Sentinel Fusion attack and detection example

Patient zero is the first device (or identity) that has been compromised. After the initial compromise, the attacker continues the attack, e.g. via (local and domain) privilege escalation and lateral movement, to exfiltrate or destroy data (e.g. ransomware). It’s very important during a breach to connect the dots for the…

4 min read


Aug 10, 2021

PetitPotam…from attack to detection via Microsoft Defender for Identity (MDI)

PetitPotam is an NTLM relay attack on Active Directory Certificate Services (AD CS) HTTP endpoints. If the following AD CS services are installed, the Active Directory is vulnerable to the attack. See KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) for more information on how to mitigate. The attack …

5 min read

Chief Technology Officer @ Nedscaper