Doug Bienstock

483 posts

Doug Bienstock

@doughsec

IR Leader @Mandiant. Hacking things and responding to things being hacked. Opinions my own

参加日 Şubat 2018

111 フォロー中2.5K フォロワー

固定されたツイート

Doug Bienstock@doughsec·27 Nis

🚨🚨 New technique to steal AD FS secrets over the network. Defenders need to block internal traffic to AD FS servers over port 80 now! Read more: fireeye.com/blog/threat-re… shoutout to @DrAzureAD who had the same though to look into AD FS replication and all his great work! 1/3

English

258

518

Doug Bienstock@doughsec·30 Tem

What is old is new again. Very cool work from @TrustedSec team! Highlights the importance of understanding what a vendor means when they use the word “patch”

GIF

TrustedSec@TrustedSec

Today, TrustedSec is releasing #Specula (our previously internal framework) into the world, which will transform the Outlook email client into a beaconing C2 agent. @oddvarmoe and @freefirex2 walk through how to use Specula in our latest blog! hubs.la/Q02JfFFN0

English

527

Doug Bienstock@doughsec·23 May

@NathanMcNulty Also to make sure these events can actually be retrieved from the purview portal, api, or PoSH you need to toggle auditing off and then back on for all mailboxes!

English

771

Nathan McNulty@NathanMcNulty·22 May

Fortunately, I have written a script that will ensure all mailboxes have all available auditing enabled, but note you will see errors on shared/resource mailboxes without licenses I try to keep it up to date in GitHub here: github.com/nathanmcnulty/… x.com/NathanMcNulty/…

Nathan McNulty@NathanMcNulty

#Requires ExchangeOnlineManagement # Connect to Exchange Online Connect-ExchangeOnline # Enable all advanced auditing (Get-Mailbox -ResultSize Unlimited -Filter { RecipientType -eq "UserMailbox" -and RecipientTypeDetails -ne "DiscoveryMailbox"}).PrimarySmtpAddress | ForEach-Object { Write-Output $_ Set-Mailbox -Identity $_ -AuditEnabled $true -AuditLogAgeLimit 365 -AuditAdmin @{add='Update, Copy, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create, UpdateFolderPermissions, AddFolderPermissions, ModifyFolderPermissions, RemoveFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation, RecordDelete, ApplyRecord, MailItemsAccessed, UpdateComplianceTag, Send, AttachmentAccess, PriorityCleanupDelete, ApplyPriorityCleanup'} -AuditDelegate @{add='Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, FolderBind, SendAs, SendOnBehalf, Create, UpdateFolderPermissions, AddFolderPermissions, ModifyFolderPermissions, RemoveFolderPermissions, UpdateInboxRules, RecordDelete, ApplyRecord, MailItemsAccessed, UpdateComplianceTag, AttachmentAccess, PriorityCleanupDelete, ApplyPriorityCleanup'} -AuditOwner @{add='Update, Move, MoveToDeletedItems, SoftDelete, HardDelete, Create, MailboxLogin, UpdateFolderPermissions, AddFolderPermissions, ModifyFolderPermissions, RemoveFolderPermissions, UpdateInboxRules, UpdateCalendarDelegation, RecordDelete, ApplyRecord, MailItemsAccessed, UpdateComplianceTag, Send, SearchQueryInitiated, AttachmentAccess, PriorityCleanupDelete, ApplyPriorityCleanup'} }

English

3.9K

Doug Bienstock@doughsec·22 May

Great news for DFIR 🕵️ Except! These logs won’t be searchable from the Unified Audit Log for E3 licensees unless you manually toggle auditing for every mailbox in your tenant… 💀🤦🏽‍♂️ @Microsoft365 likes to make things difficult #search-for-mailbox-activities-performed-by-users-with-non-e5-licenses" target="_blank" rel="nofollow noopener">learn.microsoft.com/en-us/purview/… #DFIR

Matt Zorich@reprise_99

For those who were waiting for the additional logging and events to be available in the standard audit logging in Microsoft 365, like MailItemsAccessed, they should be available now in public preview for you - techcommunity.microsoft.com/t5/security-co…

English

Doug Bienstock@doughsec·19 May

@ZephrFish Nice one!

English

155

Andy Gill@ZephrFish·19 May

I've ported #ADFSDump to PowerShell (github.com/ZephrFish/ADFS…), but I can't take credit for @doughsec's original work.

English

5.8K

Doug Bienstock@doughsec·15 Nis

Anyone have resources or insights into Windows code integrity driver.stl file? I’m trying to parse it… 🕵️ #DFIR #Windows

English

1.1K

Doug Bienstock@doughsec·8 Nis

@KorstiaanS @Microsoft365 Ah nice thanks! Interesting in your tests the graph API while consistent returned fewer results than the old method 🙃

English

Korstiaan@KorstiaanS·8 Nis

@doughsec @Microsoft365 We wrote a blog about it and it's part of the extractor suite: invictus-ir.com/news/using-mic…

English

140

Doug Bienstock@doughsec·8 Nis

Audit log query graph API for @Microsoft365 rolling out in May. Has anyone found the actual documentation for the new API? Asking for a friend 💀#m365 #DFIR

English

2.8K

Doug Bienstock@doughsec·26 Mar

@DrAzureAD I thought it was mostly gone and now am being punished for that thought with an IR where attacker stole the ADFS signing key and is doing golden SAML 😀

English

1.2K

Dr. Nestori Syynimaa@DrAzureAD·26 Mar

Thought of the day: I hate ADFS.

English

119

50.8K

Doug Bienstock@doughsec·22 Mar

@DrAzureAD @_xpn_ @BakedSec @_dirkjan @_wald0 @PyroTek3 @gentilkiwi @samilaiho @jvesiluoma An amazing crew of incredibly accomplished people to be included with, thank you! Your work has inspired me on many occasions excited to see what you do at msft

English

180

Dr. Nestori Syynimaa@DrAzureAD·22 Mar

A couple of names (not in any particular order) whose research and example inspired me to jump full-time to #infosec: @_xpn_ @doughsec @BakedSec @_dirkjan @_wald0 @PyroTek3 @gentilkiwi @samilaiho @jvesiluoma

English

7.3K

Doug Bienstock@doughsec·15 Mar

@_dirkjan This is a huge step back for the security community. I know many who use the developer tenant to stay up to date on security features and hone their skills investigating and securing m365

English

270

Dirk-jan@_dirkjan·14 Mar

I've always recommend the free Microsoft 365 developer subscription as a great way to learn. Having it locked behind a 600 EUR to 3k EUR minimum cost is going to hurt Identity Security learning capabilities for everyone. Very sad to see it like this. devblogs.microsoft.com/microsoft365de…

English

122

20.5K

Doug Bienstock がリツイート

PIVOTcon@pivot_con·6 Mar

"Microsoft Signed my Malware" Doug Bienstock (@JWilsonSecurity), Mandiant Jared Wilson (@doughsec) , Mandiant Barry Vengerik (@BarryV), Mandiant 14/15

English

2.5K

Doug Bienstock@doughsec·16 Ara

@cbecks_2 Try again I think it works

English

Chris Beckett@cbecks_2·15 Ara

@doughsec Thank you! Your DMs are closed.

English

Mandiant (part of Google Cloud)@Mandiant·14 Ara

Listen to the recent #DefendersAdvantage podcast with @doughsec and @MadeleyJosh sharing the trends they’ve experienced when responding to breaches in 2023. Check out their episode here: spoti.fi/3TmbnVe #ThreatIntelligence

English

4.4K

Doug Bienstock@doughsec·15 Ara

@reprise_99 Are IP addresses for cross tenant access still redacted? It breaks just about everything 😬😬

English

687

Matt Zorich@reprise_99·15 Ara

Microsoft has seen an uptick in organizations having their M365 & Microsoft Entra ID tenants compromised as a result of supply chain compromise of a partner. We put together some guidance on using the Unified Audit Log as part of these investigations - techcommunity.microsoft.com/t5/microsoft-s…

English

112

369

41K

Doug Bienstock@doughsec·15 Ara

@cbecks_2 @Mandiant @MadeleyJosh Fire away

English

115

Chris Beckett@cbecks_2·15 Ara

@Mandiant @MadeleyJosh @doughsec @MadeleyJosh @doughsec Hey Gents - Don't suppose either of you would mind opening your DMs so that I can ask a follow up question on something mentioned here? I'd appreciate it!

English

Doug Bienstock@doughsec·8 Kas

@SebastianWalla @_dirkjan @joslieben This is the doc I tend to use to identify what Microsoft considers “first party” learn.microsoft.com/en-us/troubles…

English

Sebastian Walla@SebastianWalla·8 Kas

@_dirkjan @joslieben What kind of security mechanism are you thinking of? I tried assigning password credentials to preexisting service principals a few weeks ago and the assignment worked fine (I.e. triggering a "Add service principal credentials" event). I haven't tried to actually use them though.

English

Doug Bienstock@doughsec·19 Eki

🚨 NetScaler vulnerability CVE-2023-4966 is being actively exploited. It can lead to VDI session hijacking, including MFA bypass. There are no logs on the appliance to monitor for exploitation. Upgrade now and investigate your environment! mandiant.com/resources/blog… #DFIR

English

7.5K

Doug Bienstock@doughsec·15 Ağu

@ZawadiDone We don’t use bash often but for Unix systems it is often the most convenient and consistent

English

Doug Bienstock@doughsec·15 Ağu

Today we launched a 🔎 scanning tool for orgs to search their Citrix netscalers for evidence of CVE-2023-3519 post-exploration. You can run this direct on the ADC or against a forensic image. With public POCs out there expect more exploitation! mandiant.com/resources/blog… #DFIR

English

8.4K

Doug Bienstock@doughsec·15 Ağu

@shotgunner101 Seems like there are some intermittent caching issues - direct link to the tool; github.com/mandiant/citri…

English

Dodge This Security@shotgunner101·15 Ağu

@doughsec Blog post doesn't load 😬

English

155

Doug Bienstock@doughsec·30 May

Turns out most of the documentation references a legacy APi endpoint that doesn’t work 🙄 the “tenant” URL should not be used

English

349

Doug Bienstock@doughsec·29 May

😡 Is it me or is the @msftsecurity Defender for Cloud Apps API completely broken? Documentation is wrong, api behaves erratically.. ignores filters doesn’t page, etc #dfir #Microsoft365 #cloudsecurity

English

760

ディスカバー

@TrustedSec @NathanMcNulty @Microsoft365 @ZephrFish @KorstiaanS @DrAzureAD @_xpn_ @BakedSec