Bhabesh

1K posts

@bh4b3sh

Cybersecurity Analyst | Detection Engineer | Threat Hunter #Microsoft365 #EntraID #Azure #Windows #AD #AWS #Kubernetes

Joined January 2020

514 Following, 457 Followers
Bhabesh reposted
Matt Zorich
Matt Zorich@reprise_99·
In real world incidents, we often see attackers compromise on-premises environments and then pivot into the cloud. We understand most large organizations, and even smaller ones, still have a significant on-premises identity footprint. To help you protect M365 from on-premises compromise we have written specific guidance to help you - learn.microsoft.com/en-us/entra/ar…
Bhabesh
Bhabesh@bh4b3sh·
Why is the appRoles empty when trying to list Service Principal info? Even servicePrincipals/{Id}/appRoleAssignedTo returns empty 🤔 Any help will be much appreciated. cc. @fabian_bader @NathanMcNulty
Bhabesh
Bhabesh@bh4b3sh·
@NathanMcNulty Great! And... still no SearchQueryInitiated* MS doing MS stuff.
Nathan McNulty
Nathan McNulty@NathanMcNulty·
@bh4b3sh I did a comparison of all the record types available vs the default set later in the thread, but here's the image. But the usefulness of some of these additional records is highly dependent on the incident, and likely more rare, which is probably why they aren't enabled by default.
Nathan McNulty
Nathan McNulty@NathanMcNulty·
You likely aren't collecting all available events to the Unified Audit Log. First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything). Retention is based on license...
Bhabesh reposted
blackorbird
blackorbird@blackorbird·
#Lazarus Operation Traffic sourced from DPRK IPs, masked via VPNs/proxies, routed through Oculus nodes (Hasan, Russia) to C2; multi-hop architecture ensures full-chain anonymity & evasion. securityscorecard.com/blog/operation…
blackorbird@blackorbird

#Lazarus via LinkedIn Operation blogs.jpcert.or.jp/ja/2025/01/ini… Operation 99: North Korea’s Cyber Assault on Software Developers securityscorecard.com/blog/operation…

Bhabesh
Bhabesh@bh4b3sh·
Just noticed, all the permissions from the Directory Synchronization Accounts role were replaced with a new one back in August👀 This locks down attack paths shown by @fabian_bader which could result in privesc to Global Admin by taking control of a privileged service principal
Bhabesh
Bhabesh@bh4b3sh·
Hey @_wald0, do you know if it is possible to access Exchange Online EWS activity log by customers? PS: What an excellent breakdown of the Microsoft breach with nice illustrations!
Andy Robbins@_wald0

In this blog post: ● My analysis of the Midnight Blizzard breach affecting Microsoft ● Step-by-step explanation of the attack path the adversary took ● Practical, free steps ANY Azure admin can take to protect themselves posts.specterops.io/microsoft-brea…

birdd
birdd@0xbirdd·
@bh4b3sh @fabian_bader MSFT also wrote about this and said they need to harden the sync account more, there's surely something up if you ask me. Personally I dislike SSPR to OnPremise since it opens up more holes than it does good - interestingly enough MSFT gives you + points on the Secure Score
Bhabesh
Bhabesh@bh4b3sh·
@reprise_99 Vendor: We don't need GA Blue Team: yay! Vendor: Give us RoleManagement.ReadWrite[.]Directory instead Blue Team: 😶
Matt Zorich
Matt Zorich@reprise_99·
The blue team when a vendor asks for their application to be added to domain and global admin
Bhabesh reposted
Adam Chester 🏴‍☠️
This hack is brilliant, APT28 hopping into a target environment over wifi by compromising neighbouring companies and finding a dual-homed host within range. volexity.com/blog/2024/11/2… And yet... they got caught doing this!
Bhabesh reposted
Kostas
Kostas@Kostastsale·
🚨EDR Telemetry website is live! 🥳 I hope this makes it even easier for folks to compare the telemetry of EDR vendors and visualize their visibility gaps 🙂 ‣ Website🔗edr-telemetry.com ‣ GitHub 🔗github.com/tsale/edr-tele… **Telemetry results reflect the most recent updates from the EDR Telemetry project.
Kostas@Kostastsale

I created the first draft of a website for the EDR telemetry project to help people quickly compare vendor telemetry visibility. What do you think about it? Are there any specific features you want to see for the website? Built with ChatGPT 4o with canvas (wanted to test it out😂) EDR Telemetry project 🔗: github.com/tsale/EDR-Tele…

Bhabesh
Bhabesh@bh4b3sh·
@fabian_bader @reprise_99 Thankfully I have it enabled. But the AccountDomain in IdentityInfo stores the DNSDomain and not the NTDomain (🪟), so it cannot be used in the join. That leaves me with only username and SID with the latter not present in select few EIDs like 4648, 4769, 4776, 4778, etc.
Fabian Bader
Fabian Bader@fabian_bader·
@bh4b3sh @reprise_99 If this is the case I would recommend to enable UEBA entity enrichment in Sentinel and use the IdentityInfo table to get the UPN and/or object ID
Bhabesh
Bhabesh@bh4b3sh·
Since Windows event logs lack user's UPN, Sentinel is creating two Account entities for the same user across Windows, O365 & Okta incidents. Is my conclusion correct? If yes then, one solution I think is enriching the 🪟 event logs to have UPN. cc. @fabian_bader @reprise_99
Fabian Bader
Fabian Bader@fabian_bader·
@bh4b3sh @reprise_99 Just to clarify, this is the result of two incidents that were correlated by XDR because Sentinel is onboarded to the unified xdr experience?
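The Sentinel thread above (Windows events carrying only sAMAccountName and, for some event IDs, no SID; the suggestion to enrich from the UEBA IdentityInfo table; and the observation that AccountDomain holds the DNS domain rather than the NetBIOS domain) can be turned into one enrichment query. The KQL below is an added example for this page, not code posted by anyone in the thread. It assumes the documented SecurityEvent and IdentityInfo column names (TargetUserSid, TargetUserName, AccountSID, AccountName, AccountUPN, AccountObjectId) and that UEBA is enabled so IdentityInfo is populated; the event IDs without a usable SID are the ones named in the thread (4648, 4769, 4776, 4778).

```kql
// Added example: resolve Windows Security events to an Entra UPN / object ID via
// Sentinel's UEBA IdentityInfo table, so Windows, O365 and Okta activity collapse
// onto one Account entity. Column names are assumed from the documented schemas.
let Identities = IdentityInfo
    | where TimeGenerated > ago(14d)
    | where isnotempty(AccountSID) and isnotempty(AccountUPN)
    // IdentityInfo is a periodic snapshot: keep only the newest row per SID
    | summarize arg_max(TimeGenerated, AccountUPN, AccountObjectId, AccountName, AccountDomain) by AccountSID;
let WinEvents = SecurityEvent
    | where TimeGenerated > ago(1d)
    | where EventID in (4624, 4648, 4769, 4776, 4778)
    | project TimeGenerated, EventID, Computer, TargetUserName, TargetUserSid;
// Path 1: events with a real domain SID (e.g. 4624) join on the SID, which is unambiguous.
let BySid = WinEvents
    | where TargetUserSid startswith "S-1-5-21-"
    | join kind=leftouter Identities on $left.TargetUserSid == $right.AccountSID
    | extend MatchType = "sid";
// Path 2: events without a usable SID (4648, 4769, 4776, 4778) fall back to the
// sAMAccountName. AccountDomain is the DNS domain, not the NetBIOS domain the event
// carries, so the join cannot be qualified by domain; a name present under more than
// one domain is therefore treated as ambiguous and left unenriched.
let NameIndex = Identities
    | extend NormalizedName = tolower(AccountName)
    | summarize Candidates = count(), AccountUPN = take_any(AccountUPN), AccountObjectId = take_any(AccountObjectId) by NormalizedName;
let ByName = WinEvents
    | where isempty(TargetUserSid) or TargetUserSid !startswith "S-1-5-21-"
    | extend NormalizedName = tolower(trim_end(@"\$", TargetUserName))   // strip trailing $ from machine accounts
    | join kind=leftouter NameIndex on NormalizedName
    | extend AccountUPN = iff(coalesce(Candidates, 0) > 1, "", AccountUPN),
             AccountObjectId = iff(coalesce(Candidates, 0) > 1, "", AccountObjectId),
             MatchType = iff(coalesce(Candidates, 0) > 1, "ambiguous-name", "name");
union BySid, ByName
| project TimeGenerated, EventID, Computer, TargetUserName, TargetUserSid, AccountUPN, AccountObjectId, MatchType
| order by TimeGenerated desc
```

The MatchType column is there so an analyst can see which rows were resolved by SID, which by name only, and which were deliberately left blank because the bare sAMAccountName matched more than one identity; feeding only the "sid" and "name" rows into an entity mapping keeps a mis-attributed UPN from being stamped on an incident.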