Ethan 🇺🇦
@ethanadoor
100 posts
infosec, liberalism, memes about either
Joined December 2012
585 Following · 38 Followers

Martin H. | MVP @mozzeph
I updated my blog about Entra ID App Registrations vs Service Principals. It was only a couple of months ago that I learned that with Graph API, it's possible to add credentials directly to service principals and that they never show up in Entra Portal except in audit log. heusser.pro/p/whats-the-di… (anchor: #update-19042026)

Ethan 🇺🇦 @ethanadoor
@reprise_99 ...and Managed Identities are a different form of Service Principal in a single tenant but you actually don't see the matching Application object because it's managed by Microsoft...and Service Principals can have roles like users, but you can't see them in Entra easily...and...

Matt Zorich @reprise_99
So applications can be multi tenant or single tenant and have either delegated or administrative permissions and sometimes we call them service principals but there’s actually a difference between an application and a service principal

Jason, @jasonc_nc
@JeremiahDJohns They’re also exempt from state and local income taxes. With no cap.

Ethan 🇺🇦 retweeted
TrustedSec @TrustedSec
Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0

Joe @JoePostingg
I think I would have handled the cyber attack better than the IT workers in The Pitt.

Ethan 🇺🇦 @ethanadoor
@IAMERICAbooted When I got a demo from Microsoft of security copilot, it searched for an ActionType that does not exist. Syntax was right though! It’s Microsoft’s fault because many of the ActionTypes are not publicly listed online.

EZ @IAMERICAbooted
Why is it that Microsofts own Enterprise bot cannot write a functional KQL query for Advanced Hunting?

Ethan 🇺🇦 @ethanadoor
@Cyb3rMonk Based on Wireshark + ConnectionSuccess comparisons, I see many non-ECH with blank RemoteUrl, so it's not only ECH. Another thing I wonder about is why some events get duplicated and seem to follow a different value pattern. Here the same connection is logged twice, with different values.

Mehmet Ergene @Cyb3rMonk
@ethanadoor Didn't check for the same website since I only see the IP. I'm also suspecting TLS ECH.

Mehmet Ergene @Cyb3rMonk
I'm quite obsessed with the DeviceNetworkEvents table in Defender nowadays. It's one of the most powerful telemetry sources and there is too much weird stuff going on in that table. Maybe I could post a short blog 🤔

Ethan 🇺🇦 @ethanadoor
@Cyb3rMonk Do you see it consistently for the same website or connection? Like one event has it for site 1 and another for site 1 does not? Or is it that no events for the site have it? I believe, but still need to test, TLS ECH could result in an empty value for RemoteUrl.

Mehmet Ergene @Cyb3rMonk
@ethanadoor Good insights! I was looking into the internet connections where RemoteUrl is empty, which shouldn't happen with real-time protection and network security enabled.
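
The exchange above is about DeviceNetworkEvents rows where RemoteUrl is empty even though the connection succeeded. The following Advanced Hunting query is an added example, not code from either participant, for pulling those rows out for review. It assumes the documented Defender XDR DeviceNetworkEvents schema (ActionType, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, DeviceId) and the built-in ipv4_is_private / ipv4_is_in_range functions; the 7-day window and the port filter are arbitrary choices for the example.

```kusto
// Added example: surface successful outbound web connections that Defender
// recorded without a RemoteUrl, grouped by destination so that ECH, CDN IPs
// and genuinely unresolved hosts can be told apart by hand.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where isempty(RemoteUrl)                              // the field the thread is about
| where isnotempty(RemoteIP)
| where not(ipv4_is_private(RemoteIP))                  // drop RFC 1918 destinations
| where not(ipv4_is_in_range(RemoteIP, "127.0.0.0/8"))  // and loopback
| where RemotePort in (443, 80)                         // web ports, where a URL would normally be present
| summarize Connections = count(),
            Devices     = dcount(DeviceId),
            FirstSeen   = min(Timestamp),
            LastSeen    = max(Timestamp),
            Processes   = make_set(InitiatingProcessFileName, 10)
          by RemoteIP, RemotePort
| order by Connections desc
```

Note that ipv4_is_private returns null for IPv6 addresses, so IPv6 destinations are silently dropped by the private-range filter; remove that line or add an IPv6 branch if those matter in your environment. The per-destination grouping also makes the duplicate events Ethan mentions visible, since the same connection logged twice shows up as a Connections count higher than the device count would suggest.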

Ethan 🇺🇦 @ethanadoor
@reprise_99 Agree that Apps/SPs are confusing! Can you ask them to improve the Entra UI for apps/SPs? The differences and nuances are not very clear in the portal. I wrote about some a while ago. medium.com/@cybureauocracy/entra-ids-app-service-principal-user-experience-is-a-mess-updated-june-2025-45d70b5ba38b

Matt Zorich @reprise_99
Having responded to probably hundreds of incidents at this point, from ransomware to APTs, in my experience, the lack of knowledge on how to adequately secure Entra applications and service principals continues to be the biggest knowledge gap most defending teams have. You should be able to securely configure apps, detect compromise of apps and understand how to investigate compromise of apps. It seems overwhelming at first, but it isn't. Get started like this.

Secure them:
• Use managed identities where possible - negates the need for credential handling
• Limit privilege - reduce both the permissions granted and add additional API specific restrictions (i.e. don't grant read/write all to all SharePoint sites, just the ones an application needs to access). This includes pushing back on vendors or internal teams that request privilege not required
• High privileged applications should have no direct owners - lower privileged users can be granted direct ownership of an app, don't do this, govern the ability to manage applications via Entra ID roles
• Configure credential restrictions such as requiring shorter lived secrets or enforcing use of certificates
• Remove unused apps and service principals, this can prevent existing high privileged apps being leveraged and reduces your supply chain compromise footprint for multitenant apps
• Monitor risk events for service principals like you would users

Detect compromise of them:
• Alert on application creation or application credential creation - may be noisy in large environments, but a good starting point
• Alert on credentials being added to service principals - credentials generally live on the application object, service principal credential creation should be rare
• Alert on permission consent - this can detect not only malicious activity but permission creep
• Alert on anomalous resource access - does your app usually access only Azure Storage, and suddenly it accesses Microsoft Graph? This may indicate a compromised credential
• Alert on anomalous ASN or location access - does your app usually access only from a specific ASN or country, and suddenly that changes? This may indicate a compromised credential

Many of these are covered by Defender for Cloud Apps and other tools out of the box, but it is worth ensuring you are covered down and what they actually mean.

Investigate compromise of them: know how to query the following logs and understand the events surfaced
• Entra ID sign in data - filter on service principal sign in events via the Entra portal or Kusto in the Defender XDR portal
• Entra ID audit logs - filter on events related to the service principal via the Entra portal or Kusto in the Defender XDR portal. Service principals can be used to further establish persistence, such as creation of users or additional service principals, rinse and repeat for any malicious additions to your environment
• Microsoft Graph - was the compromised app used to access data via Microsoft Graph? You can query via the Defender XDR portal using Kusto to find these events
• Defender for Cloud Apps - did the compromised app access other M365 services? You can query via the Defender XDR portal using Kusto to find these events
• Unified Audit Log - you can retrieve the events related to the compromised app via the audit functionality inside the Defender XDR portal
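
Two of the "detect compromise" bullets above (credentials added to service principals, and anomalous resource or location access) translate directly into Kusto. The block below is an added example, not Matt's own queries, written against the Microsoft Sentinel / Log Analytics tables that Entra ID diagnostic settings populate (AuditLogs and AADServicePrincipalSignInLogs); the same Entra data is reachable from the Defender XDR portal when the workspace is connected. The operation names are the Entra audit log values. The 1-day and 30-day windows are arbitrary choices for the example, and ResultType "0" is the success code in the sign-in tables.

```kusto
// Added example, two queries. In the Kusto editor a blank line separates queries;
// place the cursor in the one you want and run it.

// Query 1: credential and consent events on applications and service principals.
// Credentials normally live on the application object, so the service principal
// variant should be rare in most tenants and is worth a high-fidelity alert.
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in (
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
    "Consent to application")
| extend Actor   = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                            tostring(InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
| extend Target     = tostring(TargetResources[0].displayName),
         TargetType = tostring(TargetResources[0].type)
| project TimeGenerated, OperationName, Result, Actor, ActorIP, TargetType, Target, CorrelationId
| order by TimeGenerated desc

// Query 2: service principal sign-ins to a resource, or from a country, that the
// principal did not use in the preceding 30 days. A stolen secret used from new
// infrastructure against a new API shows up here even when the sign-in succeeds.
let lookback = 30d;
let recent   = 1d;
let Baseline =
    AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where ResultType == "0"                       // successful token issuance only
    | summarize KnownResources = make_set(ResourceDisplayName),
                KnownCountries = make_set(Location)
              by ServicePrincipalId;
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(recent)
| where ResultType == "0"
| join kind=inner Baseline on ServicePrincipalId    // principals with no baseline are brand new; hunt them separately
| extend NewResource = not(set_has_element(KnownResources, ResourceDisplayName)),
         NewCountry  = not(set_has_element(KnownCountries, Location))
| where NewResource or NewCountry
| project TimeGenerated, ServicePrincipalName, ServicePrincipalId, AppId,
          ResourceDisplayName, NewResource, Location, NewCountry, IPAddress,
          KnownResources, KnownCountries
| order by TimeGenerated desc
```

The inner join deliberately excludes principals that have no sign-ins in the baseline window; those are either newly created or newly active, which is a separate (and also interesting) list rather than an anomaly against a baseline. Query 2 uses the country in Location rather than ASN because that column is present in the service principal sign-in table without further enrichment.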

Steven Lim @0x534c
Hunting Unauthorized Mail Access via Microsoft Graph API Abuse
Threat actors can exploit Microsoft Graph API functions to access and read emails from user mailboxes. In this scenario, an application with excessive permissions was potentially abused, enabling unauthorized access to mailbox data. The following query helps detect Graph API calls used to read mail from user mailboxes by unidentified applications that are not registered within the user's Entra tenant. detections.ai/share/rule/OrG… #Cybersecurity #GraphAPI #MailAbuse
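
The shared detections.ai rule is not reproduced on this page, so the query below is an added example of the same hunting idea, not Steven's rule. It takes a different route to "unidentified applications": instead of checking tenant registration it compares the calling AppId against a constructed allowlist of clients that are expected to read mail, and reports every other application by the number of distinct mailboxes it touched. It assumes the Sentinel MicrosoftGraphActivityLogs table (RequestUri, RequestMethod, ResponseStatusCode, AppId, ServicePrincipalId, UserId, IPAddress, Scopes, Roles). The two AppIds in the allowlist are placeholders, not real application IDs.

```kusto
// Added example: applications reading mail through Microsoft Graph that are not
// on the expected-client list, ranked by how many mailboxes each one touched.
// Constructed allowlist; replace the placeholder GUIDs with your own mail clients.
let ExpectedMailClients = datatable(AppId: string, Name: string) [
    "00000000-0000-0000-0000-000000000001", "HypotheticalMailArchiver",
    "00000000-0000-0000-0000-000000000002", "HypotheticalHelpdeskBot"
];
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(7d)
| where RequestMethod == "GET"
| where ResponseStatusCode between (200 .. 299)        // only reads that actually returned data
| where RequestUri has_any ("/messages", "/mailFolders") // /users/{id}/messages, /me/messages, /me/mailFolders/...
| where isnotempty(AppId)
| join kind=leftanti ExpectedMailClients on AppId        // keep only callers not on the allowlist
// Application-permission calls name the mailbox in the path; delegated /me calls
// act on the signed-in user, so fall back to UserId for those.
| extend TargetMailbox = coalesce(extract(@"/users/([^/]+)/", 1, RequestUri), UserId)
| summarize Requests   = count(),
            Mailboxes  = dcount(TargetMailbox),
            SourceIPs  = dcount(IPAddress),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            SampleUri  = take_any(RequestUri),
            Scopes     = take_any(Scopes),                // delegated permissions on the token
            Roles      = take_any(Roles)                  // application permissions on the token
          by AppId, ServicePrincipalId
| order by Mailboxes desc
```

An application that carries Mail.Read as a Role (application permission) and touches many distinct mailboxes from few source IPs is the pattern described in the post; a delegated client with Scopes and a Mailboxes count of one per user is normal user activity and can usually be added to the allowlist.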

Mehmet Ergene @Cyb3rMonk
🤡Yeah, let's detect EDR-Freeze. If you have the logs of course 🤣 For red teamers: First freeze the EDR process, then freeze the rest and you should be OK 🤷‍♂️. I suspect this behavior is consistent for other EDRs, too. #redteam

Ethan 🇺🇦 @ethanadoor
@fabian_bader The description for Disable is odd. What is considered “recently logged in”? It implies “Disable” revokes existing user access which is not entirely true. If the account already has Kerberos Service Tickets, it’s already authenticated and will not lose access for hours or more.

Fabian Bader @fabian_bader
New Microsoft Graph based API for response actions in #MDI. Disable, Enable, ForcePasswordReset and RevokeAllSessions finally available for your automations. learn.microsoft.com/en-us/defender… (anchor: #new-graph-based-api-for-response-actions-preview)

Keanu Nys @RedByte1337
Thanks to everyone who joined my DEFCON33 talk!🎉 For those of you who missed it and are interested in seeing how we can extract cleartext credentials and bypass MFA directly from the official Microsoft login page, I just uploaded the recording to YouTube: youtu.be/z6GJqrkL0S0

Ethan 🇺🇦 @ethanadoor
@rucam365 @Threatzman @headburgh The “Force password reset” button in MDI doesn’t actually do a password reset. It just forces a password change on next logon. Poorly named feature! MDE network protection has a lot of limitations and is not a NIDS.

Ru Campbell @rucam365
Folks, working on two Defender books out this year and want to feature the best community tips. Defender for Endpoint In Depth 2nd Ed (w/ @Threatzman) Mastering Defender XDR 2nd Ed (w/ @Headburgh) So, drop your great MDE, MDO, MDI, MDA, and XDR tips here. Best get featured.

Ethan 🇺🇦 @ethanadoor
@Cyb3rMonk Ahhh yes; I think that’s right now. I always interpreted it as using contains but I think that’s wrong.

Mehmet Ergene @Cyb3rMonk
@ethanadoor I don't think so. It scans data but still uses stop characters in my opinion.

Ethan 🇺🇦 @ethanadoor
@Cyb3rMonk have you ever seen the HAS operator fall back to CONTAINS when the search term is less than 3 chars? This is the documented behavior but seems to not work? I’m certain I saw it work before. 🤔

Ethan 🇺🇦 @ethanadoor
@Cyb3rMonk Hmm interesting. That seems to confirm the docs. Where for an ‘el’ example term, “both operators do not use the index since the index contains only terms of 3 characters or more”, which suggests has would work as a contains.