ODsec
@odiesec
85 posts
Security Researcher | Cloud Security | Speaker
United States. Joined January 2021
398 Following, 234 Followers
ODsec @odiesec
@IAMERICAbooted Sounds great! Framing it like this and detailing the "blast radius" will really drive it home for people
EZ @IAMERICAbooted
New blog post preview:

When you have given an Entra App Registration any of these application permissions (not delegated), you have given the application what's equivalent to a highly stealthy SharePoint Admin:
Allsites.FullControl (SharePoint API)
Allsites.Manage (SharePoint API)
Allsites.readwrite (SharePoint API)
Sites.fullcontrol.all (Graph)
Sites.manage.all (Graph)
Sites.readwrite.all (Graph)

When you give an Entra App Registration the following application permissions (not delegated), you have given the people who have access to the client secret a highly stealthy privilege escalation to Global Admin:
ApplicationRoleAssignment.readwrite.all
Application.readwrite.OwnedBy
Application.readwrite.all

When you give an Entra App Registration application permissions (not delegated) to the following permissions, if the client secret is compromised, you lose the integrity of every file in your organization, allowing an attacker to stage persistence, privilege escalation, lateral movement, and organization-wide data compromise:
Files.readwrite.all

More to come in an upcoming blog post.
ODsec @odiesec
Most users rarely create inbox rules. Alert on New-InboxRule in every M365 tenant you monitor. Takes minutes to set up. Almost no noise. In a recent Business Email Compromise (BEC), that alert would have surfaced the attacker two days before the mass phishing campaign started.
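The New-InboxRule alert from the post, worked as an added example in Python over a constructed Unified Audit Log export (not the author's code): the export column names and the AuditData/Parameters shape follow the real UAL format, while the sample rows, the list of hiding actions and the priority rule are assumptions of this example.

```python
import json

# Inbox-rule operations as they appear in Unified Audit Log Exchange admin records.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}

# Rule actions typically used in BEC to keep the victim from seeing the attacker's
# traffic (mail hidden, deleted or forwarded out). Assumed list for this example.
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder", "ForwardTo",
                 "ForwardAsAttachmentTo", "RedirectTo", "StopProcessingRules"}

# Constructed sample of UAL export rows. In the real export AuditData is a JSON
# string whose Parameters list holds the cmdlet arguments as Name/Value pairs.
SAMPLE_UAL = [
    {"RecordType": 1, "Operation": "New-InboxRule", "AuditData": json.dumps({
        "CreationTime": "2025-01-14T08:12:03", "UserId": "alice@example.com",
        "ClientIP": "203.0.113.7", "Operation": "New-InboxRule",
        "Parameters": [{"Name": "Name", "Value": "."},
                       {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                       {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                       {"Name": "MarkAsRead", "Value": "True"}]})},
    {"RecordType": 1, "Operation": "New-InboxRule", "AuditData": json.dumps({
        "CreationTime": "2025-01-14T09:40:55", "UserId": "bob@example.com",
        "ClientIP": "198.51.100.20", "Operation": "New-InboxRule",
        "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                       {"Name": "From", "Value": "news@example.org"},
                       {"Name": "MoveToFolder", "Value": "Newsletters"}]})},
    {"RecordType": 15, "Operation": "UserLoggedIn", "AuditData": json.dumps({
        "CreationTime": "2025-01-14T08:10:00", "UserId": "alice@example.com"})},
]


def rule_alerts(rows: list[dict]) -> list[dict]:
    """One alert per inbox-rule creation or change, cmdlet parameters flattened.

    Every New-InboxRule is alerted (the post's point). The priority is a triage hint
    assumed here: hiding actions plus an empty or punctuation-only rule name.
    """
    alerts = []
    for row in rows:
        if row.get("Operation") not in RULE_OPERATIONS:
            continue
        data = json.loads(row["AuditData"])
        params = {p["Name"]: p["Value"] for p in data.get("Parameters", [])}
        hiding = sorted(HIDING_PARAMS.intersection(params))
        name = (params.get("Name") or "").strip(". ")
        alerts.append({"time": data["CreationTime"], "user": data["UserId"],
                       "ip": data.get("ClientIP"), "operation": data["Operation"],
                       "rule_name": params.get("Name"), "hiding_actions": hiding,
                       "priority": "high" if hiding and not name else "review"})
    return alerts
```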
Jon? Jhon? John? Juan? @DarkLordoftheIT
We're having a pen tester at our organization and he locked out every AD account across the board...ugh
ODsec @odiesec
We worked a Business Email Compromise (BEC) case a couple months ago. One compromised account, two days of access before anyone noticed. The attacker tried a payment diversion, failed, and pivoted to mass credential harvesting against hundreds of external contacts. I wrote up the full investigation as a multi-part series. Real data, real KQL queries, real timestamps. Everything anonymized. First post is up now, and covers the initial data pull with Microsoft Extractor Suite, ingestion into ADX, and the initial UAL orientation that told us where to look next. odiesec.io/blog/post-1-th…
mRr3b00t @UK_Daniel_Card
some #AITM phishing hunting:
SigninLogs
| where TimeGenerated > ago(90d)
| where UserAgent contains "axios"
| where ResultSignature == "SUCCESS" // or REM this out to see attempts because that's also important to understand
| sort by TimeGenerated desc
ODsec @odiesec
@UK_Daniel_Card @BertJanCyber We used this as one of the main pivots for a recent BEC case. Going to post the full write up on it soon.
ODsec @odiesec
@IceSolst @torrell Wonder if this "excuse" has been used in any legal cases yet. Similar to the "I didn't do that, I must've been hacked" reasoning
solst/ICE of Astarte
@torrell Right, afaik this is spawned from Claude code in your terminal which already is popular and used all the time, so how do I distinguish
ODsec retweeted
Ru Campbell @rucam365
Seen many M365 orgs plowing money into Purview without even enforcing things like compliant devices. Your “DLP” project must also solve the identity + device access question.
Quoting spencer @techspence:
DLP is a waste of money
ODsec @odiesec
Working on a blog series breaking down a real-world BEC investigation I worked. The phish, first malicious sign-in, inbox rules, spoofed domain, and payment-diversion attempt. Multi-part write-up based on Unified Audit Log data using Microsoft Extractor Suite and ADX.
ODsec @odiesec
@IAMERICAbooted I think as long as you keep it general, they shouldn’t mind. Your posts are educational for a lot of people!
EZ @IAMERICAbooted
I struggle with wanting to post content and then worrying about someone complaining because they think it's about my current workplace when it's stuff I've seen consulting, even though I don't tell anyone where I work, not even on my LinkedIn 🙄 😒 Look, I've worked with ~50 orgs now. I see the same shit everywhere in varying configurations.
EZ @IAMERICAbooted
Work is going to pay for my certs and make me do them haha! May as well do all of them now! :p
ODsec @odiesec
@cyb3rops Spot on! Too much shiny object syndrome
Florian Roth ⚡️ @cyb3rops
People shouldn’t be scared by this CrowdStrike report. I don’t even know why they added the “AI-enabled ransomware” part - probably a PR idea that nobody stopped.

The real issue is wrong risk perception. CISOs worry about what sounds new instead of what actually causes incidents. “AI-enabled ransomware” isn’t really a thing. Maybe an AI-written phishing email here and there, but the rest is still human work.

Meanwhile, most orgs lack asset visibility, detection on legacy or OT systems, have exposed RDP without 2FA and poor monitoring. Yet somehow this gets less attention than a buzzword in a report.

It’s like when everyone panicked about tracking pixels in emails around 2018–2021 simply because PR people pushed it as a serious issue. It generates a distorted perception of risks. Our job as a community is to make people aware of this distortion. csoonline.com/article/407591…
ODsec retweeted
Dr. Nestori Syynimaa @DrAzureAD
If you haven't blocked device code authentication flow yet, do it now. Please, just do it! @fabian_bader tells how to do that (and some other related protections) here: cloudbrothers.info/en/protect-use…
Quoting Dennis Kniep @dennis_kniep:
Wrote about a novel technique that leverages the well-known Device Code #phishing approach. It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page. Capable of bypassing #fido denniskniep.github.io/posts/09-devic…
ODsec @odiesec
@dennis_kniep @fabian_bader It's more like MFA doesn't work as a preventative measure right? So it doesn't "bypass" it, it's just not a factor. Although that's tough to phrase haha
Dennis Kniep @dennis_kniep
@fabian_bader Thanks @fabian_bader How would you phrase it, if not "bypass #FIDO"? Even though the FIDO protocol is doing nothing wrong here, after clicking on a phish link, the victim can use FIDO as auth method and the attacker receives the access token. See Demo: github.com/denniskniep/De…
Fabian Bader @fabian_bader
While the claim "bypass #fido" might be a bit stretched, the actual method and PoC is great. One more reason why nobody in your company should be allowed to do device code flow, and if needed this should be limited to certain applications. Great blog @dennis_kniep 👏
Quoting Dennis Kniep @dennis_kniep:
Wrote about a novel technique that leverages the well-known Device Code #phishing approach. It dynamically initiates the flow as soon as the victim opens the phishing link and instantly redirects them to the authentication page. Capable of bypassing #fido denniskniep.github.io/posts/09-devic…
Florian Roth ⚡️ @cyb3rops
We’re seeing a clear trend: attackers are bypassing the endpoint entirely. Not just avoiding traditional EDR-monitored systems by pivoting to embedded and edge devices, but now also operating purely in the cloud. No shell, no malware, no persistence on the endpoint. Just an OAuth token and full access to whatever’s in the victim’s Microsoft 365, Google Workspace, or AWS console.

It’s a complete inversion of how things used to be. The endpoint, once the weakest link, is now usually the most monitored, most policy-enforced part of the infrastructure. You’ve got EDRs, SIEM integration, automation, threat hunting - the full stack. But attackers don’t need to touch it anymore.

Instead, they go after the new soft spots:
- Cloud platforms, where logging is limited, expensive, or off by default
- Network devices and appliances, which are practically blind spots - obscure OSes, no EDRs, hard to monitor, hard to forensicate.
- Embedded systems and IoT junk that no one really knows how to secure, but that sit in critical network paths.

Cloud especially is a mess:
- Logging tiers cost extra and the good stuff is behind paywalls.
- Detection content is lacking, both from vendors and the community.
- You don’t get memory dumps or full control like you do on endpoints.
- You’re at the mercy of the provider when it comes to visibility and response.

And that’s the shift: attackers aren’t hacking computers anymore. They’re hacking trust relationships, identities, and APIs. The whole idea of detection and response needs to evolve with that. Otherwise, we’re securing the hell out of endpoints while attackers happily fish through mailboxes and cloud shares from halfway across the planet.
Quoting Volexity @Volexity:
.@Volexity #threatintel: Multiple Russian threat actors are using Signal, WhatsApp & a compromised Ukrainian gov email address to impersonate EU officials. These phishing attacks abuse 1st-party Microsoft Entra apps + OAuth to compromise targets. volexity.com/blog/2025/04/2… #dfir
ODsec @odiesec
@cyb3rops This is 100% spot on! That's why I think we're going to see a big shift towards canaries in cloud environments.
ODsec @odiesec
@sapirxfed Awesome, I look forward to reading about it!
sapir federovsky @sapirxfed
@odiesec I don't think it's related to PIM, I saw MS uses it to repair some group membership issues for Azure users on joined devices, I hope to get a deeper look at this exe and publish it soon🙂🫡
sapir federovsky @sapirxfed
Did you know about the dsregcmd /refreshprt command? 😃