
Posts by

Remediating Agent Identities for Identity Admins and SOCs | Hybrid Brothers With Microsoft launching Agent ID at the end of 2025, a new kind of identities were born in Entra ID. These identities are specially built for dynamic requirements of AI Agents, and is therefore a com...

This is amazing research. Robbe explained every step so well and provided PS command for everything! As a person who is a bit scared of all the new AI agents thingy, I really enjoyed reading this! @robbevddaele.bsky.social
hybridbrothers.com/posts/agenti...

2 months ago 0 0 0 0
Uncovering Malicious OAuth Campaigns in Entra ID | Wiz Blog Learn how Wiz Research automates detection of emerging malicious Azure app and consent phishing campaigns.

I haven't been here for a while 🙃 It's nice to be back!
I wrote a nice post if you are interested 🙂 it contains a lot of IOCs and real-world statistics🩵
www.wiz.io/blog/detecti...

2 months ago 2 0 0 0

Enhancements in #MicrosoftEntra (diagnostic) logs: Several interesting sign-in properties (including Session ID, status for Token Protection, or GSA traffic) have been added to the sign-in logs and available in #MicrosoftSentinel. (1/3)

1 year ago 3 2 1 0

Some first-party apps that support ROPC flow, I see some FOCI apps in there 🫣
(I tested it!)

1 year ago 2 0 1 0

No 🥺 I saw it on my user, and I didn't change the password

1 year ago 1 0 0 0

Yet another time I impulsively post a random thought that appears to be wrong 🥲

1 year ago 1 0 0 0

Can someone explain what scenario can cause password failure log in non-interactive sign-in logs? 😥 @merill.net @fabian.bader.cloud

1 year ago 0 0 1 0
Detect threats using Microsoft Graph activity logs - Part 2 In part one I focused mostly on detecting offensive security tools like AzureHound, GraphRunner, and PurpleKnight. In part two I will go into more depth how you can use the now available information f...

I saw $batch requests on my logs so I thought you can't see the payload, but then saw this - cloudbrothers.info/en/detect-th...
So I might be wrong 🥺

1 year ago 1 0 1 0
ALT: a pixelated image of a little girl in a red jacket looking up

Want to avoid microsoft graph activity log detection? Just create all your requests as $batch
And you're done 😋

1 year ago 5 0 1 0
GitHub - zh54321/GraphPreConsentExplorer: A comprehensive list of usable Entra ID first-party clients with pre-consented Microsoft Graph scopes, in a simple YAML-file explorable with a simple HTML GUI.

Adding the github page :)
github.com/zh54321/Grap...

1 year ago 4 1 1 0
ALT: a close up of a cartoon bunny with the word wow written on it

I just found out that Project Zero has released a Windows Registry Research Series, and I'm really looking forward to reading it!
googleprojectzero.blogspot.com/2024/04/the-wi…

1 year ago 4 0 0 0
ALT: an animated image of elsa from frozen 2 says i am ready

Omg I just realized all the good stuff happens here! It's like heaven of blog posts!!!

1 year ago 2 0 0 0

I love to show them the cool side of the security industry and use that to get them into things. My favorite - stuxnet. youtu.be/C8lj45IL5J4?...

1 year ago 1 0 0 0

That's cool! Is it a reference to the amazing white paper? An ace up the sleeve 😜

1 year ago 1 0 1 0

That looks like a good one to read

1 year ago 1 0 0 0

What was your talk about? Looking forward to watching it!

1 year ago 0 0 0 0
Gaining Initial Access Part 1: How Do Attackers Find People to Target? A look at how to enumerate users accounts in a M365 tenant

I really enjoyed reading parts 1 and 2 of this series! 🤩💪
www.edtechirl.com/p/gaining-in...

1 year ago 2 0 0 0

Hybrid attack paths sound like a crazy capability!! I love correlating stuff 😂

1 year ago 1 0 0 0

That's so awesome!! Thank you for the opportunity. It's so crazy to think that someone is reading my posts (and maybe even finds them useful!!).

1 year ago 5 0 1 0
ALT: a little girl is standing in front of a mirror with her fist in the air and says "can't wait!"

Waiting for today's entra news so bad, I can't find anything to read 🥲

1 year ago 1 0 0 0
ALT: a cat wearing glasses and a tie is laying in front of a laptop.

Currently working on a cool automation that sends you a message every time something is added to version v1.0 in the changelog. Would anyone be interested in the code?

1 year ago 1 0 0 0

I just read that security defaults become disabled as soon as there is at least one CAP. Is this wise? In practice it can be a very specific CAP, for which many security mechanisms are lost.

1 year ago 0 0 1 0

Copilot is now part of Entra, and I wonder.
1. How does it handle permissions?
2. Can we get access to data we are not supposed to be able to read?
3. Does it also perform write/update actions for you, or only read?
This is going to be interesting 💣

1 year ago 3 0 1 0

So true!!

1 year ago 3 0 0 0

Do you know if there is a large amount of entra sign-in logs example data so I can work on it? I have a cool idea 🙂

1 year ago 0 0 0 0

Perfect rainy morning and the new entra.news (: it's like my dad used to read the paper, but instead of wars, I read about the great new CAE video 😜

1 year ago 3 0 1 0

I love it here. It feels more pure 🙂

1 year ago 2 0 0 0

Thank you for reading it 🥹

1 year ago 0 0 0 0

Thanks!! I really appreciate it 🙂

1 year ago 0 0 0 0

Haha tell me about it I'm a hugeeee fan!!

1 year ago 0 0 0 0