Hacker at @foxit. Connecter of dots. Likes to play around with security and Python.

Joined December 2017
Dirk-jan retweeted
Blog: Abusing cloud services to fly under the radar. Check out our latest blog by @www0ut for our observations and insights into a threat group that we have been tracking for a while that abuses cloud services to achieve their goals. blog.fox-it.com/2021/01/12/a…
Dirk-jan retweeted
We've noted our findings after a couple of years auditing #Windows #Defender Attack Surface Reduction events. Hopefully it will help anyone considering block mode. Being able to use the credential stealing/lsass rule was the surprise for me. medium.com/palantir/microsof…
Service principals: which service principals exist in the tenant? Are they owned by regular users (risk of privesc)? Are these from applications that are actually used or does this mean some third-party app was granted privileges to the tenant at some point?
The service principals overview also provides an easy way to find Microsoft/third-party applications with keys or credentials assigned, as described in dirkjanm.io/azure-ad-privile… . For example, use "Microsoft" as a search term to filter. The Azure portal does not show these creds/keys.
Application roles: by filtering on "serviceprincipal" you can see all the SPs with permissions on other apps. These are API permissions. This means the application can access this information offline. This can be abused as persistence for mail access for example.
OAuth2 permissions: An easy and clickable overview (no endless guids) which shows the OAuth2 permissions (delegated permissions) to applications and whether these were assigned for everyone or for a user specifically. May be an indicator of OAuth2 phishing.
All the information above is available to any user in the tenant. When data is gathered by a privileged role, you can also collect MFA information. This makes it possible to get an overview of how many MFA methods (if any) are registered per user (including FIDO2).
And for the directory roles: overview of the members of each role (user/serviceprincipal) and whether they have MFA methods. Great way of finding admin accounts without MFA. Remember that just because it's registered does not mean it's required for every app/API.
Not yet in the gui, but possible via the "policies" plugin, an overview of all the Conditional Access policies in the tenant. Can be collected as any user. Includes who/what they apply to and what the access requirements are.
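The checks the thread walks through (user-owned service principals, first-party apps carrying credentials, application permissions granted to other service principals, tenant-wide OAuth2 grants, and role members without MFA) can be run offline against an exported tenant snapshot. The script below is an added example, not the thread author's tool or code. Its input records are constructed sample data shaped like the Microsoft Graph servicePrincipal, appRoleAssignment, oauth2PermissionGrant and directoryRole objects: the property names are real Graph properties, but every id, name and value is invented, and the `mfaMethods` list attached to role members is an assumption standing in for what Graph actually returns from a separate authentication-methods query.

```python
"""Offline triage of an Azure AD tenant export. Added example; constructed data."""

# Constructed sample: service principals with owners, credentials and app roles.
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appDisplayName": "Microsoft Graph", "publisherName": "Microsoft Services",
     "keyCredentials": [], "passwordCredentials": [], "owners": [],
     "appRoles": [{"id": "role-mail-read", "value": "Mail.Read"}]},
    {"id": "sp-2", "appDisplayName": "Contoso Mail Sync", "publisherName": "Contoso Ltd",
     "keyCredentials": [], "passwordCredentials": [{"keyId": "k-1"}],
     "owners": [{"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@example.test"}],
     "appRoles": []},
    {"id": "sp-3", "appDisplayName": "Microsoft Teams", "publisherName": "Microsoft Services",
     "keyCredentials": [{"keyId": "k-2"}], "passwordCredentials": [], "owners": [],
     "appRoles": []},
]

# Constructed sample: application (not delegated) permissions held by SPs.
APP_ROLE_ASSIGNMENTS = [
    {"principalId": "sp-2", "principalType": "ServicePrincipal",
     "resourceId": "sp-1", "appRoleId": "role-mail-read"},
]

# Constructed sample: delegated (OAuth2) grants; AllPrincipals = admin consent for everyone.
OAUTH2_GRANTS = [
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.Read offline_access"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "u-bob", "scope": "User.Read"},
]

# Constructed sample: directory role members. `mfaMethods` is an assumed,
# pre-joined field; Graph exposes registered methods through a separate endpoint.
DIRECTORY_ROLES = [
    {"displayName": "Global Administrator", "members": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "carol@example.test",
         "mfaMethods": ["microsoftAuthenticator"]},
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "dave@example.test",
         "mfaMethods": []},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "appDisplayName": "Contoso Mail Sync"},
    ]},
]


def user_owned_service_principals(sps):
    """SPs owned by a regular user: the owner can add credentials and act as the SP."""
    return [(sp["appDisplayName"], o["userPrincipalName"])
            for sp in sps for o in sp.get("owners", [])
            if o.get("@odata.type") == "#microsoft.graph.user"]


def service_principals_with_credentials(sps, publisher_substring=None):
    """SPs carrying keys or passwords, optionally filtered by publisher (e.g. 'Microsoft')."""
    out = []
    for sp in sps:
        count = len(sp.get("keyCredentials", [])) + len(sp.get("passwordCredentials", []))
        if count == 0:
            continue
        if publisher_substring and publisher_substring.lower() not in sp.get("publisherName", "").lower():
            continue
        out.append((sp["appDisplayName"], count))
    return out


def application_permissions(assignments, sps):
    """Resolve appRoleId to its permission value: what each SP can do without a signed-in user."""
    by_id = {sp["id"]: sp for sp in sps}
    out = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue
        resource = by_id[a["resourceId"]]
        value = next((r["value"] for r in resource["appRoles"] if r["id"] == a["appRoleId"]), a["appRoleId"])
        out.append((by_id[a["principalId"]]["appDisplayName"], resource["appDisplayName"], value))
    return out


def tenant_wide_delegated_grants(grants, sps):
    """Delegated scopes consented for all users, the pattern to review for OAuth2 phishing."""
    names = {sp["id"]: sp["appDisplayName"] for sp in sps}
    return [(names.get(g["clientId"], g["clientId"]), g["scope"].split())
            for g in grants if g.get("consentType") == "AllPrincipals"]


def role_members_without_mfa(roles):
    """User members of directory roles with no registered MFA method at all."""
    return [(role["displayName"], m["userPrincipalName"])
            for role in roles for m in role["members"]
            if m.get("@odata.type") == "#microsoft.graph.user" and not m.get("mfaMethods")]


if __name__ == "__main__":
    print("user-owned SPs:", user_owned_service_principals(SERVICE_PRINCIPALS))
    print("Microsoft SPs with creds:", service_principals_with_credentials(SERVICE_PRINCIPALS, "Microsoft"))
    print("application permissions:", application_permissions(APP_ROLE_ASSIGNMENTS, SERVICE_PRINCIPALS))
    print("tenant-wide grants:", tenant_wide_delegated_grants(OAUTH2_GRANTS, SERVICE_PRINCIPALS))
    print("admins without MFA:", role_members_without_mfa(DIRECTORY_ROLES))
```

Each function takes the raw object list so the same checks can be pointed at a real export once it is in hand; the one that needs joining in practice is the MFA check, since registered methods live on a per-user authentication-methods query rather than on the role member object.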