Discover and read the best of Twitter Threads about #microsoftsecurity
Most recents (2)
7 AzureAD identity-related protection tips for protecting against new identity attacks like OAuth theft, MFA prompt spamming, AiTM, and MFA Phishing. #azureAD #MicrosoftSecurity
Links included for more information to earlier posted blogs.
A thread🛡️
Links included for more information to earlier posted blogs.
A thread🛡️
Tip 1: MFA fatigue / MFA spamming is growing. To protect against MFA spamming enable:
- Azure MFA number matching (preview)
- Show additional context in notifications (preview)
Use Azure AD Identity Protection + response actions for medium or high risk. jeffreyappel.nl/mfa-prompt-spa…
- Azure MFA number matching (preview)
- Show additional context in notifications (preview)
Use Azure AD Identity Protection + response actions for medium or high risk. jeffreyappel.nl/mfa-prompt-spa…
Tip 2: 1/2: Adversary-in-the-middle/ AiTM attacks are growing/ detected more in the wild. Prevention using:
- Use phish-resistant MFA
- Protect attacks using Conditional Access
- Use CA: Require device to be marked as compliant/ marked as HAADJ
jeffreyappel.nl/protect-agains…
- Use phish-resistant MFA
- Protect attacks using Conditional Access
- Use CA: Require device to be marked as compliant/ marked as HAADJ
jeffreyappel.nl/protect-agains…
Spent some time today at work playing with @msftsecurity Windows InstallerFileTakeOver LPE (CVE-2021-41379 bypass - github.com/klinix5/Instal…) and managed to create some detections on it.
Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
Detection will be based on Sysmon/SIEM, here we go... 1/n #threathunting #detection #dfir
The exploit requires the user to overwrite elevation_service.exe with a compromised one (in this case with InstallerFileTakeOver.exe).
We can monitor this using #Sysmon event ID 11 - File Creation events:
We can monitor this using #Sysmon event ID 11 - File Creation events:
event_id:11 AND event_data.TargetFilename:*\\elevation_service.exe
