Nathan McNulty, Oct 6, 9 tweets
Looks like a good time for a thread on token theft :)

Not all MFA is of the same quality, and anything using OTP (SMS, hardware/software tokens) or Push (MS Authenticator, Duo, etc.) is susceptible to AITM attacks

That doesn't mean it's useless, but it's becoming less useful
Ideally, we want to move to phishing resistant authentication

In this category, Entra ID supports FIDO2 Security keys, Hello for Business, and Certificate Based Authentication. Microsoft Authenticator and passkeys are coming soon.

Let's start with Hello for Business!
Hello for Business is FIDO2 certified, and you can think of it as certificate based authentication with hardware attestation

In addition to being very secure, it's also a great user experience

For AD users, implement cloud Kerberos trust for on-prem SSO
Coming soon, we will have a similar experience on macOS - sign in to your Entra ID account with Touch ID at the logon screen, passwordless and phishing resistant

This leverages the Microsoft Enterprise SSO extension and Apple's new Platform SSO features

techcommunity.microsoft.com/t5/microsoft-e…
FIDO2 security keys are excellent as a primary or supplemental solution

They work just like Hello for Business with cloud trust for on-prem SSO

They are also supported on mobile and personal devices where other options might not work

The downside is cost and replacement
Due to PKI requirements, I recommend Hello/security keys over certificate based authentication for most, but it's still an excellent auth method

That covers user authentication options, but those all take time to plan and roll out

So what can we do right now? Glad you asked!
A good way to break AITM is to use device based authentication

When a device registers or joins Entra ID, it creates a certificate which is used to authenticate. This breaks AITM as the proxy can't answer that challenge.

Use require hybrid join, compliant, or filter for devices
Compliance is amazing because we can enforce a level of assurance on devices, and it helps reduce the number of policies we have to create per each platform

Also, be sure to block attackers from enrolling their own devices to work around your controls ;)

blog.nathanmcnulty.com/intune-using-a…
Finally, use policies that block based on location. Yes, attackers can spin up resources in your country, but they often don't... You can make fun of me for this, but it works 🤷‍♂️

Here's a similar thread I did that has some device side recommendations too:
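As an added example (not part of the thread), here is the "require compliant or hybrid joined device" control from above expressed as a report-only Conditional Access policy created through the Microsoft Graph PowerShell SDK; the break-glass group ID is a placeholder you must replace.

```powershell
# Added example: report-only Conditional Access policy that requires a compliant
# or Entra hybrid joined device for all users and all cloud apps.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# admin can consent to Policy.ReadWrite.ConditionalAccess.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access (break-glass) group, excluded
# so a misconfiguration cannot lock every admin out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA - Require compliant or hybrid joined device (report-only)"
    # Start in report-only mode and review the sign-in log impact before
    # switching state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: either control satisfies the policy. A phishing proxy holds no
        # device certificate, so it cannot satisfy either one.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Pair this with device enrollment restrictions, as the thread notes, so an attacker cannot simply enroll a device of their own to satisfy the control.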

More from @NathanMcNulty

May 14
Did you know we can block gTLDs (and FQDNs) with Windows Firewall and Defender for Endpoint? 💡

This might be helpful if someone started selling TLDs you'll never do business with ;)

Go to intune.microsoft.com under Endpoint security - Firewall, Reusable settings, click Add
Reusable settings can be used in multiple firewall policies, and updates to these settings apply across all policies automatically

Let's give this a memorable name, then click Next
Now we're going to click Add, then slide the slider for Auto-resolve to True, then type in *.zip or whatever, and click Save.

Do this for each gTLD or FQDN you would like to block

When finished, click Next, and finally, click Add
Apr 25
I have a more comprehensive blog article I'm working on, but a few folks have asked about examples, so until then!

This will be KQL heavy because it's what I have and use, but this thread will have examples for both process execution as well as network telemetry for FW rules :)
// PowerShell execution (including renamed binaries) excluding SYSTEM, UPN per device
DeviceProcessEvents
| where InitiatingProcessAccountSid != @"S-1-5-18"
| where ProcessVersionInfoOriginalFileName == "PowerShell.EXE"
| summarize count() by InitiatingProcessAccountUpn, DeviceName
Some places may run PowerShell scripts as standard users to perform automation tasks (ex. shortcut creation), so it's important to audit before creating AppLocker policies

Say we can't prevent PowerShell as standard user, but we might be able to block network calls. Here's how.
Feb 26
What are some of the first things you do when setting up Azure subscriptions?

Here's some of my favorites, and I'd love to hear from others too :)

First, I always start by setting up billing anomaly alerts (and budgets/budget alerts)

https://t.co/qS0ply93ZB learn.microsoft.com/en-us/azure/co…
While I'm at it, I always double check to see who can transfer subscriptions in and out of my tenant

Attackers can transfer subscriptions to their own tenant but leave you with the billing, so you won't see resources until it's too late

Disable and exempt users only when needed
I have a few items in Defender for Cloud that I always enable - Key Vault, Resource Manager, and DNS

These three are very cheap insurance, and you can enable others as it fits your org

You can also enable custom initiatives for security recommendations:
learn.microsoft.com/en-us/azure/de…
Sep 16, 2022
If you have secrets in PowerShell scripts, at the very least, log in with the account that will be running the script and do the following:

Get-Credential | Export-CliXml -Path $env:USERPROFILE\creds.xml

In your script:

$creds = Import-CliXml -Path $env:USERPROFILE\creds.xml
What happens here is that Export-CliXml sees the credential object and uses DPAPI to encrypt the output

This is why you must run the command as the account that will run the script. It's also why this is Windows only.

For scripts run with a gMSA, use PSExec to run PS as gMSA
I should have made the gMSA comment a separate post..

Don't think of Export-CliXml as for Windows credentials only. You can use it to get bearer tokens, for API keys, etc

If Windows auth only, just use gMSAs for everything. If not, this is what I meant:

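As an added example (not from the thread), this shows the same Export-CliXml/DPAPI pattern applied to an API bearer token rather than a Windows credential; the file path and the API URL are assumptions.

```powershell
# Added example: store an API token with DPAPI via Export-CliXml and read it
# back in the script. Run Save-ApiToken once, interactively, as the account
# that will run the scheduled script; Windows only, since DPAPI is used.

$tokenPath = Join-Path $env:USERPROFILE 'api-token.xml'   # assumed location

function Save-ApiToken {
    # Prompt without echo so the token never appears in the console or history.
    $secure = Read-Host -Prompt 'Paste API token' -AsSecureString
    # Export-CliXml serializes a SecureString encrypted with the current
    # user's DPAPI key on this machine; the XML is useless to another account.
    $secure | Export-CliXml -Path $tokenPath
}

function Get-ApiToken {
    # Import-CliXml fails if run as a different user or on another machine,
    # because the DPAPI key used for encryption is not available there.
    $secure = Import-CliXml -Path $tokenPath
    # Unwrap to plain text only at the moment of use.
    $cred = New-Object System.Management.Automation.PSCredential('token', $secure)
    return $cred.GetNetworkCredential().Password
}

# Usage inside the scheduled script (URL is a placeholder):
# $headers = @{ Authorization = "Bearer $(Get-ApiToken)" }
# Invoke-RestMethod -Uri 'https://api.example.invalid/v1/status' -Headers $headers
```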
Aug 13, 2022
You can easily block these attacks by enforcing Code Integrity Guard for teams.exe and onedrive.exe using Defender Exploit Protection

This mitigation won't work for everyone, especially if you rely on 3rd party plugins, but you should at least put it in audit mode

Here's how :)
First, open Windows Security, go under App & browser control, then click Exploit protection settings

Now click Program settings in the top right, then click Add program to customize, and click Add program to customize

Add an entry for teams.exe and onedrive.exe and enable CIG
Be warned, I highly recommend that you enable Audit only for these if you don't have the data to know this won't break any 3rd party plugins.

If you have Defender for Endpoint, you can analyze the audit data with this:

DeviceEvents
| where ActionType startswith 'ExploitGuard'
Aug 12, 2022
You can also use Windows Firewall to block outbound connections to non-private IP ranges from processes like rundll32 or PowerShell

If you have an EDR/SIEM, go hunting and see if you find anything. If you find legit use cases, add them as an exception with the private ranges ;)
You might think this is pointless since an attacker can just disable the local firewall or modify the rules

There's actually a feature for both Defender exclusions and Firewall rules called Disable local admin merge

It does exactly what it sounds like

The one downside to Disable local admin merge for Firewall is that you will have to explicitly define all firewall rules as local rules are removed

It can be helpful to build rule sets on a reference machine, export, and use that for your baseline

High value for time investment