Merill Fernando
Oct 23, 2023 · 18 tweets · 6 min read
What are HAR files?
A HAR file is a recording of your current session & includes all web traffic including secrets & tokens.

Admins usually share these files with customer support when troubleshooting issues.

Here's a thread on how you can handle .har files safely.

🧵⬇️
Exporting HAR files
There are a few ways to record your session to create HAR files. You might need to use different tools depending on what you are recording.

→ Browser
Every modern browser lets you export a HAR file of the current tab's session from the Network tab.
→ Desktop
Sometimes you might need to troubleshoot a non-browser-based app, for example a desktop app like Outlook or a CLI or PowerShell script.

Your admins are usually asked to use an app like Fiddler, which adds a system proxy to capture all the web traffic on the desktop.
HAR files and session recordings are important tools to help troubleshoot issues, so they are not going away any time soon.

Here are a few practical tips to reduce your risk when sharing session recordings.
Tip #1: Capture non-production traffic

Try to repro the issue in a non-production environment. This way, even if the session tokens fall in the wrong hands, the impact will be limited to non-prod.

I've shared previously on how to set up a mature model.

Tip #2: Avoid using desktop session recording

Avoid recording with tools like Fiddler and Proxyman that capture all the desktop traffic. Where possible, use the browser session recording, which limits the scope to the active browser tab.
The desktop capture tools, on the other hand, capture the traffic and tokens of every single app you have open on your desktop.

If you do need to use them, make sure you filter and export just the selected sessions, instead of 'All Sessions'.

Alternatively use a remote session.
Tip #3: Sanitize the session archive of all the secrets.

Most vendors ask you to review the trace and remove secrets.

This is easier said than done.

Here's none other than @ericlaw (who created Fiddler) answering a post asking how to remove passwords from a Fiddler trace:

"Removing headers that might contain passwords is easy. Removing POST body data or URL QueryString data that might contain passwords is nearly impossible to do reliably, because there's no standard for how such data is encoded."

    public static ToolsAction("Remove PII")
    function doClean()
    {
        var arrSess: Session[] = FiddlerApplication.UI.GetAllSessions();
        for (var i: int=0; i<arrSess.Length; i++)
        {
            arrSess[i].RequestHeaders.RemoveRange(["Cookie", "Authorization", "Proxy-Authorization"]);
            a...
Having said that, Google does provide a HAR Analyzer to help remove some of the common types of secrets. From its help page ("How to get a HAR capture"):

"HAR (HTTP Archive) is a file format used by several HTTP session tools to export the captured data. The format is basically a JSON object with a particular set of fields. Note that not all the fields in the HAR format are mandatory, and in many cases, some information won't be saved to the file. HAR files contain sensitive data! Content of the pages you downloaded while recording. Your cookies, which would allow anyone with the HAR file to impersonate your account. All the information that you submitted while recording: personal details, passwords, credit card numb..."
Click the incognito icon to download a copy of the HAR file that has been stripped of tokens and other sensitive data.

Note: At the time of writing, the Google HAR Analyzer does all the processing locally in the browser and does not send the file to an external server.
It's best to perform a manual review to make sure the HAR Analyzer did not miss any secrets.
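As an added example (not from the thread, and not Google's or Fiddler's code), here is a minimal Python scrubber for HAR 1.2 files that redacts the places where session material lives: credential headers, parsed cookie objects, token-like query parameters in both `queryString` and the duplicated `request.url`, and request/response bodies. The field-name lists and the sample capture are constructed assumptions; extend the lists for the apps you troubleshoot.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Field names that commonly carry tokens in query strings, form posts and JSON (assumed list; extend it).
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code", "client_secret", "password"}
# Constructed minimal HAR 1.2 capture of a token request; not from a real session.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://login.example.test/oauth2/token?client_id=abc&code=AUTHCODE123",
                "headers": [{"name": "Authorization", "value": "Bearer eyJ.fake"}],
                "cookies": [{"name": "ESTSAUTH", "value": "fake-session"}],
                "queryString": [{"name": "client_id", "value": "abc"}, {"name": "code", "value": "AUTHCODE123"}],
                "postData": {"mimeType": "application/x-www-form-urlencoded", "text": "client_secret=s3cret&grant_type=authorization_code"}},
    "response": {"headers": [{"name": "Set-Cookie", "value": "buid=fake; HttpOnly"}],
                 "content": {"mimeType": "application/json", "text": "{\"access_token\": \"eyJ.fake\", \"expires_in\": 3599}"}}}]}}

def _scrub_pairs(pairs, names=None):  # headers, cookies, queryString and postData.params share this shape
    for item in pairs or []:
        if names is None or item.get("name", "").lower() in names:
            item["value"] = REDACTED

def _scrub_url(url):  # request.url duplicates queryString, so the token must be removed here too
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def _scrub_body(text, mime_type):
    # JSON bodies keep their shape with known keys redacted; any other encoding is dropped whole,
    # since (as @ericlaw notes above) there is no standard for how credentials are encoded in it.
    try:
        obj = json.loads(text) if "json" in (mime_type or "") else None
        return json.dumps({k: REDACTED if k.lower() in SENSITIVE_PARAMS else v for k, v in obj.items()})
    except (ValueError, AttributeError):
        return REDACTED

def scrub_har(har):  # returns a sanitized deep copy; the caller's parsed HAR is left untouched
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        post, content = req.get("postData", {}), resp.get("content", {})
        req["url"] = _scrub_url(req.get("url", ""))
        _scrub_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        _scrub_pairs(post.get("params"), SENSITIVE_PARAMS)
        for side in (req, resp):
            _scrub_pairs(side.get("headers"), SENSITIVE_HEADERS)
            _scrub_pairs(side.get("cookies"))  # parsed cookie objects duplicate the header: wipe them all
        for body in (post, content):
            if "text" in body:
                body["text"] = _scrub_body(body["text"], body.get("mimeType"))
    return har
```

Run it over `json.load(open("capture.har"))` and write the result out; the response body keeps `expires_in` so the trace still shows the token endpoint behaviour, while the token value itself is gone.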

-----

Note: The next few tips are specific to Microsoft Entra ID customers. I'll talk about what Microsoft admins can do to protect their tenant from token theft/replay.
Tip #4: In Microsoft Entra ID, enable Privileged Identity Management (PIM) to ensure privileged sessions are short-lived.

With PIM enabled and time-based, approval-based role activation, you reduce the surface area and effectiveness of stolen tokens. From the Microsoft docs:

"What does it do? Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Here are some of the key features of Privileged Identity Management:
- Provide just-in-time privileged access to Microsoft Entra ID and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifica..."
Tip #5: Limit admin session duration

NIST recommends a maximum 12-hour session lifetime for admins.

I shared recently on how you can do this with Entra ID.

While the previous post was about the admin portal, it's better to apply these controls to All Cloud Apps accessed by admins.
Tip #6: Apply the Token Protection Conditional Access policy for admin access where possible.

Note: This feature is currently in preview, is limited to Exchange and SharePoint, currently blocks access from PowerShell, and also requires P2.
Tip #7: Apply a risk-based sign-in Conditional Access policy

Entra ID Protection logs anomalous token usage as a risk detection, which can also be used in Conditional Access policies to auto-remediate. From the Microsoft docs:

"Anomalous token. Calculated offline. This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens.

Note: Anomalous token is tuned to incur more noise than other detections at the same risk level. This tradeoff is chosen to increase the likelihood of detecting replayed tokens that may otherwise go unnoticed. Because this is a high noise detection, there's a higher than normal chance that some of the sessions flagged by this detecti..."
Tip #8: @reprise_99 shared an epic thread on everything tokens including posts from @JeffreyAppel7, @samilamppu, @Thomas_Live, @SantasaloJoosua, @fabian_bader, @_dirkjan, @DrAzureAD and @424f424f

Bookmark and read them all!

Have I missed anything? Let me know.

A quick note. None of us are immune from token theft and there is a lot we need to do to raise awareness about the measures that can be taken to reduce the impact.

It is in this spirit that I'm sharing this thread.
