Newsletter #3 2023
Published on: October 08, 2023
Hi,
First of all, thank you for subscribing and reading the EndpointCave security newsletter.
I feel honored that you will join me on the journey of this bi-weekly Security Newsletter! My goal is to deliver valuable security content directly to you and your inbox.
But I need your help: do you have any valuable content that needs to be shared with the community? Did you create a security blog post, or did you find a security-related news item that should be mentioned in my upcoming newsletters?
Please send me a message. You can contact me on Twitter (X) or LinkedIn.
October means Security Awareness Month, so a lot of content will be created and published. In the last two weeks, the community has created a lot of content.
First, I want to start with a question. As we all know, technical controls help us protect ourselves and our users from attackers. But people are still human, and they make mistakes. And that is OK.
I see a lot of companies sending out phishing campaigns with the goal of testing their users. I do not prefer this method of awareness. I would rather help users understand cybersecurity with training, help them recognize a phishing email, and give them a reward when they forward suspicious emails to security.
So it’s Security Awareness Month, and my question is: what are you doing about security awareness?
Security topics to watch
The Microsoft 425Show has released a video about Microsoft Entra ID Authentication Strengths Deep Dive.
Click Here to view the video on YouTube.
John Savill has released a video about Microsoft Entra ID Governance and will discuss: What is the Microsoft Entra ID Governance license and what are some key recent governance capabilities?
Click Here to view the video on YouTube.
This Microsoft Security video shows, step by step, how to migrate a user who does certificate-based authentication through ADFS to access Microsoft Entra ID into a cloud-managed user who does certificate-based authentication directly against Microsoft Entra ID, without the need for a federation server like ADFS.
Click Here to view the video on YouTube.
The majority of Fortune 500 organizations are using Azure Active Directory (Azure AD) as their Identity and Access Management (IAM) solution. The high adoption rate makes Azure AD a lucrative target for threat actors, including state-sponsored actors like APT29/Nobelium. Azure AD is leveraging Microsoft’s not-so-well-documented Evolved Security Service (eSTS). eSTS hides multiple security token services so that users see only Azure AD.
Click Here to view the Black Hat video on YouTube.
Gianni Castaldi, Alex Verboon, and Brian Bønk Rueløkke have released a video about KQL.
Click Here to view the video on YouTube.
The Microsoft Sentinel DoD Zero Trust Workbook provides a single platform to assess posture relative to the US Department of Defense’s Zero Trust strategy as well as actionable steps for improving alignment with the guidance across all seven pillars of zero trust. Join this webinar to discover how this workbook serves as an excellent foundational resource for customers aiming to enhance their security posture.
Click Here to view the video on YouTube.
Blogs from the community
Creating the Red Lab for Entra Id Azure series for 0 cost!
This demo explains in detail how to obtain a trial subscription for Azure Entra ID and an Office E5 trial license. Using this guide you can build the lab at no cost during the trial period, as well as automate the creation of labs regarding privileged accounts and misconfigured groups. Using this guide can also bring insights of […]
Microsoft Entra MFA Fraud Deep Dive
Recently, Microsoft released the new feature Report suspicious activity for Entra ID. Since I see this feature as a significant improvement and have faced some challenges with the old feature in the past, I have decided to delve deeper into the topic and share my findings here. Now, you might be wondering what makes this […]
Allow On-Premise Password Change to Reset User Risk in Microsoft Entra
Handling user risk can be a difficult task, especially today when users are based all across the globe and identity-based attacks are on the increase. Organisations need to have an understanding of the risks present to them and visibility in real-time of how it is impacting them. All of this of course comes as a […]
Introducing Microsoft Sentinel Web Session Essentials Solution.
Today, Microsoft is announcing the new web session Essentials solution in Public Preview. This is a domain solution and a third Microsoft Sentinel solution to leverage the Advanced Security Information Model (ASIM). This solution provides a set of generic OOTB (out-of-the-box) content for different products like web server, web proxies and web security gateways that […]
Atlassian Confluence Hit by New Actively Exploited Zero-Day
Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances. The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers.
GitHub Repositories Hit by Password-Stealing Commits Disguised as Dependabot Contributions
A new deceptive campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions with an aim to steal passwords from developers. “The malicious code exfiltrates the GitHub project’s defined secrets to a malicious C2 server and modifies any existing javascript files in the attacked project with a web-form password-stealer malware […]
How to be Notified When Microsoft Sentinel Data Stops Populating
The idea behind this solution is to be alerted when data ingestion has stopped for a specific table or originating service, i.e., ingestion health. As a security analyst, having the most current data is critically important – which makes knowing when data has stopped flowing also an important factor. But a lot of times it’s […]
Modifying the Sentinel Costs workbook
Andrea was recently working with an enterprise that has more than 20 different Workspaces where Sentinel is deployed. They wanted to use the Sentinel Cost Workbook to view the costs of these instances individually. If you’re not familiar with the Sentinel Cost Workbook, you can deploy it from the Content Hub. Just search for Sentinel […]
Conditional Access – Common Microsoft 365 Security Mistakes Series
Conditional Access (CA) is front and center of any attempt to secure Microsoft 365. If you’ve spent any time securing your tenant and Entra resources, you’ll know what Conditional Access is by now, so we’ll assume at least a level 200 understanding, skip the introduction, and instead dive into the most common mistakes Ru has […]
Quality assurance in Microsoft Sentinel: how to ensure accurate threat detections?
Mikko has been discussing detection effectiveness, quality, and maturity with many of his Sentinel clients recently, especially when the detection content is not created in-house but originates from external sources. This post is partly about detection engineering in general but focused on the perspective of managing external detections, not DIY detections.
How To Deploy a Complete Entra ID Conditional Access PoC in Under 5 Minutes
This is BY FAR the most substantial TIME SAVING tool Daniel ever shared with the community. From many years of working with EntraID and ConditionalAccess deployments, baselines, and automation tools, Daniel wanted to package all that knowledge, experience, and best-practices, in a single fully automated PowerShell deployment tool.
Support for passkeys in Windows
Passkeys provide a more secure and convenient method of logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device’s unlock mechanism (such as biometrics or a PIN). Passkeys can be used without the need for other […]
Detect when Entra ID guest account get blocked due to risk on home tenant
Imagine your organization’s Microsoft 365 tenant as your home. You wouldn’t welcome a stranger with unknown intentions and a shady introduction into your home, would you? Similarly, proactively identifying and mitigating risks associated with guest users in their home tenant is vital for safeguarding your organization’s data and resources within your tenant.
Cloudflare DDoS protections ironically bypassed using Cloudflare
Cloudflare’s Firewall and DDoS prevention can be bypassed through a specific attack process that leverages logic flaws in cross-tenant security controls. This bypass could put Cloudflare’s customers under a heavy burden, rendering the protection systems of the internet firm less effective.
Azure DevOps Security Guide
Okan Yildiz is thrilled to share a comprehensive Azure DevOps Security Guide, which he meticulously prepared for the community! This guide serves as a critical framework to navigate through the myriad aspects of security, like access control, network security, and continuous monitoring, within the Azure DevOps environment.
Open-source proof of concept offensive tooling
Sion Dafydd is happy to share that Secureworks has open-sourced some of the proof of concept offensive tooling that he has developed over the last two years while undertaking research as part of the Offensive Security Research team, Catalyst.
Defending against Quishing attack with Microsoft 365 Defender Advanced Hunting
If you analyze the majority of the quishing emails received, all the automated quishing emails contain a QR code image attached as a PNG file with a filename made up of random alphabetic characters. Based on this characteristic we can craft a KQL query in Microsoft 365 Defender Advanced Hunting to detect QR code phishing emails.
New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software
A new malware strain called ZenRAT has emerged in the wild that’s distributed via bogus installation packages of the Bitwarden password manager.
Microsoft is Rolling out Support for Passkeys in Windows 11
Microsoft is officially rolling out support for passkeys in Windows 11 today as part of a major update to the desktop operating system. The feature allows users to login to websites and applications without having to provide a username and password, instead relying on their device PIN or biometric information to complete the step.
Optimizing Azure Firewall logging costs
In this post George will dive deep and show the expected cost optimization of this new structured logging, and what is causing this saving. George will use a sample record of a network rule log to explain it. Please note that this saving applies only if the sink is Log Analytics.
New expanded visibility into multicloud data security in Microsoft Defender for Cloud
Attackers have turned their attention to finding these “unknown unknowns” and easily exploit unintentionally misconfigured and exposed cloud data resources. It should come as no surprise that it’s more critical than ever to identify where sensitive data exists and is accessed in resources across increasingly complex, distributed, and dynamic multicloud environments.
Entra Connect Account Hardening
Microsoft Entra Connect Sync (aka Azure AD Connect) allows establishing hybrid identity scenarios by interconnecting on-premises Active Directory and Entra ID (aka Azure AD) and leveraging synchronisation features in both directions. As you might already know, this brings potential for abuse of the assigned permissions to the involved service accounts and permissions of this service.
QR Code + AITM phishing!!
Attacks are growing and evolving, since attackers are trying to bypass protections. As already mentioned in my previous blogs, AiTM is rising and growing. Since this year, the combination of AiTM and QR-code-based phishing is used more often. In this situation, attackers use QR codes which include malicious links going to AiTM or phishing sites to […]
How to Block User Access to BitLocker Keys in Microsoft Entra
Do you allow users to self-service recover their own BitLocker keys in Microsoft Entra? 🤔 Well, there are certainly some arguments for and against. Regardless, by default any user in your organisation can log in to myaccount.microsoft.com, select ‘Devices’, and recover the BitLocker key of their corporate device.
My favorite Conditional Access policies to implement
A bit of light reading today, but still an important topic worth discussing: Conditional Access! If you’re not very experienced with implementing these policies, this post might help set you up in the right direction.
Entra ID Conditional Access Policy Design Baseline with Automatic Deployment Support
I’ve just released version 13 of my ConditionalAccess Policy Design Baseline for EntraID (AzureAD). Updates: Added a GLOBAL prefix for all policies (and a CUSTOM prefix for any deviations). Reversed the guest access policy to block access to Azure Management. Added medium-risk policies for Entra ID Protection. Added a new device registration policy with MFA requirement. […]
Take back control over installing Add-Ins
Microsoft 365 add-ins are important for enhancing functionality and user experience. However, it is crucial to balance the benefits they provide with the need for security and privacy. This blog focuses on finding that balance and ensuring the security of your Microsoft 365 environment. Having a well-rounded system is essential for a successful business strategy.
Chinese hackers have unleashed a never-before-seen Linux backdoor
SprySOCKS borrows from open-source Windows malware and adds new tricks.
Respond to threats across tenants more effectively with Microsoft 365 Defender multi-tenant support
Multi-tenant environments add an additional layer of complexity to today’s ever-evolving threat landscape. Whether organizations have grown through acquisition, or have strategically implemented multi-tenant setups, navigating across multiple environments is no small task. Mundane and repetitive tasks require security operations center (SOC) teams to log in and out of each customer environment individually. This not […]
Thank you for being a part of my newsletter; I hope you found valuable content in it. I look forward to delivering more valuable content in the future.
Your feedback is welcome, so please feel free to share your thoughts and suggestions for future editions.
Kind Regards,
René
EndpointCave