Newsletter #7 2023
Published on: December 03, 2023
Hi,
First of all, thank you for subscribing and reading the EndpointCave security newsletter.
I feel honored that you will join me on the journey of this bi-weekly Security Newsletter! My goal is to deliver valuable security content directly to you and your inbox.
But I need your help: do you have any valuable content that needs to be shared with the community? Did you create a security blog post, or did you find a security-related news item that should be mentioned in my upcoming newsletters?
Please send me a message. You can contact me on Twitter (X) or LinkedIn.
The community has created a lot of content in the past two weeks, and I want to share some of those blogs and videos with you. First come a few highlights and videos; after those, I have listed blogs from the community, for the community. I assume at least one of those topics will be interesting for you.
For your information, this will be the last newsletter for 2023. I will enjoy my two-week Christmas holiday and be back next year. It may be a little early, but I wish you all a Merry Christmas and a Happy New Year.
Highlights
Microsoft’s Windows Hello fingerprint authentication has been bypassed
Microsoft’s Windows Hello fingerprint authentication has been bypassed on laptops from Dell, Lenovo, and even Microsoft. Security researchers at Blackwing Intelligence discovered multiple vulnerabilities in the three most widely used embedded fingerprint sensors, which businesses rely on to secure laptops with Windows Hello fingerprint authentication. Note that all three attacks required physical access to the device; the common root cause was that Microsoft’s Secure Device Connection Protocol (SDCP), intended to authenticate the sensor to the host, was either not enabled by the OEM or could be sidestepped through a code path that did not use it.
Security Tech Accelerator – Next week!
As a follow-up to Ignite, Microsoft will host a deeper dive into the announcements and give you the chance to ask their product teams questions (register for a Tech Community profile now so you can ask questions live during the event). Microsoft’s goal is to connect you with your security peers and equip you with the technical knowledge that will help you and your team safely and confidently adopt AI.
Security topics to watch
Unifying SIEM & XDR: a new era in SecOps
In this episode—live from Microsoft Ignite—Principal Product Managers Javier Soriano and Tiander Turpijn lead the conversation on the newest unified security operations platform. Learn how this innovation offers you enhanced analyst efficiency by combining security information and event management (SIEM) and extended detection and response (XDR), reducing interruptions through consolidation of duplicate features, and enabling proactive attack detection and disruption across Microsoft and non-Microsoft products. Discover how you can benefit from comprehensive coverage from the market’s most extensive XDR capabilities and a SIEM that extends across multi-cloud business applications, the Internet of Things, operational technology, and multiple platforms.
Incident Response: Azure Log Analysis
Investigating an incident with log analysis! This video walks through a simulated attack on a managed service provider, from initial intrusion all the way to full network exploitation, and uncovers the techniques the attacker used to compromise this Azure environment.
The New Microsoft Purview Portal – A work in progress?
In this video, Peter takes the new Microsoft Purview portal out for a spin, with some surprising results!
Blogs from the community
Microsoft Cybersecurity Reference Architectures December 2023 update is now live!
What does the MCRA include?
– Antipatterns (common mistakes) and best practices
– Guiding rulesets for end-to-end architecture
– Threat trends and attack patterns
– Mapping Microsoft capabilities to organizational roles
– Mapping Microsoft capabilities to Zero Trust standards
– Securing privileged access
– Reference plans in SAF (including an example of patching modernization)
[…]
Detecting and remediating emails with Defender XDR correlation
One of my customers has seen an interesting campaign, and they wanted help detecting and remediating it.
Mastering Zero Trust with Microsoft Entra and SailPoint IdentityNow
Having navigated through various vendors, a recurring question from our customers and partners is, ‘We have both Microsoft Entra and SailPoint IdentityNow coexisting in our environment. How can we better manage these two products to enhance identity and security?’
All OSINT Tools
In this place, you can find all gathered necessary and useful open-source investigating (OSINT) tools on the internet.
Diamond Sleet, tracking the activities based on IoCs in KQL, Advanced Hunting
Tracking Diamond Sleet activity based on IoCs in KQL and Advanced Hunting. File types covered: Win32 EXE, Win32 DLL, PNG.
Microsoft Defender for Cloud Apps in Microsoft Defender XDR
Microsoft Defender for Cloud Apps is now part of Microsoft Defender XDR.
– Microsoft Defender XDR will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
– SOC analysts will be able to triage, investigate and hunt across all Microsoft Defender XDR workloads, including cloud apps.
– […]
How to import Conditional Access policies
We want to import Conditional Access policies into a Microsoft Entra tenant. We can restore Conditional Access policies using the Microsoft Entra admin center, but that is a single-policy upload. What if you have multiple Conditional Access policies to import? PowerShell is the easiest and fastest way. In this […]
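As an added illustration of the bulk-import approach the post describes (this is my own example, not code from the linked post), the script below imports every exported policy JSON in a folder through the Microsoft Graph PowerShell SDK. It assumes PowerShell 7 (for `ConvertFrom-Json -AsHashtable`), the Microsoft.Graph.Identity.SignIns module, and that each file holds one policy object in the shape returned by `Get-MgIdentityConditionalAccessPolicy`; the folder name `.\ca-policies` is a placeholder.

```powershell
# Added example: bulk-import exported Conditional Access policies with the Graph PowerShell SDK.
# Assumes PowerShell 7+ and the Microsoft.Graph.Identity.SignIns module.
param(
    [string]$ExportPath = ".\ca-policies",  # hypothetical folder holding one policy per .json file
    [switch]$Enforce                         # default is report-only; pass -Enforce to keep exported state
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Graph sets these itself; sending them back on a create request fails with a 400.
$readOnly = @("id", "createdDateTime", "modifiedDateTime", "templateId")

# Existing display names, so a re-run does not create duplicates.
$existing = Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object -ExpandProperty DisplayName

foreach ($file in Get-ChildItem -Path $ExportPath -Filter "*.json") {
    # -AsHashtable gives a mutable object that -BodyParameter accepts directly.
    $policy = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json -AsHashtable
    foreach ($key in $readOnly) { $policy.Remove($key) }

    if ($existing -contains $policy.displayName) {
        Write-Warning "Skipping '$($policy.displayName)': a policy with that name already exists"
        continue
    }

    # A policy from a file has not been reviewed against this tenant's sign-in patterns yet.
    # Report-only surfaces its impact in the sign-in logs without locking anyone out.
    if (-not $Enforce) { $policy.state = "enabledForReportingButNotEnforced" }

    # Users, groups and apps are referenced by object ID. Those are tenant-specific, so a
    # cross-tenant import needs the IDs remapped before this call will succeed.
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Imported '$($created.DisplayName)' as $($created.Id) (state: $($created.State))"
}
```

Run it once without `-Enforce`, review the report-only results, then flip the policies to enabled in the admin center or with `Update-MgIdentityConditionalAccessPolicy`. Keep a break-glass account excluded from every policy before enforcing anything.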
Using KQL in a Playbook for Sentinel
Andrea was working with a customer recently who wanted to run a playbook in Microsoft Sentinel that takes an incident, checks whether the accounts in the incident are enabled or disabled, and then emails that information to the security team.
How to develop a MITRE ATT&CK Microsoft Copilot bot, Integrate it with Teams and Monitor it with Microsoft Sentinel.
Hi defenders, At Microsoft Ignite 2023, Microsoft introduced Microsoft Copilot for Microsoft 365 that uses Large Language Models (LLMs) and your enterprise data to provide powerful intelligent assistance capabilities. In this blog we are going to explore how to use Microsoft Copilot Studio to develop your first Copilot, integrate it with Microsoft Teams and Monitor […]
Microsoft Defender XDR, Security Copilot & Microsoft Sentinel now in one portal
Manage SIEM, XDR, and threat intelligence from one place with new updates in the Microsoft Defender portal. Interact with all of your security data using generative AI with Security Copilot. View incidents across your digital estate — whether they’re related to endpoints, SaaS services, your network in the cloud or on prem. This unified approach eliminates the […]
Securing your GitLab Environment with Microsoft Defender for Cloud
In the dynamic landscape of software development, developers across diverse organizations are embracing a wide variety of Source Code Management (SCM) and CI/CD pipeline systems to optimize their workloads. While this trend presents flexibility, collaboration, and speed to software development, the challenges of securing the application lifecycle become increasingly complex. As organizations strive to improve […]
Securing AWS: A Comprehensive Guide to Efficient Privilege Identity Access Management with Microsoft Entra SSO Integration.
Managing identities and access permissions in AWS is a critical aspect of maintaining a secure and well-controlled cloud environment. The challenge often lies in finding a balance between users seeking admin permissions and security/ auditors advocating for the principle of least privilege access. This article explores an approach to privilege identity access management, emphasizing the […]
Adopting Microsoft Entra ID Governance – A Deep Dive
Lately, a lot has happened, changed and been introduced in the Microsoft Entra ID Governance space, and this is one of my favorite topics to write about and explain. The main reason is that Entra ID Governance features are all interconnected, and organizations can easily create an ecosystem and start using its features. Not […]
Step-by-Step : Assign access packages automatically based on user properties in Microsoft Entra ID
Microsoft Entra ID Governance offers the capability to manage the access lifecycle of resources through access packages, which are organized into catalogs and define the resources available within them. Each access package includes at least one policy that outlines who can request access to it, the approval process, and access lifecycle settings such as assignment […]
From Threat Report to (KQL) Hunting Query
Threat intelligence reports are an essential source to be able to identify and mitigate security threats. However, the process of converting the information in these reports into actionable queries (such as Kusto Query Language (KQL)) can be challenging. In this blog post, we will explore the steps involved in going from a threat intelligence report […]
Microsoft Sentinel: Public preview of Microsoft Defender for Cloud to Defender XDR integration
At Ignite 2023 Microsoft announced the Public Preview of Microsoft Defender for Cloud integration into Microsoft Defender XDR. As a Microsoft Sentinel customer, you can benefit from this powerful integration in your own workspaces using the Defender XDR Incidents and Alerts connector simplifying attack detection by streaming merged detections from various sources. Security teams can […]
Prevent AiTM with Microsoft Entra Global Secure Access and Conditional Access
Microsoft Entra Global Secure Access brings a new control to Conditional Access. By installing the Global Secure Access Client on (hybrid) Entra joined devices and enabling Global Secure Access signaling for Conditional Access, admins can now work with a new condition: All Compliant Network locations (Preview)
Auditing Azure Storage Account Activities
Azure storage services offer a variety of options for storing and managing data in the cloud. However, storing data in the cloud also comes with some security risks and challenges that organizations should be aware of.
Zero Trust Adoption Guidance with Nicolas Blank
We’re all using zero trust – but are we using it well? Richard talks to Nicolas Blank about his work helping to develop the Zero Trust Adoption Framework. Nicolas talks about resisting the buzzword effect and avoiding looking at zero trust as a set of products because it isn’t – it’s really about the people […]
Detecting Ransomware with Defender for Cloud Apps
Ransomware attacks keep growing and cripple companies, cities, and businesses. Attackers lock people out of their networks and demand significant payment to get back in, and many organizations still pay in order to get their data back. Security teams are trying to prevent and stop ransomware attacks – many times, it’s […]
Using the hidden gems in Entra ID Governance access packages, all you need to know! – Part 4
This fourth part of the ‘hidden gems’ in Entra ID Governance Access Packages will look at how we can delegate some access package management from IT to the business or stakeholders so IT can focus on what really matters: ‘Adding new features and empower the business to do more themselves’. At last, we will look […]
An Overview of Lifecycle Management: Why Organizations Need to Embrace It
In the technology-driven environment we operate in today, the need for effective management and control of the numerous digital assets within an organization cannot be overstated. Among these, lifecycle management stands out as a crucial, yet often overlooked, component. In this post Niklas explains what lifecycle management is and why organizations […]
How to Enable End-to-End Encryption for Microsoft Teams Meetings?
After COVID, with more virtual meetings happening, it is really important to ensure the confidentiality of online meetings. As we know, Microsoft Teams enhanced its security by implementing end-to-end encryption (E2EE) for 1:1 calls. They didn’t stop there, but went a step further and added that same protection to […]
How to protect against modern phishing attacks like Evilginx
Modern phishing attacks are on the rise, and methods to defend against them are few. Having shared numerous posts on how Evilginx works, Luke wanted to dedicate some time to investigating and understanding how to prevent Evilginx and other man-in-the-middle (MITM) style attacks, based on personal experience. This guide is designed not only to […]
Mistaken Identity: Extracting Managed Identity Credentials from Azure Function Apps
Karl started working on a function that could be added to a Linux container-based Function App to decrypt the container startup context that is passed to the container on startup. As he got further into building the function, he found that the decrypted startup context disclosed more information than previously realized.
A TOUCH OF PWN – PART I
Blackwing Intelligence recently had the privilege of speaking at Microsoft’s BlueHat conference in Redmond about a vulnerability research project on Windows biometric authentication that their team performed for Microsoft’s Offensive Research and Security Engineering group (MORSE). Their objective was to evaluate the security of the top three embedded fingerprint sensors used for Windows Hello, embedded by OEM […]
Conditional Access ‘What If’ Simulation with PowerShell
So, Daniel decided to write his own Conditional Access evaluation engine in PowerShell, like one does on rainy November nights, right? Its purpose is to provide capabilities similar to the built-in What If tool in the Entra ID portal, but with a clear focus on finding grant control gaps in common and uncommon use cases. […]
3 Ways to Make the CIS Controls More Automation-Friendly
Compliance obligations that support data privacy and cyber risk are nearly ubiquitous, and they are expanding. According to Gartner, government regulations covering these areas will apply to five billion citizens and more than 70% of global GDP through 2023. Like all organizations, you need to make sure you get the most […]
Introducing AD FS Application Migration: Your Path to Simplicity and Security
Are you tired of dealing with the hassles of managing your Active Directory Federation Services (AD FS) applications? Do you want to enjoy the benefits of a modern, secure, cloud-based identity platform? If so, Microsoft has some great news for you: a new feature, AD FS Application Migration, is here to […]
Attack Surface Reduction Generator
Welcome to the Attack Surface Reduction (ASR) Generator. This project is a comprehensive suite of tools and resources designed to aid in understanding and configuring ASR rules in Microsoft Defender. The ASR Generator is built with the aim of simplifying the process of managing ASR rules, making it more accessible and efficient for users of […]
Thank you for being part of this newsletter. I hope you found valuable content in it, and I look forward to delivering more in the future.
Your feedback is welcome, so please feel free to share your thoughts and suggestions for future editions.
Kind Regards,
René
EndpointCave