Tal Maor
@talthemaor
Tal Maor’s Tweets
If you didn’t catch our webinar on malicious OAuth apps, don’t worry you can still view the recording and read the blog! youtu.be/cypkI7y7LtM.
Should also invest in reviewing newly created apps -
Security teams returning from holidays? Invest some time reviewing what OAuth apps have been created or consented to in your org while you were gone. Consider allowing consent only with admin approval.
In M365D there is detection for risky admins who elevate their access. But ideally, every elevate-access operation should be monitored and evaluated by the security team.
Heather Lake Trail: 740 meter above PNW shoreline
Just published a new blog post 👀 -
this time, we joined forces to uncover a notorious actor's infrastructure and TTPs. Worth mentioning some of them, and learning how the risk can be mitigated 👇🧵
microsoft.com/security/blog/
1/n
Having ARM logs next to the rest of the Cloud Apps Logs is a great way to avoid Subscription Hijacking!
How to enable connector: learn.microsoft.com/en-us/defender
The threat: techcommunity.microsoft.com/t5/microsoft-3
#MCAS #M365D #MicrosoftDefenderforCloudAppS
Is your Azure subscription being compromised or hijacked? 👀
Check out the new blog I published about how we can hunt for compromised / hijacked Azure subscriptions using M365D & MDCA:
Skeleton key attack ported to AD FS.
An excellent blog post
Quote Tweet
Microsoft has discovered a post-compromise capability we’re calling MagicWeb, which the threat actor tracked as NOBELIUM is using to maintain persistent access to environments they have compromised. In-depth technical analysis and hunting guidance here: msft.it/6016jeB4i
NTLM relay is dead and living in AAD.
An interesting talk by
i.blackhat.com/USA-22/Wednesd
CC:
#BHUSA2022
I just read a great blog about hunting in Okta events, so I implemented some of the ideas as Advanced Hunting queries.
You can find the queries here:
How to set up Microsoft Authenticator, Windows Hello, or FIDO2 keys in Azure AD admin center.
Get more advice and options for your Zero Trust security model here on our Essentials Series. youtu.be/fQZQznIKcGM #IDMGMT
Today I'm happy to announce my newest and most ambitious project - the Azure Threat Research Matrix (ATRM). A similar look to MITRE ATT&CK Enterprise, but the ATRM will cover AzureAD and Azure resource TTPs. Official blog post: techcommunity.microsoft.com/t5/security-co (1/2)
BEC should get the attention it deserves -
Deploy FIDO2 and YubiKeys to avoid AiTM
Quote Tweet
Attackers behind a large-scale adversary-in-the-middle (AiTM) phishing campaign used stolen credentials and session cookies to skip the authentication process and perform follow-on business email compromise (BEC) campaigns against other targets. Details: msft.it/6016b2F3Q
2nd reason to attend Blackhat this year is 's "AAD Joined Machines - The New Lateral Movement" talk. Don't miss it.
Months of work is finally published! Let's use our blog to raise some insights for all the defenders out there! Let's hunt AiTM phishing & cookie🍪replaying! 🧵
1/n
Quote Tweet
Attackers behind a large-scale adversary-in-the-middle (AiTM) phishing campaign used stolen credentials and session cookies to skip the authentication process and perform follow-on business email compromise (BEC) campaigns against other targets. Details: msft.it/6016b2F3Q
Today , and I are launching a new website to list cloud vulnerabilities and CSP security issues. The website will be driven by the community, enabling cloud defenders to search and view essential info about cloud vulnerabilities cloudvulndb.org 1/6
If you have MDE-MDCA integration enabled, you might want to check the following hunting query we wrote in response to DEV-0537 (Lapsus$):
github.com/Azure/Azure-Se
The query can find scenarios where users upload zipped repos to an external domain (based on an exclude list).
🧵
Another great example that OAuth consent phishing campaigns are here to stay!
Make sure to monitor consent activities to high-priv apps in your org (can be easily done using MDCA policies)
"You're only as strong as your weakest player"
Quote Tweet
Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.
In this post, I explain how to abuse Service Principals to escalate rights in Azure - this is the most common avenue of escalating to Global Admin in Azure we've seen so far: posts.specterops.io/azure-privileg
Prior work by and
Quote Tweet
Tomorrow: join me and @davidpmcguire as we preview the first commercial product from the #BloodHound development team at SpecterOps. Register here: specterops.zoom.us/webinar/regist
I never imagined a security talk we gave ( + ) would lead someone into a journey he claims "actually changed my life", but apparently it did.
So happy to see 's journey and progress.
Quote Tweet
My BlueHound talk was just released!
It's about my #bloodhound journey and a tool I wrote to automate a methodology for defenders I presented last year. Hope you will enjoy!
sector.ca/sessions/bhpd-
Hunt for activity related to the Solorigate attack with Azure Sentinel. New blog has guidance and empowers defenders to hunt for a highly sophisticated actor operating both on endpoint and in the cloud:
Super cool as always.
Quote Tweet
Proud to release BloodHound 4.0 - AzureHound, one of our biggest releases to date. As always, the release can be found on the repo, as well as the new AzureHound collector. Linux builds coming whenever CI finishes them!
github.com/BloodHoundAD/B
Reminder to all our Windows customers to deploy at least the August 2020 update or later and follow the original, published guidance to fully resolve the vulnerability, CVE-2020-1472. For further information, see our blog post: msft.it/6019TARbV
New version of #AADInternals out now:
•Play with PRTs 🔥
•Join imaginary devices to Azure AD 🧙♂️
Read the blog to learn more:
👉 o365blog.com/post/prt/
#Microsoft #AzureAD #infosec #security #identity #MFA #redteam
Credits to
Added also Intune enrollment 😎
👉
exploiting #Zerologon...
Tired: boring all 0s challenge 😴
Wired: Exciting challenges with non 0 values 🥳
See my new blog on the matter
medium.com/@TalBeerySec/z
Thanks to
Between Sep 2019 and Jun 2020, STRONTIUM launched credential harvesting attacks against tens of thousands of accounts at >200 organizations. Learn about the group’s shifting approach to credential harvesting, and get guidance for proactive defense:
WE HAVE PCAPs 😈
a) ➕ ET Rules!
b) git clone github.com/hunters-forge/ && cd mordor/datasets/large
c) find apt29/day*/pcaps -name '*.zip' -execdir unzip -P infected {} \;
d) find apt29/day*/pcaps -name '*cap' -execdir suricata -r {} -k none \;
TY 🙏
In case you missed it (I totally did); Identity Protection now detects password spray attacks.
Quote Tweet
From Pass The Prt to Pass The Certificate for Azure AD machines
In this post, I will explain what NegoEx and PKU2U are, what a P2P certificate is, and how to use those to gain access to Azure AD machines
medium.com/@mor2464/azure
Illustration of an end-to-end attack chain across multiple domains using Microsoft security products was just posted!
Azure ATP detects SMBGhost on protected Domain Controllers bit.ly/2VxvtO5
Quote Tweet
It's here! Details on how we achieved #SMBGhost RCE are available. Enjoy!
"I'll ask your body": SMBGhost pre-auth RCE abusing Direct Memory Access structs by (@hugeh0ge)
ricercasecurity.blogspot.com/2020/04/ill-as