ParsonsProject

@ParsonsProject

DFIR Consultant who knows too much about Office 365 IR and Seattle Transit Find me in BlueSky :)

Joined June 2009

252 Following

178 Followers

88 Posts

ParsonsProject @ParsonsProject

4 months ago

@microsoftgraph @azuread @msdev Could you please fix the access issues with getting access to the MS Graph modules? Thank you :) #msgraph #microsoftgraph #outage

ParsonsProject's tweet photo. @microsoftgraph @azuread @msdev Could you please fix the access issues with getting access to the MS Graph modules? Thank you :) #msgraph #microsoftgraph #outage https://t.co/Y0DIGd0i3s

ParsonsProject @ParsonsProject

over 1 year ago

Deleting Twitter, find me on the Blue place (same username).

ParsonsProject @ParsonsProject

over 3 years ago

@JezCorden @TruBluDevil So for a personal account it doesn't give you an option but organizations can choose to enable number matching as MFA rather (Password + number matching) than using only passwordless authentication (which is only number matching). Orgs can also make you type the number in too.

ParsonsProject retweeted

Sean Metcalf

@PyroTek3

over 3 years ago

Due to breaches involving MFA bombing (attacker keeps sending MFA requests until accepted) now is the time for organizations with Office 365 to enable MFA number matching in Microsoft Authenticator. You can deploy to a group before configuring for all. https://t.co/t84oaIyiNH 1/3

PyroTek3's tweet photo. Due to breaches involving MFA bombing (attacker keeps sending MFA requests until accepted) now is the time for organizations with Office 365 to enable MFA number matching in Microsoft Authenticator. You can deploy to a group before configuring for all.
https://t.co/t84oaIyiNH
1/3 https://t.co/9phZUgILXI

947

281

268

Who to follow

rootsecdev

@rootsecdev

Senior Security Consultant @TrustedSec | Military grade meme poster, researcher, cloud penetration tester, voider of warranties. My thoughts are my own.

Nik

@Security_Sleuth

@SocietatesCivis & @passvult. Simplifying dual citizenship & securing your digital life.

allie🖤✨

@ac1dgoddess

infosec vampire; OG linux&cloud punk🤘🏼@hacknotcrime advocate; @notasockpuppet1 is bae 💍 views are mine.

ParsonsProject @ParsonsProject

almost 4 years ago

@DebugPrivilege Well, I just ran it my in my test tenant and so far have nothing although I'll check again after 24 hours in case it takes that long to generate the event! I'm leaning to it not generating any cloud artifacts.

ParsonsProject @ParsonsProject

almost 4 years ago

@DebugPrivilege AAD audit logs will generate an event called "Download groups - started (bulk)" which I've used to find recon of TAs although I'm not certain if that is only generated when you initiate a download via the AAD portal. Perhaps it's not logged via ROADTool : (.

ParsonsProject @ParsonsProject

about 4 years ago

If you're looking for Operation names to alert or hunt with M365 here's a few to help you out! I would prioritize "Add service principal credentials" for nation state cases. (sourced from my BSides Vancouver talk last year) #DFIR #m365 #o365 #bsidesvancouver #stellarparticle

ParsonsProject's tweet photo. If you're looking for Operation names to alert or hunt with M365 here's a few to help you out! I would prioritize "Add service principal credentials" for nation state cases. (sourced from my BSides Vancouver talk last year) #DFIR #m365 #o365 #bsidesvancouver #stellarparticle https://t.co/TSN832Av7v

ParsonsProject @ParsonsProject

over 4 years ago

7. Overall, this case demonstrates how cloud and on-prem IR teams can collaborate in amazing ways to find compromise where many of these exploitation methods were thought to have been in proof of concept only. #DFIR #O365 #APT29 #Crowdstrike

ParsonsProject @ParsonsProject

over 4 years ago

Last week we published this blog post which details several O365 techniques used in the StellarParticle campaign (among others). If there's ever a reason to keep up to date on O365 tech, this is it. Highlights in thread.. #DFIR #O365 #APT29 #Crowdstrike https://t.co/LfteG9Q5QH

ParsonsProject @ParsonsProject

over 4 years ago

6. Finally, and take note, the TA hijacked existing LEGIT service principals which already had global mail access. If there is ONE event to monitor for SPs, please monitor "Add service principal credentials." . This is the only event related that was generated up. #DFIR #O365

ParsonsProject @ParsonsProject

about 5 years ago

Thanks for hosting my talk @BSidesVancouver ! In case you want a copy of the slides here they are! https://t.co/AeKm1fmCmU #DFIR #Office365 #o365 #oauth #azuread

ParsonsProject @ParsonsProject

about 5 years ago

If you want to hear my talk on Nation States and how they stealthily navigate through O365/Azure AD, don't forget to register for this virtual conference ! My talk is today at 2:45 PM in Track 2! Register here! https://t.co/2bsrwDfcMH #DFIR #bsidesvancouver #O365 #Office365

ParsonsProject @ParsonsProject

over 5 years ago

If you don't want me or my colleagues on an IR call with you, please follow these steps! I'm very happy to finally work with my colleagues to get this blog post published after nearly a year of work to document and consolidate to these steps! #DFIR #O365 https://t.co/bmTd1Q2eDK

ParsonsProject @ParsonsProject

over 5 years ago

It's Friday, so here's some more Sunburst related persistence mechanisms within O365/Azure; glad to have helped the team on this post; happy hunting! tl;Dr Check your legitimate Azure Enterprise Apps for MailRead permissions! https://t.co/ZE5prWZJPE #SolarWindsHack #DFIR #O365

ParsonsProject @ParsonsProject

over 6 years ago

And this link has more specific info on MailItemsAccessed https://t.co/d1o2CwXss4

ParsonsProject @ParsonsProject

over 6 years ago

Finally, documentation on MailItemsAccessed and emails accessed and/or synced...shame so few clients actually have E5 though 😞 #MailItemsAccessed #DFIR #BEC #Office365 https://t.co/Xg5InEnQdJ

ParsonsProject

@ParsonsProject

Who to follow

Last Seen Users on Sotwe

Trends for you

Most Popular Users