Hi Security community ! I would like to share with you my project https://t.co/yyQ4nJYroC ! This repository provide a json and CSV file for all #Windows#Security Event IDs with lot of useful informations (Categories, GPO, Recommandations, Baseline, tags, etc.).
๐ The countdown is on! Insomni'hack is approaching fast
โณ Less than a month and a half left to submit your talk, donโt miss your chance to contribute to this great event.
๐ Apply now: https://t.co/k3d55j2MnJ
#CyberSecurity#CFP#InfoSec
Microsoftโs Agent Governance Toolkit is worth checking out.
Donโt put your trust the prompt to enforce policy, put controls around the actions: tool calls, identity, approvals, and audit logs.
https://t.co/L4Izz4QQZu
๐๏ธ Don't forget, our Call for Talks is still open until August 23rd. This is your chance to share your cybersecurity expertise.
๐ The conference will take place on February 4th and 5th.
๐ Submit your proposal now: https://t.co/UWazilJ8gN
#CyberSecurity#CFP
Entra Connect v2.6.79.0 was just released and contains undisclosed security fixes and @Microsoft recommends to update fast. On the bright side, it will finally support FIDO2 based authentication!
Did you know SSPR for admins is always enabled even if you have SSPR set to None?
It also doesn't honor your authentication methods - all of these are enabled
And currently email and phone are consumed from directory attributes..
This is an unnecessary risk - disable it
Microsoft Entra ID just flipped a switch: passwordless is now the default sign-in experience for millions of users. Here's what changed and why IT leaders need to pay attention. ๐งต #MicrosoftEntra
Entra Hardening Tip #9 ๐
Donโt use client secrets for app authentication.
Use this decision tree when a developer or vendor asks for an app registration to be created in your tenant. ๐
1/14
Conditional Access policies wonโt stop token theftโand standard MFA won't fix it either.
When teams roll out Microsoft Authenticator push codes or SMS, some assume the cloud perimeter is safe. But sophisticated actors have moved completely past brute-forcing passwords. They use Adversary-in-the-Middle (AiTM) phishing frameworks like Evilginx.
The attack flow is clean: The proxy site mirrors your Entra ID login page. The user enters credentials and solves the genuine MFA challenge.
Once Entra ID validates the session, it issues an ESTSAUTH session cookie. The malicious proxy server snatches that cookie before passing it back to the victimโs browser.
The Result: The attacker drops that stolen cookie into their own machine. Because the session has already passed the MFA verification loop, they gain instant access to the mailbox or cloud apps. They bypass standard Conditional Access rules seamlessly.
, when an identical session jumps between network or device contexts
Advanced features like Continuous Access Evaluation (CAE), Token Protection session controls, or strict device compliance rules can mitigate this. But they are rarely part of an organizationโs "default" browser-based setups.
Because a stolen token completely bypasses the sign-in loop, you cannot hunt for it by looking for failed logins. You have to hunt for Session Anomaliesโspecifically when an identical session jumps network or device context mid-lifecycle.
From Sentinel or Entra ID Advanced Hunting, you can run the below KQL query to identify active token replays across interactive and non-interactive sign-ins:
When was the ๐น๐ฎ๐๐ ๐๐ถ๐บ๐ฒ ๐๐ผ๐ ๐ฐ๐ต๐ฒ๐ฐ๐ธ๐ฒ๐ฑ ๐๐ผ๐๐ฟ ๐๐ฐ๐๐ถ๐๐ฒ ๐๐ถ๐ฟ๐ฒ๐ฐ๐๐ผ๐ฟ๐ย for threats and misconfigurations?
โก๏ธ You should do it regularly - because most of the โdangerous stuffโ isnโt created by attackers. Itโs ๐ฐ๐ฟ๐ฒ๐ฎ๐๐ฒ๐ฑ ๐ผ๐๐ฒ๐ฟ ๐๐ถ๐บ๐ฒ ๐ฏ๐ ๐ฎ๐ฑ๐บ๐ถ๐ป๐, tools, legacy projects, and forgotten delegations.
โBut what if you donโt want to blindly trust a ๐ฏ๐ฟ๐ฑ-๐ฝ๐ฎ๐ฟ๐๐ ๐๐ผ๐ผ๐น?
๐ง๐ต๐ฎ๐โ๐ ๐๐ต๐ ๐ ๐ฏ๐๐ถ๐น๐ ๐๐๐ฃ๐ฟ๐ผ๐ฏ๐ฒ.
And yes - this still fits the โno 3rd party trustโ idea, becauseย ๐๐๐ฃ๐ฟ๐ผ๐ฏ๐ฒ ๐ถ๐ ๐ท๐๐๐ ๐ฎ ๐ฃ๐ผ๐๐ฒ๐ฟ๐ฆ๐ต๐ฒ๐น๐น ๐๐ฐ๐ฟ๐ถ๐ฝ๐. If you donโt want to run it as a tool, you can simplyย copy out the exact AD queriesย for each check and run them directly in your environment.
โ ๐๐๐ฟ๐ฟ๐ฒ๐ป๐ ๐๐๐ฎ๐๐ฒ:ย 51 security checksย for Active Directory
(If you run it fully, you also get a clear HTML report with explanations.)
๐ ๐ก๐ฒ๐ ๐ฝ๐ฟ๐ฎ๐ฐ๐๐ถ๐ฐ๐ฎ๐น ๐๐๐ฒ-๐ฐ๐ฎ๐๐ฒ:ย turn it intoย continuous monitoring
Pick the checks you care about, run them daily (e.g., 9:00 AM), compare results with yesterday, and alert on changes. ๐ฆ๐ถ๐บ๐ฝ๐น๐ฒ - ๐ฎ๐ป๐ฑ ๐๐๐ฟ๐ฝ๐ฟ๐ถ๐๐ถ๐ป๐ด๐น๐ ๐ฒ๐ณ๐ณ๐ฒ๐ฐ๐๐ถ๐๐ฒ.
It wonโt replace enterprise detection platforms, but itโsย free, fast, and easy to start.
If you want the ๐๐๐ฒ๐ฝ-๐ฏ๐-๐๐๐ฒ๐ฝ way to build this โdaily AD detectionโ approach, I created a short course for it. Itโs currently ๐ฐ๐น๐ผ๐๐ฒ๐ฑ ๐๐ผ ๐๐ต๐ฒ ๐ฝ๐๐ฏ๐น๐ถ๐ฐ - but if youโre interested, ๐ฐ๐ผ๐บ๐บ๐ฒ๐ป๐ ๐ผ๐ฟ ๐๐ me and Iโll send details.
#ActiveDirectory #WindowsSecurity #ADSecurity #BlueTeam #CyberSecurity #HorizonSecured #PowerShell
Your new Azure VM can't reach the internet.
That's not a bug โ it's the new default.
After March 31, 2026, every new VNet ships private by default.
No NAT Gateway = no apt update, no Windows Update. Nothing. ๐
Why Microsoft killed default outbound:
โ IP owned by Microsoft โ could change anytime
โ No ICMP, no fragmented packets
โ Inconsistent across NICs & VMSS
โ Zero Trust violation by design
Your 4 fixes (in order):
โ NAT Gateway โ do this
Standard LB + outbound rules
Instance-level public IP
Firewall/NVA + UDR
Why NAT Gateway wins:
โ 64,000 SNAT ports per IP (vs ~64)
โ Scales to 1M+ ports
โ You own the egress IP
โ Attach once per subnet. Done.
The migration (don't skip step 4):
Find affected NICs โ Advisor โ Operational Excellence
Attach NAT Gateway to the subnet
Set defaultOutboundAccess = false
Stop + deallocate the VMs โ everyone forgets
Start. Verify egress IP.
Gotchas:
โ ๏ธ Old Terraform AzureRM โ still permissive
โ ๏ธ LB backend pool by IP โ leaks default outbound
โ ๏ธ Windows Activation/Update โ silently fails
The lesson:
Implicit defaults feel free. They're never free.
You pay at 3 AM when an IP rotates or SNAT ports dry up.
Explicit > implicit. Always.
โ ๏ธ Azure AD Conditional Access Bypassed Via Phantom Device Registration and PRT Abuse
Source: https://t.co/ewHl9UnrRn
Cloud identity security relies heavily on Microsoft Entra ID (formerly Azure AD) Conditional Access. It acts as the primary digital gatekeeper, checking user locations, calculating risk scores, and verifying device health before granting access.
Starting with a single set of valid credentials, often purchased for just a few hundred dollars on cybercriminal markets, researchers successfully compromised a production tenant containing over 16,000 users.
This attack required no interaction with corporate endpoints. It deployed no malware, highlighting severe gaps in default device registration and compliance validation.
#cybersecuritynews #Azure
๐ย Secure Bits ๐ก
๐๐ฟ๐ฒ๐ฎ๐ธ-๐ด๐น๐ฎ๐๐ ๐ฎ๐ฐ๐ฐ๐ผ๐๐ป๐๐: ๐ณ๐๐น๐น ๐ด๐๐ถ๐ฑ๐ฒ (๐ฃ๐๐)
In my last post I talked about the โworst dayโ scenario:ย CA misconfig โ admins locked out. Most orgs think theyโre coveredโฆ until they test it.
As promised, ๐ต๐ฒ๐ฟ๐ฒโ๐ ๐๐ต๐ฒ ๐ณ๐๐น๐น ๐ฃ๐๐ ๐ด๐๐ถ๐ฑ๐ฒย that walks you through aย practical break-glass setup:
โช๏ธ Naming
โช๏ธ Permissions
โช๏ธ Role-Assignable Security Group
โช๏ธ Custom Break-glass Administrator role (Optional)
โช๏ธ Restricted Management Administrative Unit (RMAU)
โช๏ธ Authentication Methods
โช๏ธ Conditional Access Configuration
โช๏ธ Monitoring & Alerting
โช๏ธ Operational Procedures
๐ย Download the PDF here:
https://t.co/Q4h9BikrDV
๐๐ถ๐ต๐ฉ๐ฐ๐ณ:ย Martin Strnad
๐ฌ When was the last time you tested your break-glass access?
#EntraID #IdentitySecurity #ConditionalAccess #SecureBits #HorizonSecured
Stop Enabling Every AWS Security Service
By: Sena Yakut
Turning everything on by default creates thousands of untriaged alerts and dashboards nobody looks at. Sena argues you should threat-model your actual architecture, find the real breaking points, and pick controls that map to those risks.
๐งญ Start with threat modeling: map assets, attack paths, and where detection actually matters.
๐ธ Cost and overlap matter: many AWS services duplicate thirdโparty tools and generate redundant telemetry.
๐ Prefer IAM Identity Center + shortโlived credentials over piling on more continuous monitoring โ it reduces signal noise and blast radius.
โ๏ธ Practical tips on rule tuning, prioritizing highโfidelity alerts, and aligning monitoring to businessโcritical components.
This was first mentioned in AWS Security Digest Issue #251: https://t.co/1rrdVmwRuZ
Read the full piece here: https://t.co/z72QIDbfye
๐ Secure Bits ๐ก
๐ฌ๐ผ๐๐ฟ ๐๐ฒ๐ป๐ฎ๐ป๐ ๐ต๐ฎ๐ ๐๐ ๐บ๐ถ๐๐ฐ๐ผ๐ป๐ณ๐ถ๐ด๐๐ฟ๐ฎ๐๐ถ๐ผ๐ป. ๐๐๐ฒ๐ฟ๐ ๐ฎ๐ฑ๐บ๐ถ๐ป ๐ถ๐ ๐น๐ผ๐ฐ๐ธ๐ฒ๐ฑ ๐ผ๐๐. ๐๐ผ ๐๐ผ๐ ๐ต๐ฎ๐๐ฒ ๐ฎ ๐๐ฎ๐ ๐ฏ๐ฎ๐ฐ๐ธ ๐ถ๐ป?
Most organizations donโt โ or think they do, until they discover their break-glass accounts are untested, unmonitored, or built on outdated guidance. You donโt want to find that out the hard way, and you definitely donโt want to go through Microsoftโs Tenant Recovery process.
๐ค ๐ช๐ต๐ ๐ฐ๐ฎ๐ฟ๐ฒ?
A lockout from a bad CA policy, a compromised admin, or a personnel emergency means opening a support ticket with Microsoft and waiting. In urgent situations, you donโt have 14 days for that process.
๐ง ๐ช๐ต๐ฎ๐ ๐๐ฒ ๐๐ฒ๐ฒ ๐ถ๐ป ๐๐ต๐ฒ ๐ณ๐ถ๐ฒ๐น๐ฑ
โข๐๐ฟ๐ฒ๐ฎ๐ธ-๐ด๐น๐ฎ๐๐ ๐ฎ๐ฐ๐ฐ๐ผ๐๐ป๐๐ ๐ฎ๐ฟ๐ฒ ๐บ๐ถ๐๐๐ถ๐ป๐ด โ Two geographically separated accounts is the baseline.
โข๐๐ฒ๐ป๐ฒ๐ฟ๐ถ๐ฐ ๐ป๐ฎ๐บ๐ฒ๐ โ admin@โฆ, info@โฆ are not break-glass accounts.
โข๐๐๐น๐น ๐๐ ๐ฒ๐ ๐ฐ๐น๐๐๐ถ๐ผ๐ป ๐ถ๐ ๐ฑ๐ฒ๐ฎ๐ฑ โ MFA is now enforced by Microsoft regardless.
โข๐ช๐ฒ๐ฎ๐ธ ๐ฎ๐๐๐ต ๐บ๐ฒ๐๐ต๐ผ๐ฑ๐ โ Phone or certificate-based auth will fail exactly when you need it.
โข๐จ๐ป๐ฝ๐ฟ๐ผ๐๐ฒ๐ฐ๐๐ฒ๐ฑ ๐ฎ๐ฐ๐ฐ๐ผ๐๐ป๐๐ โ Any admin can edit or delete them.
โข๐ก๐ผ ๐บ๐ผ๐ป๐ถ๐๐ผ๐ฟ๐ถ๐ป๐ด โ If someone touches these accounts, you should know immediately.
๐ ๏ธ ๐๐ฟ๐ฒ๐ฎ๐๐ฒ ๐๐๐ผ ๐ฎ๐ฐ๐ฐ๐ผ๐๐ป๐๐
Use descriptive names on onmicrosoft[.]com with a random string โ e.g. [email protected]. Assign ๐๐น๐ผ๐ฏ๐ฎ๐น ๐๐ฑ๐บ๐ถ๐ป๐ถ๐๐๐ฟ๐ฎ๐๐ผ๐ฟ as a direct, permanent, active role. No eligibility.
๐ ๏ธ ๐๐ผ๐ฐ๐ธ ๐๐ต๐ฒ๐บ ๐ฑ๐ผ๐๐ป
Place both accounts and their group inside an ๐ฅ๐ ๐๐จ (requires Entra P1). Manage access via a custom PIM role โ max 1-hour activation, approval required, auth context enforced (requires Entra P2).
๐ ๏ธ ๐๐ผ๐ป๐ณ๐ถ๐ด๐๐ฟ๐ฒ ๐ฎ๐๐๐ต๐ฒ๐ป๐๐ถ๐ฐ๐ฎ๐๐ถ๐ผ๐ป
Scope a passkey profile to the break-glass group with specific AAGUIDs for your hardware keys (YubiKey, Token2). Enforce via a custom authentication strength in a dedicated CA policy. Exclude the group from all other CA policies โ run a What If to verify only your two break-glass policies apply.
๐ ๏ธ ๐ฆ๐ฒ๐ ๐๐ฝ ๐ฎ๐น๐ฒ๐ฟ๐๐ถ๐ป๐ด
Stream AuditLogs and SignInLogs to a Log Analytics Workspace (requires Azure subscription). KQL alert rule on the break-glass Object IDs โ any event fires immediately.
๐ก๏ธ ๐ฆ๐๐ผ๐ฟ๐ฒ, ๐๐ฒ๐๐, ๐ฑ๐ผ๐ฐ๐๐บ๐ฒ๐ป๐
Each passkey + PIN in a separate physical location. Define who can trigger the procedure and under what circumstances. Test end-to-end at minimum every 180 days โ Microsoft recommends 90. Pick your cadence, but validate.
๐ฌ When was the last time you tested these accounts?
๐๐ถ๐๐ฉ๐ฐ๐ณ: Martin Strnad
PS: We will soon ๐ฝ๐๐ฏ๐น๐ถ๐๐ต ๐ณ๐๐น๐น ๐ด๐๐ถ๐ฑ๐ฒ on this topic!
#EntraID #IdentitySecurity #ConditionalAccess #SecureBits #HorizonSecured
Entra Hardening Tip #2: Require MFA for device join & device registration using 'User Action'
If you donโt enforce a Conditional Access policy for โRegister or join devicesโ, youโre leaving a gap.
Attackers can take advantage of this and register new devices without MFA.
Once theyโre in, they can:
๐ฉ Stay persistent
๐ฉ Bypass controls that rely on trusted devices
From there, it opens the door to:
๐ฉ Data exfiltration
๐ฉDropping malicious apps
๐ฉ Moving laterally across your environment
๐ฉRecon of your device configuration and compliance policies
The fix:
Create a CA policy
โ Include: All users
โ Target: User Action = Register or join devices
โ Grant access: Require authentication strength - MFA
Security recommendation: Enable Tenant Isolation in Power Platform!
Starting March 30, 2026, Microsoft enabled tenant isolation by default for new tenants.
This is great news for new tenants. But not really for existing tenants.
For existing tenants, this setting will not be enabled automatically, and you must turn it on manually.
Microsoft strongly recommends enabling tenant isolation for existing tenants to improve your Microsoft tenant security posture.
Learn more: https://t.co/kVyRebnkIw
#Microsoft365 #PowerPlatform #Cybersecurity
Building custom graphs in Microsoft Sentinel will be a game changer for many security operations. While KQL supported graph for a long time, this finally solves the gap in integration.
https://t.co/IsJt123tyQ