🚨🚨 New technique to steal AD FS secrets over the network. Defenders need to block internal traffic to AD FS servers over port 80 now!
Read more: https://t.co/R56ZRWDv0b
shoutout to @DrAzureAD who had the same though to look into AD FS replication and all his great work! 1/3
What is old is new again. Very cool work from @TrustedSec team! Highlights the importance of understanding what a vendor means when they use the word “patch”
Today, TrustedSec is releasing #Specula (our previously internal framework) into the world, which will transform the Outlook email client into a beaconing C2 agent. @oddvarmoe and @freefirex2 walk through how to use Specula in our latest blog! https://t.co/ZcXeCwsGAT
@NathanMcNulty Also to make sure these events can actually be retrieved from the purview portal, api, or PoSH you need to toggle auditing off and then back on for all mailboxes!
Great news for DFIR 🕵️ Except! These logs won’t be searchable from the Unified Audit Log for E3 licensees unless you manually toggle auditing for every mailbox in your tenant… 💀🤦🏽♂️ @Microsoft365 likes to make things difficult
https://t.co/jg25RohNDN
#DFIR
For those who were waiting for the additional logging and events to be available in the standard audit logging in Microsoft 365, like MailItemsAccessed, they should be available now in public preview for you - https://t.co/on9EDCw9TC
Audit log query graph API for @Microsoft365 rolling out in May. Has anyone found the actual documentation for the new API? Asking for a friend 💀#m365#DFIR
@DrAzureAD I thought it was mostly gone and now am being punished for that thought with an IR where attacker stole the ADFS signing key and is doing golden SAML 😀
@_dirkjan This is a huge step back for the security community. I know many who use the developer tenant to stay up to date on security features and hone their skills investigating and securing m365
🚨 NetScaler vulnerability CVE-2023-4966 is being actively exploited. It can lead to VDI session hijacking, including MFA bypass. There are no logs on the appliance to monitor for exploitation. Upgrade now and investigate your environment!
https://t.co/L51aQwO6Qk
#DFIR
Today we launched a 🔎 scanning tool for orgs to search their Citrix netscalers for evidence of CVE-2023-3519 post-exploration. You can run this direct on the ADC or against a forensic image. With public POCs out there expect more exploitation!
https://t.co/Wiianjv8AX
#DFIR
😡 Is it me or is the @msftsecurity Defender for Cloud Apps API completely broken? Documentation is wrong, api behaves erratically.. ignores filters doesn’t page, etc
#dfir#Microsoft365#cloudsecurity