Censored

A year ago I spoke at DEF CON 31 about massive user enumeration in Azure. At the time, I had enumerated 24 million users via OneDrive. Fast forward, and I've now enumerated over 44 million users. The issues I spoke to in that talk haven't gone away. I know there have been flashier findings in the time since, but user enumeration is a foundational flaw that enables password sprays and phishing attacks against users (the hardest component to "patch"). You can find my slide deck here: https://t.co/0miNCaUgJX And the YouTube from DC31 here: https://t.co/LJSuIBzPtB

Analyzing security data by joining recent malicious SHA256 hashes from external data with specific tables. Filtering and extracting key fields to detect potential threats. let SHA256_Abuse = (externaldata(sha256_hash: string) [@"https://externaldta.txt/"] with (format="txt")) | where sha256_hash !startswith "#" | project sha256_hash; SHA256_Abuse | join (union DeviceEvents, DeviceFileEvents, EmailAttachmentInfo | where TimeGenerated > ago(15d) ) on $left.sha256_hash == $right.SHA256 #ThreatDetection #kql

Detects suspicious child processes of a ClickOnce deployment application SecurityEvent | where EventID == 4688 | where (ParentProcessName contains @'\AppData\Local\Apps\2.0\' and (NewProcessName endswith @'\calc.exe' or NewProcessName endswith @'\cmd.exe' or NewProcessName endswith @'\cscript.exe' or NewProcessName endswith @'\explorer.exe' or NewProcessName endswith @'\mshta.exe' or NewProcessName endswith @'\net.exe' or NewProcessName endswith @'\net1.exe' or NewProcessName endswith @'\nltest.exe' or NewProcessName endswith @'\notepad.exe' or NewProcessName endswith @'\powershell.exe' or NewProcessName endswith @'\pwsh.exe' or NewProcessName endswith @'\reg.exe' or NewProcessName endswith @'\regsvr32.exe' or NewProcessName endswith @'\rundll32.exe' or NewProcessName endswith @'\schtasks.exe' or NewProcessName endswith @'\werfault.exe' or NewProcessName endswith @'\wscript.exe')) https://t.co/xxwkbwUcHi #kql #hunting