Kris McConkey

There’s no need to suffer through the rough patch of indeterministic Claude Code behaviors. Here’s my config to get you started w proper planning, implementation, and review, phased development, decision point documentation, git worktrees, and consensus deep research implemented w deterministic hooks. It’s a WIP. Hope it helps! https://t.co/qMKnYETonN

Having responded to probably hundreds of incidents at this point, from ransomware to APT's, in my experience, the lack of knowledge on how to adequately secure Entra applications and service principals continues to be the biggest knowledge gap most defending teams have. You should be able to securely configure apps, detect compromise of apps and understand how to investigate compromise of apps. It seems overwhelming at first, but it isn't. Get started like this Secure them: •Use managed identities where possible - negates the need for credential handling •Limit privilege - reduce both the permissions granted and add additional API specific restrictions (i.e don't grant read/write all to all SharePoint sites, just the ones an application needs to access). This includes pushing back on vendors or internal teams that request privilege not required •High privileged applications should have no direct owners - lower privileged users can be granted direct ownership of an app, don't do this, govern the ability to manage applications via Entra ID roles •Configure credential restrictions such as requiring shorter lived secrets or enforcing use of certificates •Remove unused apps and service principals, this can prevent existing high privileged apps being leveraged and reduces your supply chain compromise footprint for multitenant apps •Monitor risk events for service principals like you would users Detect compromise of them: •Alert on application creation or application credential creation - may be noisy in large environments, but a good starting point •Alert on credentials being added to service principals - credentials generally live on the application object, service principal credential creation should be rare •Alert on permission consent - this can detect not only malicious activity but permission creep •Alert on anomalous resource access - does your app usually access only Azure Storage, and suddenly it accesses Microsoft Graph? - this may indicate a compromised credential •Alert on anomalous ASN or location access - does your app usually access only from a specific ASN or country, and suddenly that changes? - this may indicate a compromised credential Many of these are covered by Defender for Cloud Apps and other tools out of the box, but it is worth ensuring you are covered down and what they actually mean. Investigate compromise of them: Know how to query the following logs and understand the events surfaced •Entra ID sign in data - filter on service principal sign in events via the Entra portal or Kusto in the Defender XDR portal •Entra ID audit logs - filter on events related to the service principal via the Entra portal or Kusto in the Defender XDR portal. Service principals can be used to further establish persistence, such as creation of users or additional service principals, rinse and repeat for any malicious additions to your environment •Microsoft Graph - was the compromised app used to access data via Microsoft Graph? You can query via the Defender XDR portal using Kusto to find these events •Defender for Cloud Apps - did the compromised app access other M365 services? You can query via the Defender XDR portal using Kusto to find these events •Unified Audit Log - you can retrieve the events related to the compromised app via the audit functionality inside the Defender XDR portal

Open Klara released - your own private cloud Yara scanner! Together with our community member Gajesh, I would like to announce the fork of the KLara project into Open Klara! We aim to maintain, support and fix future bugs. Open KLara is a community-driven fork of the original KLara project by Kaspersky Lab, aimed at helping Threat Intelligence researchers hunt for new malware using Yara. Think of it as your own private Yara scanner where you can setup malware / clean collections on multiple distributed servers and fire up Yara rules, everything centralized with a nice web interface / UI. For more info, check https://t.co/AszkevTtvz Happy hunting!

I live in the real world and so I’m not really surprised to see this, but I am definitely shocked. As an incident response person, how do you spend all day supporting and watching your customer’s teams cope with the stress and grief of going through a ransomware incident and then turn around and inflict that on others. 🤦‍♀️😱🤮