Cyber back to school: Microsoft Token Theft Unveiled

I am thrilled to participate in the Cyber Back to School initiative hosted during cyber awareness month! This session is all about Primary Refresh Token vs. Access Token stealing in Microsoft Entra ID, and will show the practical countermeasures for each of them. I preferred to write a blog post for this instead of a PowerPoint deck since there are a lot of technical details and references I want to cover.
17 min read
Entra ID Cyber back to school Tokens AiTM
T1556.009 - Detect and prevent suspicious conditional access policy modifications

In April 2024, MITRE came out with their new V15 version of ATT&CK. In this version a new sub-technique was introduced called 'T1556.009 - Modify Authentication Process: Conditional Access Policies'. This was, in my opinion, a great addition to the framework, since it is an important technique which can be abused by adversaries. By changing a Conditional Access policy (later referred to as 'CA policy'), an adversary can establish Credential Access, Defense Evasion, and Persistence in Entra ID. Since it is such a vital component, I thought it was time to do a bit of a deep dive into how we can detect and mitigate suspicious CA policy changes.
21 min read
Entra ID Conditional Access MITRE ATT&CK Defender XDR
Using WDAC to ingest missing MDE events and detect token stealing

In a previous blog post I talked about how adversaries can exploit SSO capabilities of Hybrid or fully Entra ID joined devices. I mentioned the different ways we can steal tokens from the devices, either by using BrowserCore.exe or MicrosoftAccountTokenProvider.dll.
7 min read
Entra ID WDAC Tokens PRT Stealing
From hybrid / fully joined devices to Entra ID

Adversaries are more and more interested in the data and infrastructure that lives in Cloud environments like Azure and Microsoft 365 solutions. Since Microsoft Entra ID is the most common central IDP solution for these environments, it is important to identify the possible paths attackers can use to move from a device to possible crown jewels that live in these Cloud solutions. In this blog post, I wanted to talk about how adversaries can use Entra ID Joined or Hybrid Joined devices to move laterally to the cloud, using Entra ID SSO features, and how they can get a foothold on these devices. This blog post is based on a Red-Teaming scenario I encountered in real life, and is written from a Blue-Teaming perspective.
22 min read
Entra ID Purple Team Tokens PRT Stealing