Cyber back to school: Microsoft Token Theft Unveiled

Cyber back to school: Microsoft Token Theft Unveiled

I am thrilled to participate in the Cyber Back to School initiative hosted during cyber awareness month! This session is all about Primary Refresh Token VS Access Token stealing in Microsoft Entra ID, and will show the practical countermeasures for each of them. I preferred to write a blog post for this instead of a PowerPoint deck since there are a lot of technical details and references I want to cover.
17 min read
Entra ID Cyber back to school Tokens AiTM
Using WDAC to ingest missing MDE events and detect token stealing

Using WDAC to ingest missing MDE events and detect token stealing

In a previous blog post I talked about how adversaries can exploit SSO capabilities of Hybrid or fully Entra ID joined devices. I mentioned the different ways we can steal tokens from the devices, either by using BrowserCore.exe or MicrosoftAccountTokenProvider.dll.
7 min read
Entra ID WDAC Tokens PRT Stealing
From hybrid / fully joined devices to Entra ID

From hybrid / fully joined devices to Entra ID

Adversaries are more and more interested in the data and infrastructure that lives in Cloud environments like Azure and Microsoft 365 solutions. Since Microsoft EntraID is the most common central IDP solution for these environments, it is important to identify the possible paths attackers can use to move from a device to possible crown jewels that live in these Cloud solutions. In this blog post, I wanted to talk about how adversaries can use Entra ID Joined or Hybrid Joined devices to move laterally to the cloud, using EntraID SSO features, and how they can get a foothold on these devices. This blog post is based on a Red-Teaming scenario I encountered in a real-life, and is written from a Blue-Teaming perspective.
22 min read
Entra ID Purple Team Tokens PRT Stealing