Doug Bienstock (@doughsec)'s Twitter Profile
Doug Bienstock

@doughsec

IR Leader @Mandiant. Hacking things and responding to things being hacked. Opinions my own

ID: 966781971425910784

Joined 22-02-2018 21:09:18

488 Tweets

2.5K Followers

115 Following

Doug Bienstock (@doughsec)

Audit log query graph API for Microsoft 365 rolling out in May. Has anyone found the actual documentation for the new API? Asking for a friend 💀

PIVOTcon (@pivot_con)

'Microsoft Signed my Malware'

Doug Bienstock (@JWilsonSecurity), Mandiant
Jared Wilson (@doughsec), Mandiant
Barry Vengerik (@BarryV), Mandiant 14/15

Doug Bienstock (@doughsec)

🚨 NetScaler vulnerability CVE-2023-4966 is being actively exploited. It can lead to VDI session hijacking, including MFA bypass. There are no logs on the appliance to monitor for exploitation. Upgrade now and investigate your environment!

mandiant.com/resources/blog…

Doug Bienstock (@doughsec)

Today we launched a 🔎 scanning tool for orgs to search their Citrix NetScalers for evidence of CVE-2023-3519 post-exploitation. You can run this direct on the ADC or against a forensic image. With public POCs out there expect more exploitation!

mandiant.com/resources/blog…

Doug Bienstock (@doughsec)

The alternate title was 'What's attestation signing? It's about certs, it's about trust babe'
A Microsoft-signed malicious driver we discovered during an IR turned up quite a bit more badness after some hunting by our threat intel team:
mandiant.com/resources/blog…

Doug Bienstock (@doughsec)

Testing out Microsoft Entra ID (Azure AD) Authentication Strength Conditional Access... what am I doing wrong here? All conditions satisfied but policy result fails, love it #Microsoft365

Doug Bienstock (@doughsec)

🙀 ADFS Malware hot off the presses attributed to /
Instead of Golden SAML why not embed code to look for a magic value during claims processing that allows you to obtain a Security Token for any user and add in an MFA claim to boot?

Roberto Rodriguez 🇵🇪 (@Cyb3rWard0g)

@DrAzureAD @ManuelBerrueta The 'bypassMFA' param sets a federated token claim saying MFA already happened.

ICYDK, there's a setting to ensure that AAD MFA is always performed & rejects MFA if performed by identity provider

federatedIdpMfaBehavior -> rejectMfaByFederatedIdp

docs: docs.microsoft.com/en-us/windows-…

Doug Bienstock (@doughsec)

🎉 This is a huge feature all orgs should be using. All of my recent M365 IRs (BEC, UNC and APT) have started with the TA registering the first MFA for a dormant 😴 account.

Merill Fernando (@merill)

Platform single sign on is coming to macOS!

What does this mean? Users can now sign into a mac with their AD/Azure AD credentials just like Windows users.

Users will then get single sign on to ALL THE APPS with a PRT token just like on Windows.

See techcommunity.microsoft.com/t5/microsoft-e…
