#knowledgedrop

13reak :fedora:<p>Apparently, Microsoft broke the API a bit when retiring some of its parts</p><p><a href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/action-required-msonline-and-azuread-powershell-retirement---2025-info-and-resou/4364991" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">techcommunity.microsoft.com/bl</span><span class="invisible">og/microsoft-entra-blog/action-required-msonline-and-azuread-powershell-retirement---2025-info-and-resou/4364991</span></a></p><p>The Microsoft Extractor Suite broke.</p><p>➡️ Workaround:</p><p>You can get up to 50.000 events via the Azure Web Portal. So filter for a username or a small timeframe.</p><p>⚠️ Note: you cannot download everything via the Web Portal, after 50.000 events, it'll just stop.</p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/Azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Azure</span></a> <a href="https://infosec.exchange/tags/Cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cloud</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a></p>
13reak :fedora:<p>Interesting defense against attacks: </p><p>Move your SSH <code>authorized_keys</code> to a different location and set the rights to <code>0444</code>. Then an attacker needs root rights to place an SSH backdoor.</p><p><a href="https://isc.sans.edu/diary/31986" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="">isc.sans.edu/diary/31986</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/hardening" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>hardening</span></a></p>
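An added example (not code from the post above or from the SANS diary it links to) that audits the layout the post recommends: the key file root-owned, mode 0444, in a directory the login user cannot write, so that adding a key requires root. The matching sshd_config directive is the standard `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` (where `%u` expands to the user name); the sample file, the temp directory and the `user_uid` values below are constructed for the demo.

```python
"""Check a relocated SSH authorized_keys file against the policy: root-owned,
mode 0444, parent directory not writable by the login user.

Added example; paths and sample files are constructed. sshd reads the file
with privileges dropped to the login user, so the file must stay readable.
"""
import os
import stat
import tempfile


def assess_key_file(file_uid: int, file_mode: int,
                    dir_uid: int, dir_mode: int, user_uid: int) -> list:
    """Return a list of findings; an empty list means the file matches the
    policy (placing or changing a key requires root)."""
    findings = []
    perm = stat.S_IMODE(file_mode)
    dperm = stat.S_IMODE(dir_mode)
    if file_uid != 0:
        findings.append("key file is not root-owned (the owner can chmod and edit it)")
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("key file is group- or world-writable")
    if perm != 0o444:
        findings.append(f"key file mode is {perm:04o}, expected 0444")
    if not perm & stat.S_IROTH:
        findings.append("key file is not world-readable; sshd reads it as the login user")
    if dir_uid != 0:
        findings.append("parent directory is not root-owned (the file could be replaced)")
    if dperm & (stat.S_IWGRP | stat.S_IWOTH) and not dperm & stat.S_ISVTX:
        findings.append("parent directory is writable by others without the sticky bit")
    if file_uid == user_uid or dir_uid == user_uid:
        findings.append("login user owns the file or its directory, so no root is needed to add keys")
    return findings


def audit_path(path: str, user_uid: int) -> list:
    """Stat a real key file and its parent directory and apply the policy."""
    st = os.stat(path)
    dst = os.stat(os.path.dirname(os.path.abspath(path)))
    return assess_key_file(st.st_uid, st.st_mode, dst.st_uid, dst.st_mode, user_uid)


if __name__ == "__main__":
    # Constructed demo: a 0444 key file owned by whoever runs this script.
    # On a real host point audit_path at /etc/ssh/authorized_keys/<user>.
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "alice")
        with open(p, "w") as fh:
            fh.write("ssh-ed25519 AAAA-constructed-placeholder alice@example\n")
        os.chmod(p, 0o444)
        for finding in audit_path(p, os.getuid()) or ["ok: matches policy"]:
            print(finding)
```

The directory checks matter as much as the file mode: a 0444 file inside a user-writable directory can simply be renamed away and replaced, so the whole path up to the key file has to be root-owned.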
13reak :fedora:<p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/Knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Knowledgedrop</span></a></p><p>Attackers are still actively exploiting firewall "../" vulnerabilities. Be aware and patch your firewalls!</p>
13reak :fedora:<p>Most organizations do not have multi-factor authentication (MFA) enabled for their Azure service principals.</p><p>Why? </p><p>You need a special license <strong>for every single application</strong> you want to enable MFA for.</p><p><a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/pentesting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pentesting</span></a></p>
13reak :fedora:<p>Watch out with your <u>Azure Automation Account</u> / <u>Runbooks</u>.</p><ul><li>they often include hard-coded credentials</li><li>their output is not protected. So attackers can see your results</li><li>they can use <u>Shared Resources</u> (i.e. credentials or certificates)</li><li><u>Hybrid Worker</u> and <u>Azure Arc</u> allow access to your on-premises infrastructure </li></ul><p>Dangerous stuff if not managed correctly!</p><p><a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/pentesting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>pentesting</span></a> <a href="https://infosec.exchange/tags/privilegeescalation" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>privilegeescalation</span></a></p>
13reak :fedora:<p>How to reconstruct OneDrive?</p><p>OneDriveExplorer (by <span class="h-card" translate="no"><a href="https://infosec.exchange/@Beercow" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@<span>Beercow</span></a></span>) can reconstruct OneDrive from <code>&lt;UserCid&gt;.dat</code> or SQLite databases etc.</p><p>Check it out:<br><a href="https://github.com/Beercow/OneDriveExplorer" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/Beercow/OneDriveExp</span><span class="invisible">lorer</span></a></p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/artifact" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>artifact</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/onedrive" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>onedrive</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a></p>
13reak :fedora:<p>Today a pentester asked me if attackers really use brute force.</p><p>Yes, they do, especially in cloud environments. That's why multi-factor authentication (MFA) is so important there.</p><p><a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/purpleteam" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>purpleteam</span></a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a></p>
13reak :fedora:<p>I hear very often that the cloud is secure because Multi Factor Authentication (MFA) is enabled, so all accounts are secure. </p><p>What about the service accounts and the (break glass) global administrator account?</p><p>Or in Azure: do you have a conditional access policy that excludes accounts from MFA?</p><p>What about MFA phishing with evilginx?</p><p>=&gt; Apply a defense-in-depth strategy also in cloud environments.</p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://infosec.exchange/tags/mfa" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>mfa</span></a> <a href="https://infosec.exchange/tags/multifactorauthentication" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>multifactorauthentication</span></a></p>
13reak :fedora:<p>How to filter zeek logs:</p><p><code>cat conn.log | zeek-cut &lt;columns&gt; | column -t | less -S</code></p><p>(column and less display the columns aligned and readable)</p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/NIDS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NIDS</span></a> <a href="https://infosec.exchange/tags/zeek" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>zeek</span></a></p>
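An added example (not code from the post above or from the Zeek project) that does offline what the `zeek-cut <columns> | column -t` pipeline does: it parses Zeek's TSV log format using the `#fields`, `#unset_field` and `#empty_field` headers, selects columns, and pads them for reading. The `conn.log` contents below are constructed sample data; the column names follow Zeek's conn.log schema.

```python
"""Stand-in for `cat conn.log | zeek-cut <columns> | column -t`.

Added example; SAMPLE_CONN_LOG is constructed. Zeek logs are tab-separated
with '#'-prefixed header lines; the #fields line names the columns and '-'
marks unset fields.
"""

SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2024-01-01-00-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring",
    "1704067200.000000\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t52110\t198.51.100.5\t443\ttcp\tssl\tSF",
    "1704067201.000000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.11\t52111\t198.51.100.7\t22\ttcp\t-\tS0",
    "1704067202.000000\tCtPZjS20MLrsMUOJi2\t192.0.2.10\t52112\t198.51.100.9\t8080\ttcp\thttp\tREJ",
    "#close\t2024-01-01-00-01-00",
])


def parse_zeek_log(lines):
    """Yield one dict per data row, named by the #fields header.
    Unset fields ('-') become None, explicit empties become ''."""
    sep, unset, empty, fields = "\t", "-", "(empty)", None
    for line in lines:
        if line.startswith("#separator "):
            # The separator line is the only header delimited by a space,
            # and its value is escaped (\x09 for a tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue
        if not line:
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        row = {}
        for name, value in zip(fields, line.split(sep)):
            row[name] = None if value == unset else ("" if value == empty else value)
        yield row


def zeek_cut(lines, columns):
    """Select columns like zeek-cut does; None is rendered back as '-'."""
    return [["-" if row[c] is None else row[c] for c in columns]
            for row in parse_zeek_log(lines)]


def format_aligned(rows, header):
    """Pad each column to its widest value, like `column -t`."""
    table = [header] + rows
    widths = [max(len(r[i]) for r in table) for i in range(len(header))]
    return "\n".join("  ".join(v.ljust(w) for v, w in zip(r, widths)) for r in table)


if __name__ == "__main__":
    cols = ["ts", "id.orig_h", "id.resp_h", "id.resp_p", "service", "conn_state"]
    print(format_aligned(zeek_cut(SAMPLE_CONN_LOG.splitlines(), cols), cols))
    # The filter step the post leaves to grep: only half-open (S0) connections.
    s0 = [r for r in parse_zeek_log(SAMPLE_CONN_LOG.splitlines()) if r["conn_state"] == "S0"]
    print(f"{len(s0)} connection(s) in state S0")
```

Parsing the `#fields` header instead of hard-coding column positions is the point: Zeek log layouts differ between versions and sites, and `zeek-cut` works by name for the same reason.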
13reak :fedora:<p>I encountered some third-party firewall logs recently. Timestamps were in Linux format and requests in hexdump. We knew the IP range of the attackers and that they uploaded a webshell.</p><p><code>grep</code> is an awesome tool for that. Looking for successful (code 200) uploads (POST requests) from IP:</p><p><code>grep -e "666.666.666.... POST 200" firewall.log &gt; attack.txt</code></p><p>To find the script I searched for the longest request since most legitimate requests were rather short. Word count can give us that with <code>-L</code>:</p><p><code>cat attack.txt | wc -L</code><br>1337</p><p>And let's extract that longest line with grep (extended regex, so that <code>{1337}</code> is a repetition count):</p><p><code>grep -E "^.{1337}$" attack.txt</code></p><p>Hex requests could then be parsed easily with CyberChef's <code>From Hex</code>.</p><p>Hope that helps someone! Adjust to your needs. :blobsmile: </p><p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/firewall" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>firewall</span></a> <a href="https://infosec.exchange/tags/bash" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bash</span></a></p>
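The same walk-through as a reusable script, added here as an example (not the post's own code): filter for successful POSTs from the attacker range, pick the longest line the way `wc -L` plus `grep -E "^.{N}$"` does, decode the hex-dumped request and convert the epoch timestamps. The log layout `<epoch> <src_ip> <method> <status> <hex_request>` and every line in `SAMPLE_LOG` are constructed for the demo; a real third-party firewall format will differ, so `LOG_RE` is the part to adapt. The IP range is matched with a proper CIDR test rather than the `666.666.666....` regex, which would also match a dotted string such as `203.0.113.4x`.

```python
"""Triage a hex-dumped firewall log: attacker range -> successful POSTs ->
longest request -> decoded body. Added example with constructed data."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed line format; adapt to the real product's layout.
LOG_RE = re.compile(
    r"^(?P<ts>\d{9,10}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>[A-Z]+) (?P<status>\d{3}) (?P<hexreq>[0-9a-fA-F]*)$"
)

# The "upload" request: a long multipart body, contents are a placeholder.
LONG_REQUEST = (
    "POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
    "Content-Type: multipart/form-data; boundary=b1\r\n\r\n"
    "--b1\r\nContent-Disposition: form-data; name=\"file\"; filename=\"x.php\"\r\n\r\n"
    "<placeholder file contents, constructed for the demo>\r\n--b1--\r\n"
)


def _line(ts, ip, method, status, request):
    """Build one constructed log line with the request hex-encoded."""
    return f"{ts} {ip} {method} {status} {request.encode().hex()}"


SAMPLE_LOG = [
    _line(1704067200, "198.51.100.7", "GET", 200, "GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _line(1704067210, "203.0.113.45", "GET", 404, "GET /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _line(1704067215, "203.0.113.45", "POST", 403, "POST /upload HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    _line(1704067230, "203.0.113.45", "POST", 200, LONG_REQUEST),
    _line(1704067231, "203.0.113.46", "POST", 200, "POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\nuser=a&pass=b"),
    "this line is not in the expected format and is skipped",
]


def parse_line(line):
    """Return the parsed fields plus the raw line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["raw"] = line
    return event


def attacker_requests(lines, cidr, method="POST", status="200"):
    """Events from the attacker network with the given method and status code."""
    net = ipaddress.ip_network(cidr)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ipaddress.ip_address(ev["ip"]) in net \
                and ev["method"] == method and ev["status"] == status:
            hits.append(ev)
    return hits


def longest(events):
    """Equivalent of `wc -L` followed by `grep -E "^.{N}$"`: the longest raw line."""
    return max(events, key=lambda e: len(e["raw"]))


def decode_request(hexreq):
    """CyberChef's From Hex, with undecodable bytes replaced rather than raising."""
    return bytes.fromhex(hexreq).decode("utf-8", errors="replace")


def epoch_to_iso(ts):
    """Linux epoch seconds -> ISO 8601 in UTC, for the timeline."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()


if __name__ == "__main__":
    hits = attacker_requests(SAMPLE_LOG, "203.0.113.0/24")
    for h in hits:
        print(epoch_to_iso(h["ts"]), h["ip"], h["method"], h["status"], len(h["raw"]))
    best = longest(hits)
    print("--- longest request, decoded ---")
    print(decode_request(best["hexreq"]))
```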
13reak :fedora:<p>I noticed today that a lot of people are struggling with antivirus alerts, specifically Microsoft Defender:</p><p>1) try to understand the alarm itself and at which point in the attack this would happen: phishing email = early, credential access (especially admin credentials) or suspicious C2 IPs = middle, ransomware/data upload = late.</p><p>2) what should be the attacker's previous and next step then? (just look at 1 again: early/middle/late)</p><p>3) can you see this previous/next step in the logs? Look especially for evidence of execution. Attackers want to "do" something. Executables, scripts, PowerShell, command line, services, scheduled tasks?</p><p>If you cannot see any previous or any next steps, ask yourself if you're blind (are your logs empty? Timeframe not available?) or if there really aren't any. If there aren't any, it's likely a false positive. If there are, escalate.</p><p>Happy hunting!</p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/microsoftdefender" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>microsoftdefender</span></a> <a href="https://infosec.exchange/tags/antivirus" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>antivirus</span></a></p>
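The three questions from the post as a small triage routine, added as an example (not the post's own code): place the alert in the attack chain, look for execution evidence shortly before and after it on the same host, and distinguish "blind" (the logs do not cover the window) from "likely false positive" (covered, but nothing there) and "escalate". The stage table, the event records, the one-hour window and the coverage span are all constructed for the demo; in practice the events come from the EDR/SIEM for the alert's host.

```python
"""Alert triage: stage -> neighbouring execution evidence -> verdict.
Added example; STAGE_BY_CATEGORY, EVENTS, ALERT and COVERAGE are constructed."""
from datetime import datetime, timedelta, timezone

# Rough placement of common alert categories in an intrusion (constructed table).
STAGE_BY_CATEGORY = {
    "phishing": "early", "initial_access": "early",
    "credential_access": "middle", "c2": "middle", "lateral_movement": "middle",
    "ransomware": "late", "exfiltration": "late",
}

# Event kinds that show an attacker "doing" something on the host.
EXECUTION_KINDS = {"process", "script", "powershell", "cmdline", "service", "scheduled_task"}

T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
ALERT = {"ts": T0, "host": "ws01", "category": "phishing", "name": "Suspicious attachment"}
# Constructed host telemetry around the alert; ws02 is a different host.
EVENTS = [
    {"ts": T0 - timedelta(minutes=20), "host": "ws01", "kind": "email", "detail": "external message delivered"},
    {"ts": T0 - timedelta(minutes=5), "host": "ws01", "kind": "process", "detail": "winword.exe started"},
    {"ts": T0 + timedelta(minutes=2), "host": "ws01", "kind": "powershell", "detail": "script block logged"},
    {"ts": T0 + timedelta(minutes=40), "host": "ws01", "kind": "scheduled_task", "detail": "new task registered"},
    {"ts": T0 + timedelta(minutes=3), "host": "ws02", "kind": "process", "detail": "updater.exe started"},
]
# Span the logs actually cover for ws01, and a narrower span that starts only
# ten minutes before the alert (used to show the "blind" case).
COVERAGE = (T0 - timedelta(days=7), T0 + timedelta(hours=6))
NARROW_COVERAGE = (T0 - timedelta(minutes=10), T0 + timedelta(hours=6))


def classify_stage(category):
    """Question 1: where in the attack would this alert fire?"""
    return STAGE_BY_CATEGORY.get(category, "unknown")


def neighbouring_execution(events, host, alert_ts, window=timedelta(hours=1)):
    """Question 3: execution-related events on `host` within `window` before
    and after the alert, each list sorted by time."""
    relevant = [e for e in events if e["host"] == host and e["kind"] in EXECUTION_KINDS]
    before = [e for e in relevant if alert_ts - window <= e["ts"] < alert_ts]
    after = [e for e in relevant if alert_ts < e["ts"] <= alert_ts + window]
    return sorted(before, key=lambda e: e["ts"]), sorted(after, key=lambda e: e["ts"])


def triage(alert, events, coverage, window=timedelta(hours=1)):
    """Return (verdict, details). Outside `coverage` we are blind, not clean."""
    ts = alert["ts"]
    details = {"stage": classify_stage(alert["category"])}
    start, end = coverage
    if ts - window < start or ts + window > end:
        details["reason"] = "log coverage does not span the alert window"
        return "blind", details
    before, after = neighbouring_execution(events, alert["host"], ts, window)
    details["before"], details["after"] = before, after
    if not before and not after:
        details["reason"] = "no execution evidence around the alert"
        return "likely_false_positive", details
    details["reason"] = f"{len(before)} execution event(s) before, {len(after)} after"
    return "escalate", details


if __name__ == "__main__":
    verdict, details = triage(ALERT, EVENTS, COVERAGE)
    print(ALERT["name"], "->", verdict, "| stage:", details["stage"], "|", details["reason"])
    for label in ("before", "after"):
        for e in details.get(label, []):
            print(f"  {label}: {e['ts'].isoformat()} {e['kind']}: {e['detail']}")
```

The coverage check comes first on purpose: an empty neighbourhood in logs that were never collected for that window says nothing about the alert, which is the "are you blind?" question in the post.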
13reak :fedora:<p>Velociraptor <code>tempfile</code> is gone when your <code>SELECT</code> query terminates.</p><p>That means if you start with a <code>LET tmp = SELECT ...</code> and continue in your main query, the <code>tempfile</code> is already gone at your main query!</p><p>Took me a while today to figure this out...</p><p><a href="https://infosec.exchange/tags/dfir" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dfir</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/velociraptor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>velociraptor</span></a></p>
13reak :fedora:<p>If using Kubernetes on Azure (AKS), the following logs exist:</p><ul><li>activity logs (enabled by default) </li><li>resource logs (disabled by default) </li><li>AKS logs (disabled by default) </li><li>container insights (disabled by default)</li></ul><p>Remember to turn on your logs :blobwink: </p><p><a href="https://infosec.exchange/tags/DFIR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>DFIR</span></a> <a href="https://infosec.exchange/tags/knowledgedrop" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>knowledgedrop</span></a> <a href="https://infosec.exchange/tags/cloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cloud</span></a> <a href="https://infosec.exchange/tags/azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>azure</span></a> <a href="https://infosec.exchange/tags/aks" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>aks</span></a> <a href="https://infosec.exchange/tags/kubernetes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>kubernetes</span></a> <a href="https://infosec.exchange/tags/k8s" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>k8s</span></a></p>

#dfir #knowledgedrop

The most important logfiles in #azure are:

ENABLED by default:

1) Tenant Logs: Sign-In Logs & Audit Logs
2) Subscription Logs: Activity Logs
3) Security Logs (Risky Users)

DISABLED by default:

4) Resource Logs
5) Diagnostic Logs: Operating System Logs
6) Diagnostic Logs: Application Logs

#m365 also has:

7) Unified Audit Log (UAL) - enabled by default
8) (specialized logs for applications like Exchange, SharePoint, etc. - an extract is also in UAL)

#dfir #knowledgedrop

If you need to acquire #azure / #m365 logs, be aware that the webUI only allows extracting a small amount.

If you want to extract all the logs, have a look at github.com/invictus-ir/Microso

You need "global reader" permissions and watch out with conditional access policies - they can block your access and result in really weird error messages (e.g. that the module does not exist).

Most important logs are (usually) SignIn logs and UAL.

A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes. - invictus-ir/Microsoft-Extractor-Suite