Cloudbrothers
Azure Attack Paths Posts Categories About me Talks english
Cloudbrothers
/images/avatar.png

Work and live with IT

/going-passwordless-whfb-scril/images/Preview.png

Going passwordless with Window Hello for Business and SCRIL

Fabian Bader published on  included in Active Directory Azure AD Entra ID FIDO2 Passwordless PowerShell Security Identity and Access

…or SCRIL in a hybrid environment. What could possibly go wrong?

Way before the term “passwordless” was used by Microsoft to promote the use of alternative authentication methods besides a password there already was a way to go passwordless. In Active Directory there is a feature called SCRIL to achieve exactly this. SCRIL which is short for “Smart card is required for interactive logon” is an effective way to prevent any interactive sign-in to a domain joined machine using a password for the user that holds this attribute.

Read More
/sentinel-pester-framework/images/Preview.png

Sentinel Pester Framework

Fabian Bader published on  included in Sentinel PowerShell Pester Analytics Rules KQL

When you work with one or multiple Microsoft Sentinel workspaces you may find it necessary to not only deploy Analytics rules and other configuration artifacts using a version controlled source control (CI/CD) to limit human error and enforce consistency. But you might also want to independently verify your deployment on a regular basis.

I certainly did and set out to write a test driven solution.

Since I love to use PowerShell and there is already a superb test framework, the tool to use for the task at hand was an easy choice: Pester.

Read More
/prem-global-admin-password-reset/images/Preview.png

From on-prem to Global Admin without password reset

Fabian Bader published on  included in AAD Sync Active Directory Analytics Rules Azure AD Entra ID Defender for Endpoint Identity and Access KQL Microsoft 365 Defender Sentinel Security
Updated information

Microsoft announced in August 2024 that “[…]as part of ongoing security hardening[…]” they will remove “[…]removed unused permissions from the privileged “Directory Synchronization Accounts” role[…]”.

Read More
/convert-sentinel-analytics-rules/images/Preview.png

Convert Sentinel Analytics Rules with PowerShell

Fabian Bader published on  included in Analytics Rules KQL Sentinel PowerShell

If you have worked with Microsoft Sentinel you will, at one point, stumbled over two different file formats for Analytics Rules: YAML and ARM.

The YAML format is mostly used to distribute Analytics Rules between people. All Analytics Rules you will find in the official Sentinel GitHub repo and others out there are offered in this format.

The ARM format is what you need to deploy the Analytics Rules when using a pipeline or even if you want to import them using the UI in Microsoft Sentinel. The content of the file are in the JSON format.

Read More
/prevent-phishing-based-domain-registrations/images/Preview.png

Prevent phishing based on domain registrations

Fabian Bader published on  included in Analytics Rules Defender for Endpoint KQL Sentinel Microsoft 365 Defender

Business email compromise and phishing are just two of the threats sent to hundreds and thousands of email inboxes around the world every day. As defenders, we use various tools and methods to limit the delivery of these emails to the intended target.

In most cases, the attackers start by registering a domain that closely resembles the target company’s own domain name, or simply include the company name in the domain (e.g. microsoftsonliine[.]com).

Read More