Skip to content
PwnDefend
  • Base
  • Comms Room
    • Customer Feedback
    • Company Information
    • Security Management
  • Services
    • Consulting Services
      • Enterprise Security Posture Assessment
      • Cyber Security Assurance & Security Testing Services
      • IT Security Healthchecks
      • Active Directory Assessment Services
      • Managed Remediation Services
    • Emergency Cyber Incident Response Support
    • Our Success Stories
    • Partner Services
  • Blog
  • Privacy
Education

Password Spraying Office 365

Clearly this is for penetration testing, not for evil! So if you have to pentest Office 365 you might want to be attacking the authentication services. This will be aligned to the tenant you are testing, as always make sure you have authorisation.

Deploy to your favourite LINUX instance or WSL etc.

Read more “Password Spraying Office 365” →
Hacking

Office 365/Azure Pentest Tools

I’m not going to talk about these… yet… and there’s duplicates because I think it’s useful to see where they can be used in different scenarios. Expect this list to grow!

Read more “Office 365/Azure Pentest Tools” →
Defense

Defending Against Direct Authentication Attacks in Microsoft Office 365

Whilst conducting security testing and assurance activities, I went looking to show logon events in Office 365. My first query was on IdentityEvents, this led to a view of a multi month attack by a threat actor/s against a tenent, followed by exploring the rabbit hole of logs and computer systems. This blog summarises some of the methods and findings when considering threat hunting and authentication defences for Office 365. (bear with me I am tired so this might need a bit of a tune up later!)

Read more “Defending Against Direct Authentication Attacks in Microsoft Office 365” →
Guides

Enable Number Matching in Azure MFA

Introduction

MFA was the “silver bullet” but friction and security kind of go hand in hand, the idea of a push notification and simple “authorise” is great in theory, but in practise it is vulnerable to brute force and human error. In this post we are going to check out enabling number matching authentication in Azure.

This is just one configuration option, as you can see there are loads of options for methods and specific configurations. Bear in mind the pros and cons for each one, for example SMS based 2FA can be vulnerability to SIM swapping attacks. I’m going to focus on Number Matching in Authenticator for this post: Read more “Enable Number Matching in Azure MFA” →

A screenshot of a computer Description automatically generated with medium confidence Threat Intel

CVE-2021-38647 – Open Management Infrastructure (OMI) RCE – Linux…

Situation

Ok so the situation is as per usual a bit fluid, when this first dropped I was looking at this with a “azure” lense, however as time goes on it appears this likely also covers any Linux distro with the Azure/SCOM/OMS agents installed. This may change the profile of risk considerable, not only from a public facing attack surafce but highly likely from a lateral movement persspective. I’m going to keep updating this as more intel comes in. (sorry I’d be clearer if I had a clearer picture myself)

This week 4 vulnerabilities were disclosed which affect Azure virtual machines running the Open Management Infrastructure (OMI) agent (think PowerShell remoting). As above the scope seems to be slightly wider with regard to SCOM/AZURE and OMS/Sentinel etc. agents for Linux (I want to confirm all of this but for now it seems this is the position)

Essentially these vulnerabilities allow for both network-based remove code execution (RCE) and local privilege escalation (LPE).

  • There is evidence of exploitation in honeypots.
  • There is a public proof of concept available for the RCE.
  • The internet facing attack surface from a global perspective seems low based on the data in Shodan and Censys however I’m not convinced this is currently giving a clear picture.
    • So, check your azure networks, Vms and firewalls would be a sensible idea

Read more “CVE-2021-38647 – Open Management Infrastructure (OMI) RCE – Linux hosts” →

Defense

Hardening Office 365 PowerShell Access

Only admins can use PowerShell, right? Wrong! In Office 365 and Azure AD standard users can connect using PowerShell.

In this quick post we are going to look at how to disable users from being able to read other users data using the MSOL cmdlets. (this also appears to limit AzureAD cmdlets access as well)

Disable MSOL Read Access

Run the following command as a global admin: Read more “Hardening Office 365 PowerShell Access” →

Recent Posts

  • Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)
  • The Long Game: Persistent Hash Theft
  • The Hacker on a Train
  • Adopting an Attacker Mindset to Defend Healthcare
  • Caught: A Hacker Adventure

Recent Comments

No comments to show.

Archives

  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • March 2020
  • February 2020
  • January 2020
  • October 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018

Categories

  • Architecture
  • Breach
  • Company News
  • CTF
  • Defence
  • Defense
  • Education
  • Fiction
  • Getting into Cyber
  • Guides
  • Hacking
  • IOT
  • Leadership
  • News
  • OSINT
  • Reviews
  • Strategy
  • Threat Intel
  • Uncategorized
  • Vulnerabilities
Copyright (c) Xservus Limited