Fabian Bader
@fabian.bader.cloud
#Security #Azure #EntraID #XDR #MDE #Identity #M365 #AD #PKI #KQL

Microsoft MVP

Tweets and opinions are my own
Reposted by Fabian Bader
Attackers found a clever way to abuse legitimate, digitally signed software to load malware and it's working.

Expel Intel’s Marcus Hutchins (@malwaretech.com) breaks down a campaign that weaponizes Greenshot, a legit screenshot tool, to evade detection at multiple layers. 🧵
October 23, 2025 at 4:48 PM
Microsoft Defender just got the September 2025 update

◽ Improved core service startup behavior
◽ Security fixes for missing input validation of RPC services
◽ Fixed threat exclusion handling
◽ Restored performance optimization for network file access

learn.microsoft.com/en-us/defend...
October 21, 2025 at 9:18 PM
Reposted by Fabian Bader
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
Did you ever ask yourself: What do Swiss cheese and Conditional Access have in common?

Either way, if you want to learn about (un)documented Conditional Access Bypasses, then join me on Monday at the Workplace Ninja Summit 25

#WPninjas
wpninjas25.sched.com/event/27VE4/...
Workplace Ninja Summit 2025: What does Swiss cheese and Conditional A...
View more about this event at Workplace Ninja Summit 2025
wpninjas25.sched.com
September 13, 2025 at 2:07 PM
Sentinel UEBA got a welcome set of new data sources

◽Defender XDR device logon events
◽Entra ID managed identity signin logs
◽Entra ID service principal signin logs
◽AWS CloudTrail
◽GCP audit logs
◽Okta MFA

techcommunity.microsoft.com/blog/microso...
Microsoft Sentinel’s AI-driven UEBA ushers in the next era of behavioral analytics | Microsoft Community Hub
Co-author - Ashwin Patil Security teams today face an overwhelming challenge: every data point is now a potential security signal and SOCs are drowning in...
techcommunity.microsoft.com
September 10, 2025 at 10:09 AM
Token Protection in Microsoft Entra Conditional Access for Windows is now GA! 🎉

#EntraID #Token

learn.microsoft.com/en-us/entra/...
August 22, 2025 at 4:56 PM
Two years ago I published a two part series on #MSGraph logs and how to use them for threat hunting.

Now comes part 3 and the logs are finally available to the masses.

#EntraID #KQL #Security

cloudbrothers.info/en/detect-th...
Detect threats using GraphAPIAuditEvents - Part 3
For a long time now, defenders had the ability to monitor behavior of human- and workload identities in Entra tenants not only through AuditLogs but with high level of insight with the MicrosoftGraphA...
cloudbrothers.info
August 15, 2025 at 3:57 PM
Reposted by Fabian Bader
Recently, we announced the finalists for the most special of the #GoldenClippyAwards. The #ChuckNorris award is for heroes in multiple areas: @nathanmcnulty.com @fabian.bader.cloud @bindertech.se @knudsenm.bsky.social @mortenknudsen.net Congratulate them/reshare for these rockstars! #MVPBuzz #WPNinjas
August 11, 2025 at 12:48 AM
Defender AV Platform v4.18.25070.5

◽Enhanced Passive Mode Scanning Behavior
◽Improved Tamper Protection Handling
◽Digital Signature Verification Performance Boost
◽Refined ASR Rule Exclusion Processing

#MDAV #MDE #ASR
August 12, 2025 at 6:44 PM
A rare, but highly welcome change. Microsoft changed the license requirement for Token protection from Entra ID P2 to P1.

This will protect more customers in the long run and lead to a more secure ecosystem.

learn.microsoft.com/en-us/entra/...
Microsoft Entra Conditional Access token protection explained - Microsoft Entra ID
Learn how to secure your environment with token protection in Microsoft Entra Conditional Access policies.
learn.microsoft.com
July 24, 2025 at 4:39 AM
🚨 PSA - Zero day in SharePoint on-prem is actively exploited!

◽ Have Defender AV active
◽ Don't disable AMSI integration of SharePoint
◽ Keep an eye out for the alerts outlined in the article
◽ Look for post exploitation with the hunting query

msrc.microsoft.com/blog/2025/07...
Customer guidance for SharePoint vulnerability CVE-2025-53770 | MSRC Blog | Microsoft Security Response Center
Customer guidance for SharePoint vulnerability CVE-2025-53770
msrc.microsoft.com
July 20, 2025 at 4:39 AM
Reposted by Fabian Bader
Part 8053 of eleventy billion on our path to killing NTLM: way way way way way better auditing.

support.microsoft.com/en-us/topic/...
Overview of NTLM auditing enhancements in Windows 11, version 24H2 and Windows Server 2025 - Microsoft Support
Summary of new auditing features and deployment details
support.microsoft.com
July 13, 2025 at 4:35 PM
Reposted by Fabian Bader
What r u doing while cooking?
That’s my distraction ….
#PSConfEU 2915
June 29, 2025 at 6:36 PM
The latest on the Azure AD Graph retirement mentions two temporary outage tests and more guidance.

If something stops working it might be because of those tests.

#Entra #AADGraph

techcommunity.microsoft.com/blog/microso...
Azure AD Graph retirement
Migrate your applications using Azure AD Graph APIs scripts to Microsoft Graph before September 2025.
techcommunity.microsoft.com
June 29, 2025 at 8:49 AM
One of the results of the joint research with @dirkjanm.io is entrascopes.com

Basically the yellow pages for Microsoft first party apps.

#TROOPERS25
June 26, 2025 at 9:48 AM
Reposted by Fabian Bader
"One thing we have learned over years is that the world moves quickly, and building is easy but supporting is hard...."

Sydney Smith 2025

#StateOfTheShell
#PSConfEU 2025
June 23, 2025 at 9:34 AM
Rerunning my test scenarios for the #TROOPERS25 presentation...
June 22, 2025 at 4:58 PM
Pizza 🍕
May 25, 2025 at 5:31 PM
Reposted by Fabian Bader
Microsoft trying to be like @vxunderground, smh 😂
May 20, 2025 at 7:17 PM
Reposted by Fabian Bader
Suspicious domain m365sessionlogin[.]com was registered through Njalla on 5/18/25. Domain itself does not resolve, but subdomains login, logon, and office365 indicate hosting at 80.78.30[.]154.
May 19, 2025 at 1:34 PM
The unified IdentityInfo table is the most comprehensive way to identify users and their attributes in the unified SOC experience.

You have to onboard your Sentinel workspace AND enable UEBA to take advantage of this in advanced hunting.

#xdr #sentinel
May 14, 2025 at 9:27 PM
First time I made it on the @msftsecresponse leaderboard 🍾

msrc.microsoft.com/leaderboard
May 9, 2025 at 10:51 PM
Planning for some days off from work. What to put in the duffle bag besides a good book and some sunscreen?
My new favorite card game of course.
#FOCI #FamilyOfClientID
May 7, 2025 at 5:44 PM
Application Based Authentication on Microsoft Entra Connect Sync is near. With this change you will be able to use a TPM backed certificate in Entra Connect Sync for authentication.

This is a welcome change to prevent the compromise of this highly privileged account.

#Entra #Certificate
May 2, 2025 at 6:52 AM