This Week's/Trending Posts

Hand-Picked/Curated Posts

Most Popular/Amcache

Hand-Picked/Weekly News

The Most/Recent Articles

my apps

Daily Blog #775: An Azure log entry to look for when a threat actor is in

 




Hello Reader,

 One of the trends I've been noticing when a threat actor first gets into Azure or Microsoft 365 accounts is they will immediately look to see how many other third party services they can access from that account. This allows them to expand their reach into additional services, clouds and systems without needing any additional credentials. Within Azure this is called 'My Apps' and you can reach it by click on your user profile picture in the upper right hand corner and then clicking on My Apps on the bottom left as shown below.


 When you click on 'My Apps' you'll then see the list of integrated apps your user has been provisioned for:


 As you can see here my user has been provisioned for SSO access into AWS, which means with this one compromise account I could pivot into AWS with the same credentials. For larger enterprises there can be a large number of these applications available all allowing authentication with my existing credentials. 


To see this in the logs go to Entra ID and then Signin Logs and you can see the user accesses to My Apps as shown below.


So the next time you are working an Azure incident, make sure to keep an eye out for My Apps access and then you can begin the long process of determining how many apps you are going to have to review to determine total impact.

 

 

Read More
Daily Blog

Daily Blog #774: Forensic Lunch Test Kitchen 3/11/25

 


Hello Reader,

Tonight Evan and I were 'vibe debugging', trying to get the models to fix their own code. We were successfully able to get it to fix issues with the storage of the configuration file, but we left the stream being unable to start a memory capture process. Tune in tomorrow for more!

 

 

Read More
sandpiper

Daily Blog #773: Sandpiper Trade Secrets and Cyber Dallas 2025

 


Hello Reader,

Just an announcement that I'll be moderating a panel on legal cybersecurity issues on March 26, 2025. I'll be joined by my colleague Jonathan Rajewski and a host of inside and outside counsels as well as the Honorable Ada Brown. If you are interested or just want to learn more please click this link to read about it and register. 


https://www.crai.com/insights-events/events/49021/

Read More
sunday funday

Daily Blog #772: Sunday Funday 3/9/25


 

Hello Reader,

It's Sunday! This week's challenge is vibing. If you haven't heard about 'vibe coding' it's what Evan and I have been doing in our streams, letting the AI do all the coding and just 'vibing' along. This week I want to see you resurrect old unmaintained tools and see what you can do with them!


The Prize:

$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 3/14/25 7PM CST (GMT -6)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful
  6. Anonymous entries are allowed, please email them to dlcowen@gmail.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post
  8. AI assistance is welcomed but if a post is deemed to be entirely AI written it will not qualify for a prize. 


The Challenge:

 Pick an unsupported DFIR project of your choice and bring it back to life! Add new features and make it work on modern systems. While you are not required to 'vibe code' (AI coding) in this instance it's fully encouraged! Send me links to writeups or github repo's when your done!

Read More
ual

Daily Blog #771: Solution Saturday 3/8/25


 

Hello Reader,

 This week Phill Moore has brought us the winning answer but as his conversation on X showed it was an answer that could have had additional findings if all of the new logging sources were turned on. Let's celebrate Phill's win and know that blogs will be coming to explore his results and what log sources can be turned on to give even more information. 


The Challenge:
 
What log entries are left behind when the following scenarios occur:
 
1.  A user searches their own mailbox
 
2. A user searches their own onedrive
 
3. An administrator searches their own mailbox
 
4. An administrator searches their own one drive
 
5. An administrator searches someone else's mailbox
 
6. An administrator searches someone else's onedrive 
 
The winning answer:


Read More
margarita shotgun

Daily Blog #770: Forensic Lunch Test Kitchen 3/7/25

 


Hello Reader, 

Tonight Evan and I took an express train to the coast and brought a Jimmy Buffet inspired web interface to Margarita shotgun with one prompt and two fixes. Here is the prompt:

 "create a web interface as you proposed earlier to allow the user to be able to configure, run, manage and monitor the tool. This should not require nodejs or react, things like flask and bootstrap or htmx would be better. I want the server and front end to be self contained within the script and while it can add additional libraries it should not require additional programs/servers/framework or systems to be installed outside of just python modules. The interface should be modern, resiazble, sortable on any fields displayed and have an overall theme of Jimmy Buffetts classic tale of wasting away again in margartivalle. Thematic elements of shotguns, limes, margatitas, salt shakers and phrases like its five oclock somewherfe are encouraged. If you cannot generate the art images ascii art is acceptable. Quotes from Jimmy Buffet are desriable and welcome in the interface. The http server and web mode should start if someone runs the script without options, it should then return a text string telling them the localhost url to visit to view the page. "

and with that the Claude 3.7 model in Cursor actually did generate a full Margaritaville themed web dashboard for a tool that never had one! Next week we will actually test the tool to see if works! Tomorrow though stay tuned to see who won this week's Sunday Funday Challenge!

 

 

Read More
margarita shotgun

Daily Blog #769: Forensic Lunch Test Kitchen

 


Hello Reader,

 Tonight Evan and I used Cursor with the Clause 3.7 model to bring back to life the popular tool Margarita Shotgun ( GitHub - ThreatResponse/margaritashotgun: Remote Memory Acquisition Tool ) ! We got it to update the code to modern python 3 (the code hasn't been updated in 7 years) , suggest improvements and add a new interactive UI using the rich library... and it worked! Tomorrow night we will have a test environment in AWS to see what else needs to be fixed.

 

Read More
htcia

Daily Blog #768: HTCIA Boston April 8, 2025

 


Hello Reader,

I'll be at the HTCIA Boston meeting on April 8, 2025 along with my colleagues Adam Hart, Kaya Overholzer speaking on some fun topics. 

 

Adam is going to be speaking on Ransomware forensics and negotiations

Kaya is going to be speaking on ATM Jackpotting

and I'll be talking about Windows Hello Forensics. 

 

I hope to see some of you there!

Read More
Subscribe to: Posts ( Atom )