Blogs

Microsoft Defender for Identity Multi-Forests Risks

Configuring Microsoft Defender for Identity is not rocket science, but it can be complex in a large organization with multiple forests and domains. Understanding the risks when implementing Microsoft Defender for Identity is critical. Even though documentation for a multi-forest environment exists, it could sometimes be clearer. This blog post will describe my view…

Microsoft Defender for Identity OWIN HTTP Listener

My previous blog post mentioned that the Microsoft Defender for Identity sensor uses an OWIN HTTP listener. In this blog post, I will describe what the HTTP listener is for and how to interact with it. Introduction During my previous research, I saw something listening on port 444. I wanted to discover what it was…

Microsoft Defender for Identity Sensor Identification

Someone asked if I knew how to remotely identify whether a domain controller holds a Microsoft Defender for Identity sensor. It was an interesting question, so I took up the challenge. In this blog post, I will explain how I identified the presence of a Microsoft Defender for Identity sensor on a domain controller. Introduction…

Microsoft Defender for Identity Hidden Feature Custom Logs Location

Although Microsoft has not documented this feature yet, it is possible to set a custom location for the Microsoft Defender for Identity log files since sensor version 2.197. In this short blog post, I will describe how to set up a custom location for the Microsoft Defender for Identity log files. Introduction The Microsoft Defender…

Microsoft Defender Vulnerability Management Authenticated Scan Security Risks

Microsoft Defender Vulnerability Management is a service that provides advanced vulnerability management capabilities. Microsoft Defender Vulnerability Management includes many features, such as Asset Discovery and Inventory Windows Authenticated Scans, which can run scans on unmanaged Windows devices. Unfortunately, the authenticated scan comes with serious security risks. In this blog post, I will go through the security risks…

Microsoft Defender for Identity JSON API

In my previous blog post, I described the inner workings of the Microsoft Defender for Identity REST API during the deployment of the sensor. In this blog post, I will explain the inner workings of the REST API when communicating with the cloud and how to interact with it using my updated Microsoft Defender for…

Microsoft Defender for Identity Auditing Checker using Sentinel

A few months ago, I wrote a tool to check the Microsoft Defender for Identity Configuration, which you run on a domain controller. Running the tool is a snapshot at that time. What if you want to monitor the configuration using your SOAR solution for misconfigurations? Well, I created a PowerShell script that creates an…

Microsoft Defender for Identity sensorDeployment API

Microsoft Defender for Identity is a cloud-based security solution to monitor your on-premises identities. Since it is a cloud-based security solution, it must communicate with the cloud. In this blog post, I will describe how Microsoft Defender for Identity communicates with the cloud during the installation of the sensor. Introduction I started monitoring the installer…

Microsoft Defender for Identity Encrypted Password

After installing a Microsoft Defender for Identity sensor, the SensorConfiguration.json contains information about the sensor, including an encrypted password when using an authenticated proxy server. I wanted to see if I could decrypt the password and if I could set a proxy without the need to reinstall the Microsoft Defender for Identity sensor. I found…
