Blogs

Microsoft Defender for Identity Hidden Feature Custom Logs Location

Although Microsoft did not document this feature yet, it is possible to set a custom location for your log files for Microsoft Defender for Identity since sensor version 2.197. In this short blog post, I will describe how to set up a custom location for the Microsoft Defender for Identity log files. Introduction The Microsoft Defender…

Microsoft Defender Vulnerability Management Authenticated Scan Security Risks

Microsoft Defender Vulnerability Management is a service that provides advanced vulnerability management capabilities. Microsoft Defender Vulnerability Management includes many features, including Asset Discovery and Inventory Windows Authenticated Scans, which can run scans on unmanaged Windows devices. Unfortunately, the authenticated scan comes with serious security risks. In this blog post, I will go through the security risks…

Microsoft Defender for Identity JSON API

In my previous blog post, I described the inner workings of the Microsoft Defender for Identity REST API during the deployment of the sensor. In this blog post, I will explain the inner workings of the REST API when communicating with the cloud and how to interact with it using my updated Microsoft Defender for…

Microsoft Defender for Identity Auditing Checker using Sentinel

A few months ago, I wrote a tool to check the Microsoft Defender for Identity Configuration, which you run on a domain controller. Running the tool is a snapshot at that time. What if you want to monitor the configuration using your SOAR solution for misconfigurations? Well, I created a PowerShell script that creates an…

Microsoft Defender for Identity sensorDeployment API

Microsoft Defender for Identity is a cloud-based security solution to monitor your on-premises identities. Since it is a cloud-based security solution, it must communicate with the cloud. In this blog post, I will describe how Microsoft Defender for Identity communicates with the cloud during the installation of the sensor. Introduction I started monitoring the installer…

Microsoft Defender for Identity Encrypted Password

After installing a Microsoft Defender for Identity sensor, the SensorConfiguration.json contains information about the sensor, including an encrypted password when using an authenticated proxy server. I wanted to see if I could decrypt the password and if I could set a proxy without the need to reinstall the Microsoft Defender for Identity sensor. I found…

Microsoft Defender for Identity Recent Bypasses Comments

Recently I have seen some videos and read some blog posts about bypassing Microsoft Defender for Identity. I agree that there are possibilities to bypass Microsoft Defender for Identity, but in this blog post, I would like to add some notes about these bypasses. Comments Conclusion Like every security product, there are bypasses for Microsoft…

Microsoft Defender for Identity Auditing

Microsoft Defender for Identity monitors your domain controllers by capturing and parsing network traffic and leveraging Windows events directly from your domain controllers. Auditing needs to be enabled for the Windows events to appear in the event viewer. Unfortunately, auditing is not on by default. Microsoft created a great docs page on configuring Windows event…

Microsoft Workload Identities Leaked Credentials

Microsoft announced four new detections in Azure Active Directory Identity Protection last month. One of the four detections is “Workload Identities Leaked Credentials.” During a Microsoft webinar where I demonstrated this new feature in Microsoft Identity Protection, multiple people requested the tool I created, so I decided to release it. This blog post will briefly…

Loading…

Something went wrong. Please refresh the page and/or try again.