Skip to content
    April 23, 2024

    Security Detection Update - 2024-4-23

    Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

    Introduction and Overview

    This week was all over the place! Windows and Cloud Services were the focus of this detection engineering week!


    New Detections

    This update introduces:

    Azure: Privileged Graph API Role Assignment

    These roles can be used for standard administrative activity, but they can also be leveraged by attackers to exfiltrate data, modify users, and make other admin level alterations to your Entra directory. For more information on how this is being abused see the Microsoft article on Midnight Blizzard/NOBELIUM here or the SpecterOps blog post here.

    • Status: Enabled
    • Log type requirement: Azure Entra Directory Audit

    Google Workspace: Custom Admin Role Created

    These can be created for legitimate reasons as organizations may prefer the ability to limit scopes of certain default roles or avoid their use entirely. They can also be leverage by Threat Actors to maintain persistence in an environment and attempt to avoid detection.

    • Status: Enabled
    • Log type requirement: Google Workspace

    Microsoft 365: MFA Device Registered Without Device Details

    This is a net new device and could be the result of normal activity like a user adding an alternate authenticator app that isn't using the Microsoft Authenticator like Duo, 1Password, etc. It also could be indicative of a Threat Actor attempting to add an MFA option they control to satisfy MFA requirements in Microsoft 365 environments.

    • Status: Enabled
    • Log type requirement: O365 ... MS365 .... Azure Entra Active Directory

    Registry Value Tampering: RestrictedAdmin Mode Enabled

    RestrictedAdmin mode is disabled by default on most systems. Threat actors have been observed enabling RestrictedAdmin mode to bypass RDP MFA controls or steal and reuse credential hashes. However, some administrators may choose to enable RestrictedAdmin mode as a part of their security controls. All changes to RestrictedAdmin mode should be expected and authorized. Investigate any unauthorized changes. For more information about RestrictedAdmin mode and related adversarial techniques see our blog post here.

    • Status: Disabled
    • Log type requirement: Windows or Blumira Agent for Windows

    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...

    More from the blog

    View All Posts