Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
This week was all over the place! Windows and Cloud Services were the focus of this detection engineering week!
This update introduces:
These roles can be used for standard administrative activity, but they can also be leveraged by attackers to exfiltrate data, modify users, and make other admin level alterations to your Entra directory. For more information on how this is being abused see the Microsoft article on Midnight Blizzard/NOBELIUM here or the SpecterOps blog post here.
These can be created for legitimate reasons as organizations may prefer the ability to limit scopes of certain default roles or avoid their use entirely. They can also be leverage by Threat Actors to maintain persistence in an environment and attempt to avoid detection.
This is a net new device and could be the result of normal activity like a user adding an alternate authenticator app that isn't using the Microsoft Authenticator like Duo, 1Password, etc. It also could be indicative of a Threat Actor attempting to add an MFA option they control to satisfy MFA requirements in Microsoft 365 environments.
RestrictedAdmin mode is disabled by default on most systems. Threat actors have been observed enabling RestrictedAdmin mode to bypass RDP MFA controls or steal and reuse credential hashes. However, some administrators may choose to enable RestrictedAdmin mode as a part of their security controls. All changes to RestrictedAdmin mode should be expected and authorized. Investigate any unauthorized changes. For more information about RestrictedAdmin mode and related adversarial techniques see our blog post here.