"I SPy" Entra ID Global Admin Escalation Technique

Datadog's Security Labs identified an abuse of the Office 365 Exchange Online service principal (SP) that allows escalation to Global Admin. MSRC considers it an "expected misconfiguration", so don't expect a fix.

🚨 Alert on new credentials added to SPs.
🔥 Monitor changes to federated domains (federationConfiguration).
🕵🏼‍♂️ Hunt unusual Graph API calls to /domains, /credentials, and /federationConfiguration.

🔗 https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/

#DFIR #ThreatHunting #EntraID #CloudForensics #M365 #ThreatDetection
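Added example, not code from the post or from Datadog's article: a small Python hunt that implements the three bullets above over constructed records shaped roughly like Microsoft Graph activity log rows. The field names, the hypothetical caller sp-1111 and the sample request URIs are this example's assumptions; map them onto your own log schema.

```python
"""Hunt for the Graph API writes and service-principal credential additions the post
calls out. Added example over constructed records, not real tenant telemetry."""
import re
from collections import defaultdict

# Hunted Graph paths, matched after the host and the /v1.0 or /beta prefix are stripped.
# Most specific first so a federation change is not reported as a generic domain change.
HUNTED_PATHS = [
    (re.compile(r"^/domains/[^/]+/federationConfiguration(/|$)"), "federated domain change"),
    (re.compile(r"^/domains(/|$)"), "domain added/modified"),
    (re.compile(r"^/servicePrincipals/[^/]+/(addPassword|addKey)$"), "SP credential added"),
    (re.compile(r"^/applications/[^/]+/(addPassword|addKey)$"), "app credential added"),
]
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}

# Constructed records (field names approximate the MicrosoftGraphActivityLogs schema;
# sp-1111, user-2222 and the object id are placeholders, not real identities).
SAMPLE_RECORDS = [
    {"time": "2025-01-10T09:00:01Z", "requestMethod": "GET",
     "requestUri": "https://graph.microsoft.com/v1.0/users?$top=10",
     "servicePrincipalId": "sp-1111"},
    {"time": "2025-01-10T09:00:05Z", "requestMethod": "POST",
     "requestUri": "https://graph.microsoft.com/v1.0/servicePrincipals/3e1b9f0a-0000-4000-8000-00000000abcd/addPassword",
     "servicePrincipalId": "sp-1111"},
    {"time": "2025-01-10T09:00:09Z", "requestMethod": "GET",
     "requestUri": "https://graph.microsoft.com/v1.0/domains",
     "userId": "user-2222"},
    {"time": "2025-01-10T09:01:12Z", "requestMethod": "POST",
     "requestUri": "https://graph.microsoft.com/v1.0/domains",
     "servicePrincipalId": "sp-1111"},
    {"time": "2025-01-10T09:01:30Z", "requestMethod": "POST",
     "requestUri": "https://graph.microsoft.com/beta/domains/evil.example/federationConfiguration",
     "servicePrincipalId": "sp-1111"},
]


def normalize_path(request_uri):
    """Drop scheme/host, the API version segment and any query string."""
    path = re.sub(r"^https?://[^/]+", "", request_uri).split("?", 1)[0]
    return re.sub(r"^/(v1\.0|beta)(?=/|$)", "", path)


def classify(record):
    """Return (category, path) when a write hits a hunted path, otherwise None.
    Reads are ignored on purpose: listing /domains is routine, changing it is not."""
    if record.get("requestMethod", "").upper() not in WRITE_METHODS:
        return None
    path = normalize_path(record["requestUri"])
    for pattern, category in HUNTED_PATHS:
        if pattern.search(path):
            return category, path
    return None


def hunt(records):
    """Group hits by caller so one identity touching SP credentials and federation
    shows up as a sequence rather than as unrelated events."""
    hits = defaultdict(list)
    for record in records:
        result = classify(record)
        if result is None:
            continue
        actor = record.get("servicePrincipalId") or record.get("userId") or "unknown"
        hits[actor].append((record["time"], result[0], record["requestMethod"], result[1]))
    return dict(hits)


def chained_actors(records):
    """Callers that both added an SP credential and changed domains or federation:
    the chain the three bullets in the post describe, and the one to page on."""
    actors = []
    for actor, events in hunt(records).items():
        categories = {category for _, category, _, _ in events}
        if "SP credential added" in categories and categories & {
            "federated domain change", "domain added/modified"}:
            actors.append(actor)
    return sorted(actors)


if __name__ == "__main__":
    for actor, events in hunt(SAMPLE_RECORDS).items():
        print(actor)
        for when, category, method, path in events:
            print(f"  {when} {category}: {method} {path}")
    print("chained:", chained_actors(SAMPLE_RECORDS))
```

Grouping by caller is the point: a credential added to a service principal on its own is noisy in most tenants, but the same identity then writing to /domains or federationConfiguration is exactly the pattern the post says to alert on, so chained_actors() is the alert and hunt() is the triage view.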

#Ransomware threat actors are increasingly abusing AWS's Server-Side Encryption (SSE-C) to encrypt S3 buckets without needing to drop malware. Most recently a TA known as #Codefinger is using this technique.

🕵 Make sure you're monitoring S3 and encryption activity via CloudTrail & GuardDuty.

https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c

#CloudForensics #FOR509 #AWS

Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C

The Halcyon RISE Team has identified a unique ransomware technique that encrypts Amazon S3 buckets with no known method to recover unless a ransom is paid...
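Added example, not Halcyon's code or data: a Python pass over constructed CloudTrail-style S3 data events that separates SSE-C writes from ordinary SSE-S3/SSE-KMS writes and flags the combination that matters in the post above, existing objects re-encrypted in place by CopyObject plus a lifecycle change on the same bucket. The header field name under requestParameters, the event shapes, account number and principals are this example's assumptions.

```python
"""Flag S3 writes that used customer-provided keys (SSE-C), the malware-free
encryption pattern in the post. Added example over constructed CloudTrail-style
events, not real logs."""
from collections import defaultdict

# Header recorded when the caller supplied its own key. SSE-S3 and SSE-KMS writes
# carry x-amz-server-side-encryption instead, so this header alone separates
# customer keys from AWS-managed ones. (Field placement is this example's assumption.)
SSEC_ALGO = "x-amz-server-side-encryption-customer-algorithm"
S3_WRITES = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}

# Constructed events; the account id and principals are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-09T03:11:02Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "finance-archive", "key": "q4/report.pdf",
                           "x-amz-server-side-encryption": "AES256"}},
    {"eventTime": "2025-01-09T03:12:40Z", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-archive", "key": "q4/report.pdf",
                           "x-amz-copy-source": "finance-archive/q4/report.pdf",
                           SSEC_ALGO: "AES256"}},
    {"eventTime": "2025-01-09T03:12:41Z", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-archive", "key": "q4/ledger.xlsx",
                           "x-amz-copy-source": "finance-archive/q4/ledger.xlsx",
                           SSEC_ALGO: "AES256"}},
    {"eventTime": "2025-01-09T03:13:05Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "finance-archive"}},
    {"eventTime": "2025-01-09T08:30:00Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/hr-uploader"},
     "requestParameters": {"bucketName": "hr-docs", "key": "new/policy.txt",
                           SSEC_ALGO: "AES256"}},
    {"eventTime": "2025-01-09T08:31:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"bucketName": "finance-archive", "key": "q4/report.pdf"}},
]


def uses_ssec(event):
    """True for an S3 write whose request carried a customer-provided key."""
    if event.get("eventName") not in S3_WRITES:
        return False
    params = event.get("requestParameters") or {}
    return params.get(SSEC_ALGO) == "AES256"


def is_in_place_rewrite(event):
    """CopyObject with source == destination: the object is re-encrypted where it sits,
    which is how existing data gets locked without uploading anything new."""
    if event.get("eventName") != "CopyObject":
        return False
    params = event.get("requestParameters") or {}
    return params.get("x-amz-copy-source") == f"{params.get('bucketName')}/{params.get('key')}"


def summarize(events):
    """Per bucket: SSE-C write count, in-place rewrites, who did them, and whether a
    lifecycle rule was set in the same data (a way to schedule deletion of the originals)."""
    buckets = defaultdict(lambda: {"ssec_writes": 0, "in_place_rewrites": 0,
                                   "principals": set(), "lifecycle_changed": False})
    for event in events:
        bucket = (event.get("requestParameters") or {}).get("bucketName")
        if not bucket:
            continue
        summary = buckets[bucket]
        if uses_ssec(event):
            summary["ssec_writes"] += 1
            summary["principals"].add(event["userIdentity"]["arn"])
            if is_in_place_rewrite(event):
                summary["in_place_rewrites"] += 1
        elif event.get("eventName") == "PutBucketLifecycle":
            summary["lifecycle_changed"] = True
    return dict(buckets)


def triage(events):
    """'urgent' when SSE-C writes come with in-place rewrites or a lifecycle change,
    'review' for any other SSE-C use (legitimate in some estates, rare in most)."""
    verdicts = {}
    for bucket, s in summarize(events).items():
        if s["ssec_writes"] == 0:
            continue
        verdicts[bucket] = "urgent" if (s["in_place_rewrites"] or s["lifecycle_changed"]) else "review"
    return verdicts


if __name__ == "__main__":
    for bucket, verdict in triage(SAMPLE_EVENTS).items():
        s = summarize(SAMPLE_EVENTS)[bucket]
        print(f"{bucket}: {verdict} ({s['ssec_writes']} SSE-C writes, "
              f"{s['in_place_rewrites']} in place, by {sorted(s['principals'])})")
```

One caveat for the CloudTrail side of the post: object-level events such as PutObject and CopyObject only reach CloudTrail when data events are enabled for the bucket or trail, while PutBucketLifecycle is a management event and is logged by default. Without data events this pass would see the lifecycle change and nothing else.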

With a rise in Adversary in the Middle (AiTM) phishing, we've seen attackers leverage trusted compromised accounts to launch multi-stage attacks and follow-on BEC activity. Too often, investigations end with "If only this data had been available!"

We are kicking off our 3-part series on handling Business Email Compromise (BEC) incidents in Microsoft 365! 📧 In Part 1, Rachel dives into the key artefacts for investigating a BEC in M365 and where to find them.

👉 https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-investigating-incidents-in-m365/

This includes:

Why enabling Unified Audit Logging is essential for tracking attackers.

How to use Purview Content Search to analyse compromised mailboxes.

Pro tips for using Defender's Advanced Hunting to quickly scope the scale of an attack.

Stay tuned for more actionable insights in Parts 2 & 3!

#CyberSecurity #BusinessEmailCompromise #M365 #IncidentResponse
#MicrosoftDefender #EmailSecurity #DigitalForensics #DataRetention #ThreatHunting #CloudForensics

BEC-ware the phish (part 1). Investigating incidents in M365 | Pen Test Partners

TL;DR Review the key artefacts to ensure the best possible telemetry is available in the case of a Business Email Compromise (BEC). Keep an eye on data retention; where necessary, export or forward data for investigations longer than 30 days. Verify and enable Unified Audit Logging: it's free and gives broad visibility for 180 days.

Join @Phillmoore and me tomorrow as we host the FREE online SANS APAC #DFIR Summit. The talks look fantastic and range from #CloudForensics, #ICS, #ransomware, and #AutomotiveForensics, to name a few.

🗓 6th Sept - 8am SGT / 9am JST / 10am AEST
🔗 https://www.sans.org/cyber-security-training-events/japan-september-2024/

APAC DFIR Summit & Japan September 2024 | Cyber Security Training

APAC DFIR Summit & Japan September 2024 (9-14 Sept) offers hands-on cybersecurity training taught by top industry practitioners. Attend in Tokyo, JP.

UPCOMING WEBINAR – Empowering Investigations With Data From The Cloud - Forensic Focus

Register for Cellebrite's upcoming webinar on empowering investigations with data from the cloud.

Unlock the mysteries of cloud forensics with #CloudForensicsDemystified! 🕵️‍♂️ Discover effective tools and techniques for investigating security incidents in cloud environments. This guide covers data collection, analysis, and navigating complex infrastructures with confidence. Whether you're new to cloud forensics or a seasoned investigator, elevate your skills with this essential resource. #CloudForensics #Cybersecurity

Explore further and grab your copy today: https://packt.link/abm4S

UPCOMING WEBINAR – Fireside Chat: Navigating The Cloud – Expert Insights On Emerging Cloud Threats And Complexities https://www.forensicfocus.com/news/upcoming-webinar-fireside-chat-navigating-the-cloud-expert-insights-on-emerging-cloud-threats-and-complexities/ #CadoSecurity #cloudforensics #dfir
UPCOMING WEBINAR – Fireside Chat: Navigating The Cloud - Expert Insights On Emerging Cloud Threats And Complexities - Forensic Focus

Join James Campbell, Co-Founder and CEO of Cado Security, and Robert Wallace, Senior Director at Mandiant, for a webinar on the evolution of cloud threats and the unique challenges posed by cloud environments when investigating and responding. 

Cado Security releases its H2 2023 Cloud Threat Findings Report to help security teams secure against cloud-focused threat actors. https://www.forensicfocus.com/news/cado-security-releases-h2-2023-cloud-threat-findings-report/ #CadoSecurity #cloudforensics