Prevent bad actors from maintaining persistence | Microsoft 365 | Implement these policies
- Published 28 Jun 2024
- Bad Actors are achieving persistence in Microsoft 365 using techniques that aren't protected by default.
Want to understand how to protect against them?
Check out my latest blog and YouTube video where I show you how these techniques work along with the policies you can put into place to detect and prevent them from happening.
Blog: tminus365.com/prevent-bad-act...
Run a Free Assessment against CIS: app.cloudcapsule.io
Intro Music- Jordyn Edmonds • Love That
Table of Contents:
00:00 - Intro
00:59 - Initial User Compromise
03:08 - Overview of Persistence
05:12 - Joining an Additional MFA Method
06:42 - Join an Additional Device
08:24 - Registering Applications
11:19 - Creating Inbox Rules
13:15 - Protections you can put into place
23:52 - Entra Admin Policies
32:12 - Intune Admin Policies
34:03 - Security admin policies
37:58 - Exchange admin policies
38:24 - CIS Mappings
39:22 - Automated CIS Assessment
🚀 What You'll Learn:
Real-Life Applications: See firsthand what techniques bad actors use to maintain persistence in Microsoft 365 after initial user compromise.
💡 Why Watch?
Understand the protections you should have in place across customers that AREN'T ON BY DEFAULT.
👍 Engage with Me:
Loved this tutorial? Hit 'Like', subscribe, and share this video with colleagues who could benefit from my content. Have questions or your own tips to share? Drop a comment below - I'd love to hear what techniques you are seeing across customers.
Hello team,
Comments: minute 24:23
Pre-requirement for CAP user action "register or Join device"
If you plan to create the conditional access policy for the user action "register or Join device", you need to have in EntraID-->Devices-->Device Settings--> Option: "Require MFA to register or join devices with Microsoft Entra" set to NO.
Amazing material. I see your videos like I am in a very serious class; this is the knowledge that makes a difference.
Here for the biceps :-) Seriously thanks for the details and the time !
@41:00 - can we print a report and see what needs to be done to fix what needs to be fixed?
Minute 28:28
Is there any way to set up a preferred MFA method, meaning setting the priority for the authentication methods from the admin side?
i.e.:
1. Passkey
2. Authenticator Passwordless
3. Authenticator Number matching.
How can I know what the primary MFA verification method is that a user is using to verify his identity?
Minute 35:09: who are the tenantadmins? Will only the Global admins or any admin receive the message, i.e., will an Intune admin receive this alert?
Minute 31:04: App consent
Is there any way to reduce the extra workload to user consent to the admins?
Minute 31:54: admin consent request
How can the admins know if the app that is requesting the permissions is secure or not?
In the option "Allow user consent apps from verified published from selected permissions"
All users can consent for permissions classified as "low impact"
Do you know where I can find the low impact, medium impact and high impact permissions?
Does MS not block Tor nodes by default?
They do not.
@t-minus365 wow, good to know