Hello Reader,
Welcome back to Sunday Funday! This week we are going straight into topics I see as current research blind spots. We are going to be focusing on Entra ID (aka Azure AD) and what evidence you can find when people run tools like BloodHound/SharpHound. I look forward to your thorough responses as we work as a community to overcome this lack of knowledge.
The Prize:
$100 Amazon Giftcard
An appearance on the following week's Forensic Lunch!
The Rules:
- You must post your answer before Friday 1/10/25 7PM CST (GMT -5)
- The most complete answer wins
- You are allowed to edit your answer after posting
- If two answers are too similar for one to win, the one with the earlier posting time wins
- Be specific and be thoughtful
- Anonymous entries are allowed; please email them to dlcowen@gmail.com. Please state in your email whether you would like to be anonymous or not if you win.
- In order for an anonymous winner to receive a prize they must give their name to me, but I will not release it in a blog post.
What evidence is left behind in Azure when an attacker runs BloodHound or any derivative like SharpHound? You should document at least two scenarios:
1. Default logging
2. Turning on any optional logging you want to test.
Your response can be a link to your own blog, an email, a document, etc. Bonus points if you point out specific indicators that can be searched for or alerted on.