Now we're getting somewhere: A look at additional log sources that improve hunting and detection in Entra ID and O365

Wednesday 19 March, 1:50 pm - 2:30 pm

Speakers

John Stoner

Principal Security Strategist
Google

Synopsis

For organisations using Microsoft Entra ID (the artist formerly known as Azure Active Directory) and O365, it’s fairly well understood that a set of default logs is readily available for use, no matter what log management tooling an organisation is using. However, this standard logging has its limits.

As a defender, this presents a set of challenges. With the release of post-exploitation kits like GraphRunner, which is focused on interacting with the Microsoft Graph API, the backbone that services Entra ID, O365 and more, probing and information gathering is streamlined. Further, while GraphRunner is a post-exploitation toolkit, it includes authentication functions that highlight how adversaries could use the OAuth authorisation code flow to their advantage.

To combat this lower barrier to entry, defenders need to take advantage of the visibility that additional data sets provide but that they may not be aware of. These additional data sets can give defenders further insight, support detection of suspicious activity, and serve as a hunting ground when confronted with an adversary using techniques like those found in GraphRunner.

Because GraphRunner contains numerous modules and is written in PowerShell, an adversary can customise it to their own needs. While I won’t be able to cover all the possible permutations, my goal is to show the kinds of capabilities GraphRunner brings while identifying events that defenders can use to hunt and detect suspicious activities in an Entra ID / O365 tenant.

Takeaways:

Attendees will come away from this talk with:

  • A greater understanding of GraphRunner and its capabilities
  • Awareness of the logging available for the Graph API beyond the standard sign-in and audit logging
  • Ideas around how to detect and hunt within Entra ID and O365 tenants for these kinds of activities

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.