". azure administrators can lock down user consent for applications and prevent users from installing and consenting to an app without approval from an administrator. i highly recommend this as a mitigation strategy as a way of reducing the attack surface of rogue apps in azure. c…"
T1525 Implant Internal Image (80%)
"just a tool to get them a list of new targets. and boy, does it work. the huntress soc swiftly intervened in this particular case and remediated the identity, inbox rules, and the installation of the sigparser application. there were numerous other indicators apart from the sigpa…"
T1525 Implant Internal Image (76%)
"and shadow workflows? indeed, we know this has happened before because a third of all rogue app signals are the only indication of malice for an identity. detection the sigparser application uses app id “caffae8c-0882-4c81-9a27-d1803af53a40”. this information is easily …"
T1528 Steal Application Access Token (48%)
T1586.002 Email Accounts (37%)
"the local entity that handles authentication and authorization for the installed application and acts on behalf of the user that has consented to the application. this essentially means that at this point, sigparser is now installed in the tenant and has the correct authenticatio…"
T1098.002 Additional Email Delegate Permissions (35%)
"which is the addition of an inbox rule that was completed following authentication from a suspicious as with a strong indicator of an active aitm attack in progress. the inbox rule in question is set up to reroute any email containing the domain name of a partner organization int…"
Summary
Court is in session! In this blog post, we examine the use of a legitimate Microsoft 365 application called “SigParser” identified during an identity compromise. How are OAuth apps used during identity intrusions? Find out here!