Fabian Bader
@fabian_bader
#Security #Azure #AAD #MDE #M365 #AD #PKI Microsoft MVP Tweets and opinions are my own @[email protected]
📢If you missed my talk about Azure Attack Path at the @identitysummit, I just updated my blog with content created for the conference. New analytic rules, demo attack script and the slides are not available. #Azure #Security #Defend #Attack #Sentinel cloudbrothers.info/en/azure-attac…
Did anyone already notice this webshell dropped with the name spinstallp.aspx? It's a different minified ASPX webshell #SharePoint virustotal.com/gui/file/2f270…
If you leave the house overnight and forget your charger at home
It's a great way to have a cheap and somewhat private VPN. I have two 1€ VPS set up in different countries using this method.
Ok so if we wanted our own private VPN.... we could deploy a droplet in @digitalocean ! Then we could deploy @Tailscale on a NIX box and configure it as an exit node!
A rare, but highly welcome change. Microsoft changed the license requirement for Token protection from Entra ID P2 to P1. This will protect more customers in the long run and lead to a more secure ecosystem. learn.microsoft.com/en-us/entra/id…

A fun read on attacking "AI SOC" github.com/robomotic/soc-…
So much data...
This is big! Introducing Microsoft Sentinel data lake techcommunity.microsoft.com/blog/microsoft…
UniqueTokenIdentifier and SessionID are strong identifiers that help you in detection, incident response and forensic #XDR #Entra techcommunity.microsoft.com/blog/microsoft…
If you want to quickly evaluate if you are exploitable: github.com/LuemmelSec/Pen…
We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange
Sorry to disturb your weekend. There is a SharePoint 0day actively abused. Do not only focus on the rule of MSRC for hunting, other blogs also share different files and folders in use! Additional info: MSRC: msrc.microsoft.com/blog/2025/07/c… Blog by @eyesecurity_: research.eye.security/sharepoint-und…
0day in on-prem #SharePoint - guidance inside
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770. We have outlined mitigations and detections in our blog. Our team is working urgently to release…
Interesting change in the docs: By default, system-preferred MFA is Microsoft managed and enabled for all users. learn.microsoft.com/en-us/entra/id…
This is big. In #XDR there is now a new table in preview: GraphApiAuditEvents It's the "free" version of the MicrosoftGraphActivityLogs and will enable more companies to detect threats without having to pay a lot of money. learn.microsoft.com/en-us/defender…
Deception is more than a buzzword — it’s a strategy. In his session “Cyber Deception: A story about honeypots and canaries”, Fabian Bader shows how to detect attackers before traditional alerts trigger. #wpNinjaS
The slides from #TROOPERS25 are now available🔥 The key point in the talk is that Device Registration Service is often forgotten in Conditional Access, leading to various abuse. This talk introduces one of the examples and explains lateral movement tips. troopers.de/downloads/troo…
It was great to attend #TROOPERS25! Beautiful city, nice weather, talented researchers. My talk was just based on how Entra works but I hope it contributed to the community. Thanks to everyone I had a chance to talk to! No jet lag now. Time to go home😂 github.com/temp43487580/E…
This tweet thread discusses how to use #Kusto explorer to graph data on the fly. ➡️ Get kusto explorer: aka.ms/ke ⬇️ Read on!
Creating on-the-fly graphs with #Kusto is nice via make-graph, but what if Kusto could natively handle graphs as a data source just like it does with tables? Meet Persistent Graphs, now in preview: 📎learn.microsoft.com/en-us/kusto/ma… ➡️ azure.microsoft.com/en-us/updates/…
In the first 2 hours, just over 25% of the online tickets have been sold. If you happen to miss out during this round 1, don't worry -- we'll have another round of tickets available in September too!
Exposing your multi tenant service principal secret to everybody is not just bad security but it’s completely wrong. Great finding by @_harleo - Sad to see that @Synology handled the disclosure so badly. Use managed identities! modzero.com/en/blog/when-b…