BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.nsec.io//2024//L3NFCM
BEGIN:VTIMEZONE
TZID:EST
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:STANDARD
DTSTART:20071104T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11
TZNAME:EST
TZOFFSETFROM:-0400
TZOFFSETTO:-0500
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000402T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20070311T030000
RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3
TZNAME:EDT
TZOFFSETFROM:-0500
TZOFFSETTO:-0400
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-2024-3PL9BZ@cfp.nsec.io
DTSTART;TZID=EST:20240517T100000
DTEND;TZID=EST:20240517T103000
DESCRIPTION:For organizations using Microsoft Entra ID (formerly known as A
 zure Active Directory) and O365\, it’s fairly well understood that a set
  of default logs are readily available for use\, no matter what log manage
 ment tooling an organization is using. However\, this standard logging has
  its limits.\n\nLast fall\, the team at Black Hills Information Security r
 eleased a post exploitation kit called GraphRunner. This tool is focused o
 n interacting with the Microsoft Graph API\, which is the backbone that se
 rvices Entra ID\, O365 and many other services in the Microsoft cloud. The
  release of GraphRunner and future tools like it streamlines a number of a
 ctivities that an adversary would perform after gaining access\, making it
  simpler for anyone to use. While GraphRunner is a post exploitation toolk
 it\, there are authentication functions that highlight how adversaries cou
 ld use the OAuth authorization code flow to their advantage.\n\nAs a defen
 der\, this presents a set of challenges. Less sophisticated adversaries ha
 ve a lower barrier to entry once they have gained access to the Graph API 
 than they did before. It also highlights that the standard logging may not
  be sufficient to gain visibility into actions like the refreshing of toke
 ns or other activities that a tool like GraphRunner provides.\n\nThis talk
  is designed to provide insight into additional data sets that Microsoft c
 loud users have access to but may not be as widely deployed. These additio
 nal data sets can provide defenders additional insight\, detect suspicious
  activity and can serve as a hunting ground when confronted with an advers
 ary using techniques like those found in GraphRunner.\n\nBecause GraphRunn
 er contains numerous modules and is written in PowerShell\, an adversary c
 an customize it to their own needs. While we won’t be able to cover all 
 possible permutations\, our goal is to identify data sets and events that 
 can assist defenders while using GraphRunner as a representative of the ki
 nds of methods that adversaries might use.\n\nAttendees will come away fro
 m this talk with:\n- A greater understanding of GraphRunner and its capabi
 lities\n- Awareness of the logging available for the Graph API beyond the
  standard logging\n- Ideas around how detections and hunts can be designed
  to identify GraphRunner activity
DTSTAMP:20260415T013557Z
LOCATION:Salle de Bal
SUMMARY:GraphRunner and Defending Your Microsoft Tenant - John Stoner
URL:https://cfp.nsec.io/2024/talk/3PL9BZ/
END:VEVENT
END:VCALENDAR
