TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

6 Months of Researching OAuth Application Attacks | Huntress

2025-02-10

ATT&CK techniques detected

14 predictions

T1525 Implant Internal Image · 92%
“attack surface. Stealthware: farm-to-table evil apps. On the other hand, the Azure app ecosystem also gives hackers the tools to build apps from the ground up that are designed to wreak havoc. I’m talking about farm-to-table, small-batch, home-grown, ethically-sou…”

T1525 Implant Internal Image · 88%
“? Well, both of them burn when exposed to direct sunlight. But more importantly, both will evolve to the point where your current defenses are meaningless after enough time has passed. So onward we press to find new avenues of identifying and breaking their attack chains. One are…”

T1525 Implant Internal Image · 86%
“in the Huntress partner tenancy, but they’re way more prevalent than we anticipated. Some of these apps had been around for years by the time we uncovered them. And if you take anything from this article, let it be this: statistically speaking, there’s a good chance that you…”

T1525 Implant Internal Image · 85%
“to a single user were more likely to be stealthware. The addition of classifying OAuth permissions into groups based on what they allowed hackers to do during intrusions and detecting rare apps that also had powerful permissions raised the hit rate significantly. Following our pr…”

T1525 Implant Internal Image · 85%
“sense of dread in me: how many are out there? In searching for the answers to these questions, we ended up getting way more than we bargained for. The systems at play: how OAuth apps work. Hold onto your butts, because here’s a crash course in Azure applications and how they w…”

T1525 Implant Internal Image · 75%
“re interested in that kind of thing. The hunt in motion. With our threat model ironed out, it’s time to dive into the data and figure out the answer to the question: “Aside from that one termite, how many more are out there?” To do this, myself and staff threat ops developer …”

T1525 Implant Internal Image · 73%
“6 Months of Researching OAuth Application Attacks | Huntress. TL;DR: if you administer at least one Microsoft 365 tenant, audit your OAuth applications right now. Statistically speaking, there’s a good chance your tenant is infected with a malicious app. I wrote an open-sou…”

T1525 Implant Internal Image · 50%
“own user authentication, calls the Graph API, wrangles the data from the API about your tenant’s enterprise applications and app registrations, and runs some hunting logic against the results. It’s quick and rough around the edges, but the idea here is to empower Azure admins…”

T1525 Implant Internal Image · 46%
“that myself and other staff at Huntress found themselves in when we started to look at the data about Azure applications and how they’re used maliciously in our partner tenants. So come along with us for a wild ride as we rip up the kitchen floorboards and uncover exactly how b…”

T1528 Steal Application Access Token · 41%
“6 Months of Researching OAuth Application Attacks | Huntress. TL;DR: if you administer at least one Microsoft 365 tenant, audit your OAuth applications right now. Statistically speaking, there’s a good chance your tenant is infected with a malicious app. I wrote an open-sou…”

T1588.002 Tool · 41%
“crates, pry open doors if they’re stuck, and if you’re lucky, even escape from a massive underground research facility in the deserts of New Mexico. If you got that last reference, you pass the vibe check. A crowbar alone is neither good nor bad. It’s useful in many differe…”

T1528 Steal Application Access Token · 35%
“to a single user were more likely to be stealthware. The addition of classifying OAuth permissions into groups based on what they allowed hackers to do during intrusions and detecting rare apps that also had powerful permissions raised the hit rate significantly. Following our pr…”

T1525 Implant Internal Image · 34%
“? Anyone who has spent time administering a large, complicated system of authentication and authorization will tell you that attackers love to find the unpatchable cracks of the system to perform exploitation. Any red teamer who has run a Kerberoasting attack will tell you that t…”

T1528 Steal Application Access Token · 31%
“that myself and other staff at Huntress found themselves in when we started to look at the data about Azure applications and how they’re used maliciously in our partner tenants. So come along with us for a wild ride as we rip up the kitchen floorboards and uncover exactly how b…”

Summary

There’s never just one termite. Huntress has spent the last 6 months researching and cracking down on malicious OAuth applications. Read about what we’ve found in this blog!