azurekid

<#
.SYNOPSIS
Retrieves stored WiFi profiles and their associated passwords from the local computer.

.DESCRIPTION
This function uses netsh commands to extract all saved WiFi profiles and their details including passwords (if available), authentication methods, and connection modes. It processes profiles in parallel for improved performance.

.OUTPUTS
System.Object[]
Returns an array of custom objects containing the following properties:

azurekid

let lookback = 1d;
let DeviceList =
    DeviceInfo
    | where
        Timestamp >= ago(lookback)
        // and MachineGroup contains "ATOS"
        // and MachineGroup contains "AZURE"
        // and MachineGroup contains "OGD"
        and MachineGroup !contains "OGD"
    | distinct DeviceName

azurekid

let lookback = 7d;
let DeviceList = 
    DeviceInfo
    | where MachineGroup contains "Azure"
    | where Timestamp >= ago(lookback)
    | distinct DeviceName
;
let ScanInformation =
    DeviceEvents
    | where

azurekid

Automating GitHub Organization Membership Requests with GitHub Actions

Managing membership requests for a GitHub organization can be a time-consuming task, especially for larger organizations. In this article, we will walk through a solution that leverages GitHub Actions to automate the process of adding new members to a GitHub organization. By using an issue template and a GitHub Actions workflow, we can streamline the membership request process and reduce manual work.

Introduction

GitHub Actions is a powerful tool for automating various tasks within your repository, including CI/CD pipelines, issue management, and more. One of the less common but highly useful applications of GitHub Actions is automating the management of organization memberships. This can be particularly beneficial for organizations with a large number of members or frequent membership changes.

Why Automate Membership Requests?

azurekid

$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Edg/131.0.0.0"
Invoke-WebRequest -UseBasicParsing -Uri "https://api.securityplatform.microsoft.com/account/capacities?api-version=2023-12-01-preview" `
-WebSession $session `
-Headers @{
"authority"="api.securityplatform.microsoft.com"
  "method"="GET"
  "path"="/account/capacities?api-version=2023-12-01-preview"
  "scheme"="https"
  "accept"="application/json"

azurekid

Detecting fasthttp Brute Force Attacks: A Comprehensive Guide

Introduction

In recent times, the fasthttp library has been leveraged in a new brute force campaign targeting Azure Active Directory (AAD) accounts. This high-performance HTTP server and client library for the Go programming language is designed to handle HTTP requests more efficiently than Go’s standard net/http package. However, its capabilities have been exploited by malicious actors to gain unauthorized access to accounts through brute-force login attempts and spamming multi-factor authentication (MFA) requests1.

In this blog post, we will explore how to detect such brute force attacks using Kusto Query Language (KQL) in Microsoft Defender. We will provide a detailed KQL query to help identify suspicious login attempts that may indicate a brute force attack.

Understanding the Threat

azurekid

Calculating the First Monday of a Given Week in Kusto Query Language (KQL)

Hey KQL heroes! 🌟 If you’ve ever had to wrestle with dates and weeks in your analysis, you’ll know it can be quite a challenge. But worry not, because today we’re diving into a nifty Kusto Query Language (KQL) script that will make calculating the first Monday of any given week a breeze. Ready to uncover some KQL magic? Let’s get started!

A Quick Peek at Our KQL Script

Before we jump into the code, let’s break down what we’re aiming to do. This script will help you find the first Monday of a specified week in a year. Imagine the power of pinpointing exact dates for all your planning, scheduling, and analytical needs!

The Variables in Play

azurekid

$permissions = Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/roleManagement/directory/resourceNamespaces/microsoft.directory/resourceActions?$filter=isPrivileged eq true' -Authentication Bearer -Token ($token.token | ConvertTo-SecureString -AsPlainText -Force)
$roles = Invoke-RestMethod -Uri 'https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions' -Authentication Bearer -Token ($token.token | ConvertTo-SecureString -AsPlainText -Force)

foreach ($role in $roles.value) {
    foreach ($value in $permissions.value.name) {
        if ($value -in $role.rolepermissions.allowedResourceActions) {
            $prived += $role.displayName | Sort-Object -Unique
        }
    }
}

azurekid

microsoft.directory/applications.myOrganization/allProperties/update
microsoft.directory/applications.myOrganization/credentials/update
microsoft.directory/applications/allProperties/allTasks
microsoft.directory/applications/allProperties/update
microsoft.directory/applications/credentials/update
microsoft.directory/authorizationPolicy/allProperties/allTasks
microsoft.directory/authorizationPolicy/guestUserSettings/update
microsoft.directory/b2cTrustFrameworkKeySet/allProperties/allTasks
microsoft.directory/bitlockerKeys/key/read
microsoft.directory/customAuthenticationExtensions/allProperties/allTasks

azurekid

Descriptor:
  Name: HaveIBeenPwned
  DisplayName: HaveIBeenPwned
  Description: This tool checks if an email address has been found in any of the data breaches in Have I Been Pwned (HIBP).
  SupportedAuthTypes:
    - ApiKey
  Authorization:
    Type: APIKey
    Key: hibp-api-key
    Location: Header