Threat Feed

Tag: Threat_detection

4 briefs
high advisory

Entra ID Microsoft Authentication Broker DRS Sign-In from Suspicious ASN

Detects Microsoft Entra ID sign-in activity where the Microsoft Authentication Broker requests the Device Registration Service from a suspicious ASN, indicating potential OAuth phishing or adversary-in-the-middle device registration.

Microsoft Entra ID cloud identity azure entra_id sign-in_logs threat_detection initial_access persistence
medium advisory

Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource

Detects successful Microsoft Entra ID sign-ins where the client application is the Microsoft Authentication Broker (MAB) and the requested resource identifier is outside a short list of commonly observed first-party targets, potentially indicating abuse to obtain tokens for unexpected APIs or enterprise applications.

Entra ID cloud identity azure entra_id microsoft_entra_id sign_in_logs threat_detection initial_access
high advisory

Detection of PowerShell HackTool Scripts by Author Attribution

This rule detects potential PowerShell HackTool scripts by identifying script block content containing known offensive-tool author handles or attribution strings, indicative of attackers using public tooling with minimal modifications.

powershell execution windows threat_detection
high advisory

Suspicious Execution from WebDAV Share

This rule detects attempts to execute content from remote WebDAV shares, where attackers may abuse WebDAV paths, public tunnels, or host@port UNC paths to execute tools or scripts, reducing local staging on the victim's file system.

Windows execution webdav threat_detection