Threat Research

A New App Consent Attack: Hidden Consent Grant

  • Adi Malyanker | Security Researcher
  • Aug 13, 2024

Key findings: An Application Consent attack, also known as an Illicit Consent Grant attack, is a type of phishing attack in which a malicious actor gains access to an application and then exploits permissions that have been granted to that app. Semperis researcher Adi Malyanker has discovered that under certain…

UnOAuthorized: Privilege Elevation Through Microsoft Applications

  • Eric Woodruff
  • Aug 07, 2024

This article details a series of Semperis security research team discoveries that resulted in the ability to perform actions in Entra ID beyond expected authorization controls, based on analysis of the OAuth 2.0 scope (permissions). Our most concerning discovery involved the ability to add and remove users from privileged roles,…

New Ransomware Statistics Reveal Increased Need for Active Directory Security and Resilience

  • Mickey Bresman
  • Jul 31, 2024

By now, we’re all familiar with the need for an “assume breach” mindset where ransomware and other cyber threats are concerned. To better understand the necessity and challenges of this approach, we partnered with international market research firm Censuswide to ask organizations about their experience with ransomware attacks. What we…

How to Defend Against SPN Scanning in Active Directory

  • Daniel Petri | Senior Training Manager
  • Jul 12, 2024

Service Principal Name (SPN) scanning is a reconnaissance technique that attackers use in Active Directory environments. This method enables attackers to discover valuable services and associated accounts, which can be potential targets for further attacks such as Kerberoasting. Related reading: Protect Active Directory against Kerberoasting. What is SPN scanning? Understanding…

Identity Attack Watch: AD Security News, June 2024

  • Semperis Research Team
  • Jun 28, 2024

As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks and provides additional…

How to Defend Against a Password Spraying Attack

  • Daniel Petri | Senior Training Manager
  • Jun 16, 2024

Active Directory remains a critical infrastructure component for managing network resources, login credentials, and user authentication. Yet its centrality makes it a prime target for cyberattacks. One such evolving cyberattack is password spraying, a threat that's gained in complexity in recent years. Password spraying attacks stand out due to their…

Identity Attack Watch: AD Security News, May 2024

  • Semperis Research Team
  • May 31, 2024

As cyberattacks targeting Active Directory continue to rise, AD security, identity, and IT teams face mounting pressure to monitor the evolving AD-focused threat landscape. To assist IT professionals in comprehending and preventing attacks that involve AD, the Semperis Research Team publishes a monthly roundup of recent cyberattacks and provides additional…

How to Defend Against SID History Injection

  • Daniel Petri | Senior Training Manager
  • May 03, 2024

Security Identifier (SID) History injection is a sophisticated cyberattack vector that targets Windows Active Directory environments. This attack exploits the SID History attribute, which is intended to maintain user access rights during migrations from one domain to another. By injecting malicious SID values into this attribute, an attacker can escalate…