Loris Ambrozzo
@lorisambrozzo.bsky.social
Security Consultant @baseVISION
Interested in anything related to cloud security and identity topics
Disabling a user account during a security incident removes them from all Microsoft Teams. Private channel membership is not automatically restored. This #KQL query lists all private channels the user was removed from.

github.com/lorisAmbrozz...
November 7, 2025 at 10:06 AM
While diving into Defender XDR Attack Disruption with x.com/nicolonsky, I noticed that the Enterprise App Microsoft Defender for Identity (formerly Radius Aad Syncer) is responsible for the response actions in Entra ID. The #KQL query lists these actions.

github.com/lorisAmbrozz...
April 17, 2025 at 10:53 AM
That's a simple one, but it could also be quite useful in combination with other #detections. 💥 For a few days now, it has been possible to use #KQL to detect when a global admin elevates access to manage all subscriptions and management groups.

github.com/lorisAmbrozz...
February 7, 2025 at 6:45 AM
Check out my first blog post about "Insight on Azure Instance Metadata Service from an attacker and defender perspective" 🛡️⚔️!

lorisambrozzo.medium.com/insight-into...

#MicrosoftAzure #IMDS #MicrosoftSentinel #MicrosoftDefenderXDR
Insight into the Azure instance metadata service from an attacker and defender perspective
Insight into the Azure instance metadata service with analysis on a Windows server and detection in Microsoft Defender XDR
lorisambrozzo.medium.com
December 11, 2024 at 6:45 AM