Have I Been Pwned? Detecting Entra ID Persistence Before Your SIEM Even Existed
Blog post from Stream.Security
The text discusses the persistence techniques attackers use to keep unauthorized access to Entra ID after an initial token-based entry such as phishing; once established, persistence lets them survive token expiration, password resets, and MFA re-enrollment. These techniques include illicit consent grants, rogue device registration, FIDO2 security key registration, guest user invitation, and federation trust backdoors. Each one abuses weaknesses in standard security protocols and configurations, enabling attackers to sustain access without being detected. The text stresses the importance of real-time configuration monitoring over traditional log-based detection, since the latter often fails to identify persistence once it is in place. It suggests using tools like Stream.Security's CloudTwin™ to build a real-time model of the cloud environment's state, providing a more comprehensive approach to detecting and addressing potential security breaches.
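The post's central point is that these five persistence artifacts are visible in tenant state even when the log trail that created them is gone. The following added example (not code from the blog post or from Stream.Security) shows the state-based approach in its simplest form: it diffs two configuration snapshots and flags one finding per technique listed above. The snapshot layout and all tenant values are constructed for this example; the top-level keys are named after the Microsoft Graph resources a real collector would read (`oauth2PermissionGrants`, `devices`, `users`, `domains`, and each user's `authentication/fido2Methods`), but the example does not call Graph and runs entirely offline.

```python
"""State-diff detection of Entra ID persistence artifacts.

Added example: compares two configuration snapshots shaped like Microsoft
Graph responses and flags the artifacts the post lists. Every tenant value
below is constructed; the snapshot layout is an assumption of this example.
"""
from typing import Any

Snapshot = dict[str, Any]

# Constructed baseline: one member user, one device, one FIDO2 key,
# one narrow consent grant, one managed (non-federated) domain.
BASELINE: Snapshot = {
    "oauth2PermissionGrants": [
        {"id": "grant-1", "clientId": "sp-mail-app", "principalId": "user-1",
         "scope": "User.Read"},
    ],
    "devices": [{"id": "dev-1", "displayName": "LAPTOP-01"}],
    "fido2Methods": {"user-1": [{"id": "key-1"}]},
    "users": [{"id": "user-1", "userPrincipalName": "alice@example.test",
               "userType": "Member"}],
    "domains": [{"id": "example.test", "authenticationType": "Managed"}],
}

# Constructed later snapshot: one artifact of each persistence technique,
# plus an existing grant whose scope was widened.
CURRENT: Snapshot = {
    "oauth2PermissionGrants": [
        {"id": "grant-1", "clientId": "sp-mail-app", "principalId": "user-1",
         "scope": "User.Read Mail.ReadWrite"},          # existing grant widened
        {"id": "grant-2", "clientId": "sp-unknown", "principalId": "user-1",
         "scope": "Mail.ReadWrite offline_access"},     # brand-new consent
    ],
    "devices": [{"id": "dev-1", "displayName": "LAPTOP-01"},
                {"id": "dev-2", "displayName": "DESKTOP-Z9"}],   # new device
    "fido2Methods": {"user-1": [{"id": "key-1"}, {"id": "key-2"}]},  # new key
    "users": [{"id": "user-1", "userPrincipalName": "alice@example.test",
               "userType": "Member"},
              {"id": "user-2", "userType": "Guest",              # new guest
               "userPrincipalName": "eve_outside.test#EXT#@example.test"}],
    "domains": [{"id": "example.test", "authenticationType": "Federated"}],
}


def _by_id(items: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    return {item["id"]: item for item in items}


def diff_snapshot(baseline: Snapshot, current: Snapshot) -> list[dict[str, str]]:
    """Return one finding per persistence artifact present in current
    but absent from baseline. No sign-in or audit logs are consulted."""
    findings: list[dict[str, str]] = []

    # 1. Illicit consent grants: new grants, or existing grants with added scopes.
    old_grants = _by_id(baseline["oauth2PermissionGrants"])
    for gid, grant in _by_id(current["oauth2PermissionGrants"]).items():
        if gid not in old_grants:
            findings.append({"technique": "illicit_consent_grant", "object": gid,
                             "detail": f"new grant to {grant['clientId']}: {grant['scope']}"})
            continue
        added = set(grant["scope"].split()) - set(old_grants[gid]["scope"].split())
        if added:
            findings.append({"technique": "illicit_consent_grant", "object": gid,
                             "detail": f"scope widened by {' '.join(sorted(added))}"})

    # 2. Rogue device registration: any device object not in the baseline.
    old_devices = _by_id(baseline["devices"])
    for did, dev in _by_id(current["devices"]).items():
        if did not in old_devices:
            findings.append({"technique": "rogue_device", "object": did,
                             "detail": f"new device {dev['displayName']}"})

    # 3. FIDO2 key registration: new key ids under any user.
    for uid, keys in current["fido2Methods"].items():
        old_keys = {k["id"] for k in baseline["fido2Methods"].get(uid, [])}
        for key in keys:
            if key["id"] not in old_keys:
                findings.append({"technique": "fido2_key_registration", "object": key["id"],
                                 "detail": f"new FIDO2 key on {uid}"})

    # 4. Guest user invitation: new user objects whose userType is Guest.
    old_users = _by_id(baseline["users"])
    for uid, user in _by_id(current["users"]).items():
        if uid not in old_users and user.get("userType") == "Guest":
            findings.append({"technique": "guest_invitation", "object": uid,
                             "detail": f"new guest {user['userPrincipalName']}"})

    # 5. Federation trust backdoor: a domain that became Federated.
    old_domains = _by_id(baseline["domains"])
    for did, dom in _by_id(current["domains"]).items():
        old_type = old_domains.get(did, {}).get("authenticationType")
        if dom["authenticationType"] == "Federated" and old_type != "Federated":
            findings.append({"technique": "federation_trust_change", "object": did,
                             "detail": f"authenticationType {old_type} -> Federated"})

    return findings


if __name__ == "__main__":
    for f in diff_snapshot(BASELINE, CURRENT):
        print(f"[{f['technique']}] {f['object']}: {f['detail']}")
```

Run against the two constructed snapshots, the differ reports six findings (two consent findings, one for the new grant and one for the widened scope, and one each for the other four techniques); diffing a snapshot against itself reports nothing. In practice the baseline would be the last known-good state and the current snapshot would be refreshed continuously, which is what makes the approach independent of log retention.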