Skip to content
Search
Get A Demo
Try For Free
    Get A Demo
    Try For Free
      April 23, 2024

      Security Detection Update - 2024-4-23

      Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

      Introduction and Overview

      This week was all over the place! Windows and Cloud Services were the focus of this detection engineering week!

      New Detections

      This update introduces:

      Azure: Privileged Graph API Role Assignment

      These roles can be used for standard administrative activity, but they can also be leveraged by attackers to exfiltrate data, modify users, and make other admin level alterations to your Entra directory. For more information on how this is being abused see the Microsoft article on Midnight Blizzard/NOBELIUM here or the SpecterOps blog post here.

      • Status: Enabled
      • Log type requirement: Azure Entra Directory Audit

      Google Workspace: Custom Admin Role Created

      These can be created for legitimate reasons as organizations may prefer the ability to limit scopes of certain default roles or avoid their use entirely. They can also be leverage by Threat Actors to maintain persistence in an environment and attempt to avoid detection.

      • Status: Enabled
      • Log type requirement: Google Workspace

      Microsoft 365: MFA Device Registered Without Device Details

      This is a net new device and could be the result of normal activity like a user adding an alternate authenticator app that isn't using the Microsoft Authenticator like Duo, 1Password, etc. It also could be indicative of a Threat Actor attempting to add an MFA option they control to satisfy MFA requirements in Microsoft 365 environments.

      • Status: Enabled
      • Log type requirement: O365 ... MS365 .... Azure Entra Active Directory

      Registry Value Tampering: RestrictedAdmin Mode Enabled

      RestrictedAdmin mode is disabled by default on most systems. Threat actors have been observed enabling RestrictedAdmin mode to bypass RDP MFA controls or steal and reuse credential hashes. However, some administrators may choose to enable RestrictedAdmin mode as a part of their security controls. All changes to RestrictedAdmin mode should be expected and authorized. Investigate any unauthorized changes. For more information about RestrictedAdmin mode and related adversarial techniques see our blog post here.

      • Status: Disabled
      • Log type requirement: Windows or Blumira Agent for Windows

      Tag(s): Product Updates , Blog , Product Release Notes , Detection Update

      Amanda Berlin

      Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...

      More from the blog

      View All Posts
      Product Updates
      11 min read | August 5, 2025

      July 2025 Product Releases

      Read More
      New Blumira Pre-built Compliance Reports
      Compliance Security Frameworks and Insurance
      7 min read | July 17, 2025

      Blumira's Compliance Reports: Making Audit Assessments a Breeze

      Read More
      Blumira API
      Product Updates
      5 min read | July 15, 2025

      Streamline Your SecOps with the New Blumira API

      Read More