Rogue Apps Capability
Rich Mozeleski
Rogue Apps is Managed ITDR's latest capability to detect and remediate malicious enterprise applications in your Microsoft tenants. Rogue Apps detects two forms of malicious application: Traitorware and Stealthware.
Traitorware encompasses legitimate applications found by Huntress to be frequently abused by attackers.
Stealthware encompasses globally unique applications created by attackers post-compromise.
At launch, Rogue Apps will detect and disable Traitorware and Stealthware applications in your tenant(s), and disable identities with permissions delegated to these applications. Within the new Rogue Apps dashboard, partners will also be able to view all enterprise applications across all of their tenants for auditing.
Rogue Apps will be launched in Q1 2025.
Rich Mozeleski
Merged in a post:
Ability to see list of all Enterprise & Apps that have access to tenant.
R
Rick Kosick
Would be awesome to be able to see a summary of how many applications and Enterprise Applications have access to a customer's tenant. To find this normally, you have to log into Entra Admin Center, click APPLICATIONS->Enterprise Applications. Very easy to lose track of who has access and not something the average person would normally check. Here's what ours looks like... and it's a shockingly high amount of access!
Rich Mozeleski
Merged in a post:
Application Permission Alerting
D
Dan Birnseth
We recently experienced a breach where the attacker created several Enterprise applications with access to various Graph APIs. They did this after crafter forwarding/deletion rules in a user's email. It would be great to have some kind of alerting around when a user or application gets any administrative privileges. Also when any forwarding rules are created in email... because it's hard to know if they're malicious or not without asking the user.