Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,328 questions
Vulnerability Alert - Virtual Machine contains an Entra browser cookie of the user account
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 38%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECH%3C/text%3E%3C/svg%3E)
Carl Hansen
20
Reputation points
Hi Team,
We received a Defender alert recently telling us that there is a Virtual Machine that contains an Entra browser cookie of a user account, providing lateral movement to a Key Vault. This happened after one of our Admin users logged in to Azure Portal within the VM. I tried to replicated this but we are not getting alerts for my account with identical privileges.
We have upgraded software in the VM and cleared cache and cookies for the affected user, but we still get the alerts. There seems to be no documentation on this issue, or how to remediate. The only recommendations in Defender are to update software in the VM, nothing about how to remove the Entra cookie.
Is anyone able to assist?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 0%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Silvia Wibowo 4,006 Reputation points Microsoft Employee2024-11-26T23:18:03.34+00:00 Hi @Carl Hansen , have you asked the affected Admin user to remove browser cookies from the VM? You'd need to delete persistent cookies from Entra authentication cookies.
-
Carl Hansen 20 Reputation points
2024-11-27T01:35:45.96+00:00 Hi @Silvia Wibowo , we had them clear all browser data from the browser and it has still been alerted on by Defender. Today we have deleted the user data folder and everything under it. I will check tomorrow if Defender alerts on the same issue.
-
Carl Hansen 20 Reputation points
2024-11-28T04:13:33.2066667+00:00 Deleting the user data did not fix the issue, we are still getting Defender alerts for the same cookie. I have no idea where else it is seeing this cookie, or how it even read it to begin with.
-
Silvia Wibowo 4,006 Reputation points Microsoft Employee
2024-11-28T04:46:28.56+00:00 Hi @Carl Hansen, what does "Remediation" tab (in the screenshot you shared above) tell you to do?
More info: Remediation Actions in Microsoft Defender XDR.
-
Carl Hansen 20 Reputation points
2024-11-28T04:52:31.4033333+00:00 Hi @Silvia Wibowo , it shows only one recommendation: "Machines should have vulnerability findings resolved". Clicking into that, then shows the following:
- High - W8GQQS - Update Microsoft .net Core - Update
- High - MIVPAG - Update Openssl Openssl - Update
- High - SDVKSN - Update Python Python - Update
None of this refers to the Entra cookie. Is this just a mislabelled finding from Defender? Why does it show an attack path using the cookie, but not say anything about it in remediation? Very confusing.
-
Silvia Wibowo 4,006 Reputation points Microsoft Employee
2024-11-28T22:23:51.71+00:00 Hi @Carl Hansen, Defender is saying that the machine is vulnerable, you should update the affected software to remove the vulnerability. Furthermore, it's explaining what the potential attack on the vulnerability: the cookie can be used for lateral movement. So even if your cookie is deleted, the vulnerability is still there until you update the listed software.
Please check Defender Unified Action Center to determine whether you can approve pending remediation action or other action such as isolating device.
Sign in to comment
Sign in to answer