Matt Zorich
adversary hunting @Microsoft GHOST 👻 | author of The Definitive Guide to KQL - https://t.co/HWozKuj5IQ | tweets are my own
Mar 6 5 tweets 2 min read
This is your yearly reminder to go and deploy Microsoft Entra ID Password Protection to improve your password complexity in on-premises Active Directory if you're licensed for it. Over the years, I have collected a list of misconceptions about how this product works, see below:

1. Does not require your DCs to have internet access; the password ban list is distributed from a proxy server/service.
2. Does not require each on-premises password reset event to talk to Azure.
3. Does not require Microsoft Entra/Azure AD Connect.
Feb 27 9 tweets 2 min read
I often read posts on Reddit, here and other social media about adversary in the middle (AiTM) token/cookie theft, and I think people are confused about the security controls available to them to combat it. Let's take a step back: what is AiTM? Think of AiTM as phishing v2.0. Instead of just harvesting your username and password, an AiTM attacker will proxy your connection to a legitimate site through their own malicious infrastructure; frameworks such as Evilginx help facilitate this.
Sep 4, 2023 9 tweets 3 min read
We are often asked to explain token theft to customers, and the impacts of it, via both adversary in the middle and token theft from devices. I have a go-to list of resources I often point customers towards. First, the Token Tactics blog I helped write - microsoft.com/en-us/security… @JeffreyAppel7 has a really great blog he keeps updated about protections against AiTM such as Windows Hello for Business, and what is best suited to use - jeffreyappel.nl/aitm-mfa-phish…
Aug 23, 2023 9 tweets 3 min read
Lots of people are new to M365/Microsoft Entra ID forensics, so I thought I would put together a completely free and open-source forensics 'kit' to learn. First, somewhere to store your data: the Kusto free tier is perfect, zero cost and no card required - aka.ms/kustofree To look at sign-in data, you can use PowerShell to retrieve Microsoft Entra ID sign-in data (or you can just export it from the Azure Portal UI) - learn.microsoft.com/en-us/powershe…
Dec 19, 2022 4 tweets 3 min read
In the last couple of months, I have spent a heap of time back in on-premises Active Directory and collated a list of resources you may find useful:

BloodHound Edges - bloodhound.readthedocs.io/en/latest/data…

AD Security - adsecurity.org/?page_id=4031

ired.team notes - ired.team/offensive-secu…

SID History Persistence - adsecurity.org/?p=1772

How AdminSdHolder & SDProp work - techcommunity.microsoft.com/t5/ask-the-dir…

Recovering from systemic identity compromise - learn.microsoft.com/en-us/azure/se…
Nov 2, 2022 6 tweets 2 min read
Configuring Windows Firewall on your workstation fleet is an underrated security improvement: those devices shouldn't be talking to each other on a lot of the same ports often used for lateral movement. I wrote some #KQL to help build firewall rules out without breaking things. Find devices that have had no inbound SMB in the last 30 days - github.com/reprise99/Sent…