adversary hunting @Microsoft GHOST 👻 | author of The Definitive Guide to KQL - https://t.co/HWozKuj5IQ | tweets are my own
Mar 6 • 5 tweets • 2 min read
This is your yearly reminder to go and deploy Microsoft Entra ID Password Protection to improve your password complexity in on-premises Active Directory if you're licensed for it. Over the years, I have collected a list of misconceptions about how this product works, see below:
1. Does not require your DCs to have internet access, the password ban list is distributed from a proxy server/service. 2. Does not require each on premises password reset event to talk to Azure. 3. Does not require Microsoft Entra/Azure AD Connect.
Feb 27 • 9 tweets • 2 min read
I often read posts on Reddit, here and other social media about adversary in the middle (AiTM) token / cookie theft, and I think people are confused about the security controls available to them to combat it. Let's take a step back, what is AiTM?
Think of AiTM as phishing v2.0, instead of just harvesting your username and password, an AiTM attacker will proxy your connection to a legitimate site through their own malicious infrastructure, frameworks such as Evilginx help facilitate this.
Sep 4, 2023 • 9 tweets • 3 min read
We are often asked to explain token theft to customers, and the impacts of it, via both adversary in the middle and token theft from devices. I have a go to list of resources I often point customers towards. First, the Token Tactics blog I helped write - microsoft.com/en-us/security…
@JeffreyAppel7 has a really great blog he keeps updated about protections against AiTM such as Windows Hello for Business, and what is best suited to use - jeffreyappel.nl/aitm-mfa-phish…
Aug 23, 2023 • 9 tweets • 3 min read
Lots of people are new to M365/Microsoft Entra ID forensics, so I thought I would put together a completely free & open-source forensics 'kit' to learn. First, somewhere to store your data, Kusto Free tier is perfect, zero cost and no card required - aka.ms/kustofree
To look at sign in data, you can use PowerShell to retrieve Microsoft Entra ID sign in data (or you can just export it from the Azure Portal UI) - learn.microsoft.com/en-us/powershe…
Dec 19, 2022 • 4 tweets • 3 min read
In the last couple of months, I have spent a heap of time back in on-premises Active Directory and collated a list of resources you may find useful -
Configuring Windows firewall on your workstation fleet is an underrated security improvement - those devices shouldn't be talking to each other on a lot of the same ports often used for lateral movement. I wrote some #KQL to help build firewall rules out without breaking things.
Find devices that have had no inbound SMB in the last 30 days - github.com/reprise99/Sent…
