ryan mc

Long-awaited parallel (threaded) queries arrive in MSTICPy! 🏃‍♀️🏃‍♀️🏃‍♀️ Split big queries into separately executing chunks or across multiple workspaces and clusters.

🚨Small update for TokenTacticsV2 ▫️Two new device platforms ▫️Linux, since it's now supported by Conditional Access ▫️OS/2, because it's not 😁 github.com/f-bader/TokenT…

@svrooij @janbakker_ @DrAzureAD MS indicated that they would release conditional access policies that restrict the issuance of family refresh tokens. I don’t believe that ever came into fruition.

@janbakker_ @DrAzureAD @svrooij Yep! That is the most recent public list that I’ve published.

@DrAzureAD @svrooij @detectdotdev Do you mean this one? github.com/secureworks/fa…

Official confirmation from Microsoft that there is no supported way to rotate nor change DPAPI backup keys! Compromised keys? ➡️ Burn the domain and rebuild a new one 💥

I know a lot of excellent people are looking for jobs right now. We have several openings at @redcanary, including my peer, Senior Director of Detection Engineering, and a Threat Hunter on a team I lead. I hope you'll consider applying or sharing. redcanary.com/job-openings/

Small update to roadtx, with thanks to @Flangvik for the idea: you can now do the interactive authentication with a "borrowed" ESTSAUTHPERSISTENT cookie from a browser, to get tokens or have an authenticated browser session.

New blog is out! OneDrive to Enum Them All trustedsec.com/blog/onedrive-… Major updates: • database storage • logging of previous runs • easily append digits or strings to usernames • stale job detection • skip tried usernames Special thanks to @DrAzureAD and @thetechr0mancer!

@DrAzureAD brings some valid points. MemberLevel user can read CA Policies. This has not always been understood, since the GUI and MS Graph requires roles for this, but not Azure AD Graph API. Also means, that if you have gaps in CA, those can be read by normal user

@Secureworks' latest Threat Analysis report "Tampering with Conditional Access Policies Using Azure AD Graph API" out now! 1️⃣ Regular users can read Conditional Access Policies (CAPs) 🤔 2️⃣ Administrators can modify CAPs without proper logging 😲 secureworks.com/research/tampe… #IWorkForSecureworks

@424f424f If you are curious how tokentactics exchanges the refresh tokens for other audiences, check out FOCI: github.com/secureworks/fa…

This Friday I'll be running an #AzureAD token workshop in @NorthSec_io conference, Montreal, Canada. Here are some teasers 😋 nsec.io/schedule-works…

Next version of #AADInternals will be published during the @BlackHatEvents #BHAsia on May 11th at #BHArsenal! Some teasers: ◾ Exploitation tooling for findings covered in our Briefings talk with @SravanAkkaram 😈 ◾ Totally re-written token handling 🤞 ◾ Automatic FOCI client handling (thx to @detectdotdev) 🔥

Into Windows security / forensics? I just released a post I started writing 3 years ago: blog.christophetd.fr/dll-unlinking/

I've long been interested in how EDRs work under the hood and how we can apply a more evidence-based approach to evasion. I'm happy to announce that I've written a book covering these topics with @nostarch which is now available for preorder 🎉 nostarch.com/book-edr

This quarter @Secureworks had two researchers in the @msftsecresponse researcher leaderboard🔥 Congratulations to all other researchers who made it, great job everyone! My colleague @SantasaloJoosua have had a fantastic streak this year keeping us all safe - so proud of working with him ❤ msrc.microsoft.com/leaderboard #WeWorkForSecureworks

@DrAzureAD @ManuelBerrueta Reads like an #aadinternals tutorial :)

@ManuelBerrueta 👀

#AADInternals TTP 👀

New chapter of #AzureAD Attack & Defense Playbook: Are you looking for a way to track and verify your identity security posture? @samilamppu, @PitkarantaM and I have worked on a solution which includes also comparison to recommendations and #MITRE mapping. github.com/Cloud-Architek…

I'll deliver a workshop, "Tokens, everywhere!" at @NorthSec_io, Montreal 🇨🇦 in May! In this hands-on deep-dive, I'll cover #AzureAD #OAuth implementation, different token types, #FOCI, and various attack scenarios. Check out details and get tickets at nsec.io

Check out this new doc that lists all the 🍪 cookies involved in an Azure AD authentication. 😀 learn.microsoft.com/azure/active-d…