XPGoD

1.1K posts

@XPGoD

About the only IT Guy you know that actually can do it.

Behind you · Joined January 2009
184 Following · 62 Followers
Lina@d0rkph0enix·
Spent my Saturday with a few hundred of my fellow security pals, learning, soldering stuff and things, CTFing, broadcasting analog Hackers, the usual. Another @_BSidesKC in the books!
XPGoD@XPGoD·
@M_haggis Although you weren’t as chatty as Mauricio Valezco or Bhavin Patel, it was wonderful meeting you all years ago. The content will always be fantastic, and I wish you a wonderful period of relaxation before we hear from you again.
The Haag™@M_haggis·
After 5.5 years, today is my last day at Splunk. It's been the best run of my career. Shipped a ton of security content, wrote blogs, built tools, and got to help defenders all over the world operationalize the work fast. Huge thanks to the threat research crew. Sharpest, most generous people I've ever worked with. You made me better every day. Taking some time now to breathe, think, and see what's on the horizon.
EZ@IAMERICAbooted·
Haha nice!! The Activity Logs in production environments have all sorts of neat stuff in there to uncover first party services fun facts. I know that's a heavy topic of your research. That, and the UAL for SharePoint. They have undocumented crawlers in there. One that annoys the most is app@sharepoint. It creates so much noise lololol
XPGoD@XPGoD·
@AFP I thought they were supposed to capture 33 people
AFP News Agency@AFP·
Twenty-two people are to stand trial in France from Monday on charges of murder and other serious crimes centred on a Masonic lodge accused of running hit squads u.afp.com/SbNE
XPGoD@XPGoD·
@IAMERICAbooted Yeah and it’s mostly in my view those CSPM vendors. I did a hefty PoC on around 7 and just the registration of those were super sketchy. This is akin to “yeah the app needs administrator to work” when the real answer is they don’t quite know what the perms are really.
EZ@IAMERICAbooted·
Do you know why Entra App Registrations are such a topic for security? Because there's no good way to secure the secret or cert+key, yet so many vendors require them, internal apps using the M365 APIs require them, and they end up exposed everywhere. Moreover, to this day, I've yet to meet one org that understands the dangers associated with the APIs.
Lina@d0rkph0enix·
@XPGoD OH GOD, IT’S SO GOOD
Lina@d0rkph0enix·
Ok, fam. I need your mayhem. 😂 I am in Minneapolis for work. The work, tomorrow, is a Segmentation Panel for a Customer Event; I am on said panel. I'm having dinner with another member of the panel, and we have agreed that we are both tired of using the house analogy
XPGoD@XPGoD·
@kindnessuae @segoslavia Be careful. Tanium and other toys and tools will just utterly kill ingestion if you get charged by it. Or silence those that should be doing what they need to
Jawad Al Hashmi@kindnessuae·
@segoslavia Script Block Logging fills that gap. Event ID 4104 captures deobfuscated commands that Sysmon simply cannot see.
Ṣẹ́gunfúnmi😎@segoslavia·
Technical question for SOC Analysts: How do you track and review Powershell logs/history when investigating an incident? Note that Sysmon doesn't collect all logs for Powershell.
EZ@IAMERICAbooted·
Happy almost Monday to all you poor blokes who have 10k Agents enabled in your tenant registry and have no idea what they're doing in your environment :p
XPGoD@XPGoD·
When I left I was still some kind of Break the Glass Lite bullshit. Thankfully they didn’t call me when the Okta/Entra cert expired on a Sunday…. Their sheer luck was a user who had an active session that saved that ass. Thank god I am not there. They have no idea what Lifecycles, Management, or Requirements are at the basic level
EZ@IAMERICAbooted·
@XPGoD Omfg lololololol. I'm so sorry you had to live through that
EZ@IAMERICAbooted·
At my previous org, I was a Global admin and IdP super admin (and many more admins with the entire security stack). At my last org, what did global admin mean? All of M365 and Power Platform. All of it. Exchange, SharePoint, Teams, Entra, Intune, Purview, Security Center, Apps Admin Center, Admin Center, Power Platform Admin, Power BI Admin, everything. Yes everything. That was Global Admin.
XPGoD@XPGoD·
@imog @0xMatt This is accurate. Even Salesforce DKIMs the “sandbox” emails (thank god) as they did not do this for quite a while. So if you’re not set up on that… do it!
imog@imog·
@0xMatt What is the solution to this scenario? CEO was getting spoofed to our clients, strong DKIM/DMARC/SPF fixed it. But we do have Salesforce in there. So not a current problem for us, but if it becomes one I don't have a plan yet.
Matt Linton@0xMatt·
Confused that you have strong DKIM/DMARC rules & configured SPF, yet people are still spoofing your CEO's mail in fraud attempts? This may be because you included Salesforce, Mailchimp, or other SaaS in your SPF. Abusers can use free/fraudulent accounts there to spam "as" you.
XPGoD@XPGoD·
@NickBenderKMBC When I was a kid. You always waited for the St. Patty storm from the Alberta Clipper in UP of Michigan to determine: yes spring is here
Nick Bender@NickBenderKMBC·
❄️Snow chances are trending higher from late Sunday afternoon through Sunday night. While the chance of at least 1 inch of snow may seem low (20% to 40%), some weather models are forecasting much higher amounts. There are still many uncertainties, but one thing is certain: northerly winds Sunday evening and night could gust as high as 55 mph—near severe thunderstorm strength. Any snow falling during this time would have significant impacts. March has been known to produce some blockbuster snowstorms and blizzards, and we aren’t there yet, but this is something to pay close attention to.
XPGoD@XPGoD·
@XPlaneOfficial @justinryanio Did he leave? I haven’t seen him in a minute. He has a black topped rarri… I hope nothing bad happened :(
Justin Ryan ᯅ@justinryanio·
Here’s a first look at X-Plane 12 on Apple Vision Pro! With visionOS 26.4 and NVIDIA CloudXR 6.0, the simulator streams wirelessly at up to 4K/120fps to your headset. And if you have a physical yoke or throttle, ARKit uses image detection to recognize them and place them inside your virtual cockpit. 🤯 It’ll be available later this spring.
Nick Vasos@NickVasos·
Lees Summit, MO - storm 17 mi away.
XPGoD@XPGoD·
@ben_williams_wx I think right at sunset you will see a discrete cell in Cass/Jackson
Ben Williams@ben_williams_wx·
Watching this sleeper target near KC later today. Good heating/cape, 3000 ML cape at sundown, profiles favor photogenic supercells/tors, the problem may be storm mode, as bulk shear is mostly parallel to the front, but there is a window for discrete storms or a lead sup…
XPGoD@XPGoD·
@JacobLanierWx @fox4kc Maybe it should conditionally be a separate watch. Not fill the void like nobody looks. The OK watch is 50/40% but KC is 60/40? There is an actual tornado now.. idk maybe the new CIG stuff generated confusion.
Jacob Lanier@JacobLanierWx·
@XPGoD @fox4kc FWIW the tornado risk around KC stays low in my opinion. The higher tornado probabilities are up in Iowa which is also included in this same watch.
Jacob Lanier@JacobLanierWx·
⚠️ The entire Kansas City Metro is now in a Tornado Watch until 4 AM Saturday (though it should be canceled before then). Damaging 60mph & a brief tornado remain possible in tonight's storms. @fox4kc #KCwx #MOwx #KSwx