Sebocat

2.9K posts

Sebocat banner
Sebocat

Sebocat

@Sebocat

#InfoSec #Bluehat #SystemEngineer - loves #Deep #Tech #House #Techno Mastodon: https://t.co/sTwkVKFJMV

Everywhere Katılım Ekim 2009
246 Takip Edilen117 Takipçiler
Sebocat retweetledi
Formula 1
Formula 1@F1·
HE’S DONE IT!!! 🤩 LEWIS HAMILTON WINS THE BARCELONA-CATALUNYA GRAND PRIX!!! 🏆🎉 #F1 #BarcelonaGP
Formula 1 tweet media
English
3.7K
62.5K
279.1K
7.1M
Sebocat retweetledi
AppControl.ai
AppControl.ai@Appcontrolai·
This is a weekly reminder that users (nor agents) should hold the privilege to run unvetted code from anywhere. It's the single biggest mistake orgs have made and keep making against the principle of least privilege. The time to start controlling what code to allow is now! #acfb
English
0
2
2
87
Sebocat
Sebocat@Sebocat·
@NathanMcNulty I also like the built-in browser rendering, no need for Adobe, PDF X-Change would also be an alternative ☺️ but if Adobe is in use, wouldn't App Control mitigate an attack with that CVE? Not sure if AppLocker could do it, too
English
1
0
2
54
Nathan McNulty
Nathan McNulty@NathanMcNulty·
Better yet, just remove Adobe Reader and use the built-in browser rendering by default If users need some special feature only in Reader, make it available in your MDM on request Now do this for every unnecessary app you deploy to all users, instant security/vuln management win
Haifei Li@HaifeiLi

Fun fact about the Adobe Reader 0day: actually, it's the "AdobeCollabSync.exe" ("C:\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe") process who communicates to the attacker-controller server, not the "Acrobat.exe". Therefore, if you're hunting the threat with your e.g EDR telemetry, you may want to look at that "AdobeCollabSync.exe" process too. #threatintel

English
13
17
169
24.2K
Sebocat
Sebocat@Sebocat·
@wdormann @NathanMcNulty @TheWMIGuy @arekfurt Are these VMs Domain-Joined or EntraID-Joined? "Smart App Control is disabled on devices enrolled in enterprise management. We suggest enterprises running line-of-business applications continue to use App Control for Business." #smart-app-control" target="_blank" rel="nofollow noopener">learn.microsoft.com/en-us/windows/…
English
0
0
1
28
Sebocat
Sebocat@Sebocat·
@TheWMIGuy @NathanMcNulty So without the ISG option it would be blocked or would Store Apps still be able to be installed (supposing that winget is not deactivated/controlled per GPO)? As i remember there is the additional option "Enforce Store Applications" in App Control Policies?
English
1
0
1
54
Sebocat
Sebocat@Sebocat·
@techspence Would be awesome if every company would just implement the official MS Edge Security baseline, where browser extensions are blocked by default ☺️
English
1
0
2
66
Sebocat
Sebocat@Sebocat·
@UK_Daniel_Card UnigetUI is excellent - i use it as managed installer in App Control (fka WDAC) ☺️
English
0
0
1
22
mRr3b00t
mRr3b00t@UK_Daniel_Card·
@Sebocat @therealshodan I'm not sure..... potentially (sorry I think yes honestly Notepad++ should say not me)
English
1
0
1
57
mRr3b00t
mRr3b00t@UK_Daniel_Card·
Notepad++ had a security incident, their download page is 'interesting...... #SlavaUkraine (but from corporate security point of view I'm still wondering what my actions should be.... there's been no IOCs released)
mRr3b00t tweet media
mRr3b00t@UK_Daniel_Card

'The incident began from June 2025. Multiple independaent security researchers have assessed that the threat acotor is likely a Chinese state-sponsored group, which would explain the highly selective targeting obseved during the campaign.' #NotepadPlusPlus #Notepad #Compromised #Cyber #Incident

English
20
14
246
59K
Sebocat
Sebocat@Sebocat·
@UK_Daniel_Card @therealshodan One question - if DEVs only updated over WinGet, should it be safe? Because Winget always got it from GitHub, but not sure if that was a 'safer' update path? 😵‍💫
English
1
0
1
38
Sebocat
Sebocat@Sebocat·
@UK_Daniel_Card @therealshodan Thanks for all the infos here, and very interesting and excellent conclusion 😎 i use VS Code instead of Notepad++ for nearly 2 years, did not regret it...
English
1
0
1
49
mRr3b00t
mRr3b00t@UK_Daniel_Card·
@therealshodan yes that's the same conclusion many (including me) have come to I think!
English
1
0
1
126
Sebocat
Sebocat@Sebocat·
@KI_NunoCarvalho @IAMERICAbooted It's still possible with Intune as Managed Installer and the default baseline from MS, Pahrules Supplemental Policy to Program Files, Program Data and Windows Folders, and installing software with a managed installer like Intune, ConfigManager, UnigetUI - depends on usecases ☺️
English
0
0
1
16
EZ
EZ@IAMERICAbooted·
Do you know how many times Ive seen WDAC enabled in an org? Absolutely Zero Friends dont let friends do WDAC. Friends let foes do WDAC so the foes head is on the chopping block :p PS: cyberark epm is an abstraction of wdac :p
English
7
1
27
4.8K
Sebocat
Sebocat@Sebocat·
@IAMERICAbooted From my AppLocker experience since nearly 12 years i can confirm, that it was a very painful and long way to get it in enforced state 😄 the most important thing is to have a dedicated team for packaging and deployment
English
0
0
2
122
EZ
EZ@IAMERICAbooted·
@Sebocat We'll see how that works out in the long term :p Availability incidents are very real. User experience incidents are very real.
English
1
0
3
392
Sebocat
Sebocat@Sebocat·
@UK_Daniel_Card @m0bilej0n @Mister_MDM @en4rab Wow, does this guy in the video really recommend to basically turn off secure boot, credential guard, HVCI or Windows Hello (for Business) in Windows 11? Or device based PKI-certificates binded to TPM for Always-On VPNV2? Very interesting 😃
English
1
0
3
78
EZ
EZ@IAMERICAbooted·
Would you hire an Active Directory admin that doesnt know Kerberos? Would you hire an M365 admin that doesn't know Oauth?
English
13
5
58
17.6K
Sebocat
Sebocat@Sebocat·
@UK_Daniel_Card @IAMERICAbooted @DebugPrivilege Yeah, i know that DAs hate PAWs and worldwide not many will use them 😂 it was very hard work to implement this in our company, but after years passed by, they learned to cope with it ☺️
English
0
1
1
747
mRr3b00t
mRr3b00t@UK_Daniel_Card·
@IAMERICAbooted @DebugPrivilege That's very lovely of you to say, I think it's created chasms in my brain and that I try to not remember anything because I will remember how insane everything in the world is :D x
English
1
0
1
88
Sebocat
Sebocat@Sebocat·
@NathanMcNulty And with App Control you're safe because of the default enabled feature 'Runtime FilePath Rule Protection' ☺️
English
1
0
1
48
Nathan McNulty
Nathan McNulty@NathanMcNulty·
Such is the case with most security measures, particularly authorization tools like app control and conditional access Having policies in place is much better than not having them, even if they have gaps Most attacks are opportunistic, automated, and can't recover from blocks
jungman@notajungman

@techspence and with that said, unless they did something radically wrong, it still probably made getting an initial foothold from outside a real PITA. Awesome that they had it deployed, and sometimes, when doing in flight engine repair, can't let perfect be the enemy of running in prod

English
3
3
25
9K
Sebocat
Sebocat@Sebocat·
@MyNameIsMurray @CyberCakeX @NathanMcNulty @CynicLib App Control with managed installer is one of the best features, ISG is interesting, too. We additionally test UnigetUI as another managed installer for a DEV scenario, works perfect. And App Control Manager from @CyberCakeX is an amazing tool, highly recommended 👌🏻
English
1
0
4
79
Murray
Murray@MyNameIsMurray·
@CyberCakeX @NathanMcNulty @CynicLib Including Microsoft's own features and released binaries. The standouts included anything using the WIP certificate signing, and a bunch of Optional Feature DLLs that had no signing at all. Combine that with no set app list, meant it was hugely disruptive as a solution.
English
1
0
1
105
Murray
Murray@MyNameIsMurray·
Anyone got any hints, links or other for how to best manage AppLocker policies in Intune? I'm noticing some "weirdness" that I'd like to find answers for, and everything just talks about creating an initial policy to block an app or two, and don't go into enough detail...
Murray tweet media
English
4
0
3
1.3K