Christophe Poirier

@techspence And Who is the more powerfull QSECOFR or Administrator ? Do you know that AS400 command name inspired the powershell command name structure like DSPMSG WKKACTJOB ? Read in a Ms article about Ps history

Coding by hand is going to be a long lost art. Kind of like cobol programmers, AS400 administrators and Active Directory engineers.

@techspence An unplanned power off of big datacenter hosting many critical customer applications after the main breaker tripped due to human error. Many devices never restart. Switch router server disk array san ... during the night. Need to call all possible team member to help

You haven’t experience true fear as an IT admin… until you’ve done a system 21 on an as400. What else can you include in that category? 😅

@SecurityTrybe Nirsoft USBDeview can display it for years nirsoft.net/utils/usb_devi…

Windows keeps a permanent record of every USB device you’ve ever plugged in even after it’s removed.

MDE can detect Responder activity #mde #blueteam this case it was inveigh.

@techspence @PyroTek3 Yes Control paths analysis my favorite pingcastle feature since the begining. And useful to quickly display astual state and progression. Identical control paths not displayed for easier reading.

There is a super awesome bloodhound-like feature in PingCastle health check reports. It’s called “Control Paths.” It’s really really good. A little clunky and not nearly as verbose as bloodhound, but it gets the job done at finding low hanging fruit. PingCastle has built-in logic to detect when there are super dangerous control paths like the one shown in the screenshot. Aka Everyone with insecure permissions on the domain root. Yet another reason why PingCastle is an underrated tool.

@ITSupportBlog Real experience. Two days ago my admin account was "Contained" after a Lssa minidump attempt. I just re enabled my account to see what's happen. Yesterday I discovered that user GPO was no more applied when I rdp to server. Nltest dclist ko etc.. Rpc was denied on DC by contained

Microsoft Defender now prevents threats on endpoints during an attack Predictive shielding in Defender not only responds instantly during an attack but also jumps ahead of attackers, predicting and preventing the next move before it happens with just-in-time hardening controls that block specific attacker techniques to protect critical assets. It acts in two steps: 1. As soon as a compromised asset is contained, Defender predicts the attack paths and tactics the adversary will use next, in many cases narrowing down tens of thousands of possible pathways to just a few with the highest likelihood. 2. Then, it jumps ahead of the attacker and shields those pathways by using just-in-time hardening methods, giving the attacker nowhere to go. Learn more: techcommunity.microsoft.com/blog/microsoft… YouTube: youtu.be/jDRmPoXIaL8?si… #SkilledByMTT #MicrosoftIgnite

@techspence Started with pre release of Windows 2000 in 2000 before the RTM was available. With Echange 5.5 sync with connector agreement, Compaq Proliant not HP. Nostalgia... and the first vbs loveletter and Code Red attacking IIS.

Active Directory is 25 years old this year. My very first exposure to AD was in 2005. Back when I was the “IT guy” for my parents office. Then I got to really start to cut my teeth on AD in 2011, when I got my first IT job in Help Desk. One ironic thing is, the things I thought were normal back then are the things I write up as findings on internal pentests. This is a good reminder of what AD administration was like in the beginning vs what’s required now. techcommunity.microsoft.com/blog/coreinfra…

@NathanMcNulty And do you think Domain auditing(SACL at the domain) is included in this automatic setting. Because there is an issue with recommended MDI Sacl setting. The sdprop process raise 4780 each hour as descendant object is not well managed. I opened an incident with MS support.

Defender for Identity can now automatically configure Windows Event Auditing on your Domain Controllers when using the new v3 sensor 🥳 #configure-windows-event-auditing-with-the-defender-for-identity-sensor-v3x" target="_blank" rel="nofollow noopener">learn.microsoft.com/en-us/defender…

@Pineapple_JoJo @NathanMcNulty Yes get same issue on another customer when 4662 was activated. 1 .3 million events was lost by 24 hors. It was a request from à SOC managed team. I warned them before but they did not listent to me. And they did not know what a Sacl is.

@NathanMcNulty Last time we tried to enable advanced auditing the flood of 4662 events took out our domain controllers at the knees. We had to back it out. Interested to see how this goes for other people.

@NathanMcNulty And expect to get 4719 eventid

@techspence Invoke-dhcpcheckup github.com/akamai/Invoke-…

Active Directory hardening is free…outside of your time. Overall - PingCastle Passwords - FGPP, LAPS, Lithnet Permissions - ADeleg/ADeleginator Applocker - Applocker Inspector/Applocker gen ADCS - Locksmith Logon scripts - ScriptSentry GPO - GPOZaurr Baselines - CIS/Microsoft Attack surface - ASRGen What am I missing?

@techspence You can also quickly get these dangerous delegations from the delegation section on a pingcastle report. And I import data to powerbi

Delegated permissions in Active Directory: silent but deadly 💩💨🤢 For example: Some random user with “FullControl” of the Domain Controllers OU Nessus didn’t find it… The IT team didn’t know it was there… It wasn’t discovered on past pentests… 🧵I found it almost immediately...

Are you monitoring Laps password change ? Encountered a case where Laps password no more change. The local password length was greater than the Laps GPO Evenid 5 admpwd in Applicatio and expirationtime attribute never change. Local admin can block password change. #windowslaps

@techspence A long long time ago, a Microsoft guy said to me. If you have got an issue with AD. First check DNS, 2 check DNS and 3 check DNS.

When it’s not DNS, what is it?

@0gtweet And remember if Turn off Automatic Root Certificates Update is not enabled and windows update is not reachable on your network, you can get 20 seconds time out before connecting to an untrusted certicate application. ie rdp running with a self signing certificate.

Freshly installed Windows contains only 17 root certs in the TRCA. When you browse, new certificates magically appear on the list. I assume (and hope) it's somehow limited and not all root certs are automatically added just because website presents it. Anyone knows how it works?

Today at the post office. ID and Password 😞, the best password manager.

@mysmartlogon Yes and NLA , no printer redir ...

Should I request the presence in a GPO of RDP connection timeouts ? (this will be an informational rule)

@Carlos_Perez I have seen another case, they does not like Protected users because they have to relog each 4 hours.

today for the second time this year I heard as an excuse that a security team does not want to put high priv accounts in Protected Users Group because they have to use FQDNs when they use RDP from a jump box 🤦‍♂️

Sunset effect or Indépendance Day soon. St Raphaël south France

@techspence Found / deployed on two big customers. The better way to detect misconfigurations or cases where kerberoast is not working. And you need to monitor all downgrade, because it's easier for an admin to remove it instead of fix kerberoast issue.

Raise your hand if you use or have seen protected users being used in more environments than you have fingers...