Clément Notin

8.7K posts


@cnotin

😈 Security research (#ActiveDirectory #EntraID) & pentest 🎉 #CTF @tipi_hack 👨‍💼 Works @TenableSecurity, opinions my own 🪂 https://t.co/4HRwJQ6PUm

France 🇫🇷🗼 Joined February 2011
975 Following, 5.9K Followers
Pinned Tweet
Clément Notin @cnotin
Have you ever wondered how to decrypt “encrypted stub data” 🔐 fields in Wireshark when analyzing Kerberos, RPC, LDAP... traffic? ➡️ Ask no more! medium.com/tenable-techbl… 1. get Kerberos keys 2. give keys to Wireshark in a keytab file 3. get decrypted RPC! Works with NTLM too 😉
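Step 2 of the pinned tweet as an added example (not code from the author's blog post): a writer for the MIT keytab format that Wireshark loads, with a small reader to verify the bytes. Principal names, the sample keys and the realm CORP.EXAMPLE are constructed; the RC4-HMAC key is the account's NT hash, which is why the same file also covers NTLM.

```python
import struct
# Kerberos encryption type numbers (RFC 3962 for AES, RFC 4757 for RC4).
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
ETYPE_RC4_HMAC = 23            # its key is the account's raw 16-byte NT hash
KRB_NT_PRINCIPAL = 1           # name type used for user and service principals

def _octets(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b   # counted_octet_string: uint16 length + bytes
def keytab_entry(principal: str, kvno: int, etype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one entry of a version-2 (0x0502) MIT keytab; every integer is big-endian."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _octets(realm.encode())
    for component in components:
        body += _octets(component.encode())
    body += struct.pack(">IIB", KRB_NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name type, time, vno8
    body += struct.pack(">H", etype) + _octets(key)                          # keyblock
    body += struct.pack(">I", kvno)              # optional 32-bit kvno, used by modern readers
    return struct.pack(">i", len(body)) + body   # int32 size prefix (negative marks a deleted slot)

def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, etype, key) tuples."""
    return b"\x05\x02" + b"".join(keytab_entry(*e) for e in entries)

def parse_keytab(data: bytes) -> list:
    """Minimal reader, used here to check that build_keytab wrote what was intended."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled")
    pos, entries = 2, []
    while pos < len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size < 0: pos = end; continue         # deleted slot
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]; pos += 2
        parts = []                               # realm first, then the name components
        for _ in range(ncomp + 1):
            ln = struct.unpack(">H", data[pos:pos + 2])[0]
            parts.append(data[pos + 2:pos + 2 + ln].decode()); pos += 2 + ln
        _ntype, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        etype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        key = data[pos + 13:pos + 13 + klen]; pos += 13 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype, key))
        pos = end
    return entries
# Constructed sample keys (not real secrets): an AES256 service key and an RC4 (NT hash) user key.
SAMPLE_ENTRIES = [
    ("cifs/fs01.corp.example@CORP.EXAMPLE", 3, ETYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    ("alice@CORP.EXAMPLE", 2, ETYPE_RC4_HMAC, bytes.fromhex("0123456789abcdef" * 2)),
]
```

Write `build_keytab(SAMPLE_ENTRIES)` to a file, then point Wireshark at it under Preferences > Protocols > KRB5 ("Kerberos keytab file") with "Try to decrypt Kerberos blobs" enabled.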
Clément Notin @cnotin
💡 TIL: @SystemInformer (Process Hacker) doesn't catch short lived processes! I always thought it captured all process creations like Procmon. But it actually relies on polling which misses events between refreshes🕵️‍♂️❌ Confirmed by this feature request: github.com/winsiderss/sys…
Dr. Nestori Syynimaa @DrAzureAD
Got some great news last week! My research paper titled "Inside Hackers' Mind: A Qualitative Study of Offensive Security Tool Developers" was accepted to be presented at the iceis.scitevents.org conference at the end of May 🎉 This is (hopefully) the last paper of my PhD dissertation in @uniofjyvaskyla. Thanks to all the hackers who participated in the interviews; the world will now have a better understanding of the great minds behind the offensive tools used daily by thousands!
Clément Notin @cnotin
@insecureagents hi! Have you thought about submitting your podcast to Apple Podcasts? It’d make it easier to subscribe outside of Spotify
Gonzague 👨🏼‍💻 @gonzague
Weird, I thought that when you installed a "fresh" @home_assistant there was no longer that hugely intimidating dashboard by default? (Here, just by connecting an @ajax_systems alarm, we get so much information coming in..)
Rudy Ooms @Mister_MDM
Ever wondered what those S-1-12-1 entries in your Administrators group actually represent? With the new AADSidToNameV2Support feature, Entra group and role SIDs are automatically translated into real names and stored on the device (cached). Here is the blog that explains how it works: patchmypc.com/blog/windows-f… #Intune #MSIntune #Windows #Entra #Windows11 #Azure
Rudy Ooms @Mister_MDM

When you see an S-1-12-1-something SID in (for example) your local Administrators group, you have no idea what it actually represents. Now that’s changing! With the new feature flag active, Windows finally recognizes Entra groups by name. No more guessing which SID resembles which group. It's now perfectly readable. #Intune #MSIntune #Windows #Windows11

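What an S-1-12-1 SID actually encodes, as an added example (not from the blog post linked above): the four sub-authorities are the Entra object's GUID bytes read as little-endian uint32 values, so a SID can be turned back into an objectId and then looked up in a cache of names, which is the idea behind the feature. The objectIds and names in SAMPLE_NAME_CACHE are constructed.

```python
import struct
import uuid

# On a Windows device, Entra ID groups and roles appear as SIDs under the S-1-12-1 identity
# authority. The four sub-authorities are the 16 bytes of the directory object's GUID
# (.NET Guid.ToByteArray() layout, Python's bytes_le) read as four little-endian uint32
# values, so the conversion needs no directory call at all.
ENTRA_SID_PREFIX = "S-1-12-1-"

def entra_sid_to_object_id(sid: str) -> str:
    """S-1-12-1-a-b-c-d -> Entra objectId as a GUID string."""
    if not sid.startswith(ENTRA_SID_PREFIX):
        raise ValueError(f"not an Entra ID SID: {sid}")
    subauths = [int(part) for part in sid[len(ENTRA_SID_PREFIX):].split("-")]
    if len(subauths) != 4 or any(not 0 <= v <= 0xFFFFFFFF for v in subauths):
        raise ValueError(f"expected four 32-bit sub-authorities: {sid}")
    return str(uuid.UUID(bytes_le=struct.pack("<4I", *subauths)))

def object_id_to_entra_sid(object_id: str) -> str:
    """Entra objectId GUID string -> S-1-12-1 SID (inverse of entra_sid_to_object_id)."""
    raw = uuid.UUID(object_id).bytes_le
    return ENTRA_SID_PREFIX + "-".join(str(v) for v in struct.unpack("<4I", raw))

# Constructed stand-in for the objectId -> displayName cache the feature keeps on the device.
SAMPLE_NAME_CACHE = {
    "6f0d2a1e-0c2b-4f4f-9a9f-0123456789ab": "Entra group: Workstation Admins",
    "3b9c7d5e-1a2b-4c3d-8e9f-a0b1c2d3e4f5": "Entra role: Global Administrator",
}

def resolve_administrators(member_sids, name_cache=SAMPLE_NAME_CACHE) -> dict:
    """Annotate local Administrators members: S-1-12-1 SIDs get their cached Entra name;
    anything else (well-known or local SIDs) is left to the OS and mapped to None."""
    resolved = {}
    for sid in member_sids:
        if sid.startswith(ENTRA_SID_PREFIX):
            resolved[sid] = name_cache.get(entra_sid_to_object_id(sid), "unknown Entra object (not cached)")
        else:
            resolved[sid] = None
    return resolved
```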
Clément Notin @cnotin
@kfosaaen hi! I sent you a DM in case you didn't see it, drowned in the spam we get nowadays... I'd love to get your feedback if you have the occasion🙏
Damien N. @CapnChaotik
@SwiftOnSecurity This was a room in a hotel I stayed at years ago. At the very least there was a controllable blind you could lower between the bedroom and that shower.
Jim Sykora @JimSycurity
@cnotin Do you have AD? Then yes, Windows 2000 is still haunting it. :p
Clément Notin @cnotin
👻 Is Windows 2000 still haunting your Active Directory? AD trusts created in the Win2k era never get the WITHIN_FOREST flag, even after later upgrades ➡️ you could misclassify safe internal trusts as risky external ones 💥 ⚠️when "trustAttributes=0" tenable.com/blog/active-di…
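The trustAttributes pitfall from the tweet, as an added example (not code from the linked Tenable post): decode the flag bits and, when the value is 0, fall back to the list of domains in the local forest before calling a trust external. The flag values are the MS-ADTS constants; the trust partners, the forest domain list and the idea of sourcing it from (Get-ADForest).Domains are assumptions for the sample.

```python
# trustAttributes bit flags of a trustedDomain object (MS-ADTS), in increasing bit order.
TRUST_ATTRIBUTE_NON_TRANSITIVE = 0x00000001
TRUST_ATTRIBUTE_UPLEVEL_ONLY = 0x00000002
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x00000004   # SID filtering enabled
TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x00000008
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x00000010
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x00000020
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040
FLAG_NAMES = {
    0x01: "TRUST_ATTRIBUTE_NON_TRANSITIVE", 0x02: "TRUST_ATTRIBUTE_UPLEVEL_ONLY",
    0x04: "TRUST_ATTRIBUTE_QUARANTINED_DOMAIN", 0x08: "TRUST_ATTRIBUTE_FOREST_TRANSITIVE",
    0x10: "TRUST_ATTRIBUTE_CROSS_ORGANIZATION", 0x20: "TRUST_ATTRIBUTE_WITHIN_FOREST",
    0x40: "TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL",
}

def decode_trust_attributes(attrs: int) -> list:
    """Names of the bits set in trustAttributes; bits not in the table are reported as hex."""
    names = [name for bit, name in FLAG_NAMES.items() if attrs & bit]
    leftover = attrs & ~sum(FLAG_NAMES)
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names

def classify_trust(trust: dict, forest_domains: set) -> str:
    """Internal or external? forest_domains holds the lower-cased DNS names of every domain
    of the local forest (assumed to come from (Get-ADForest).Domains) and is only consulted
    when trustAttributes is 0, i.e. when the flags alone cannot answer the question."""
    attrs = trust["trustAttributes"]
    if attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "intra-forest"
    if attrs & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return "forest trust (external)"
    if attrs == 0:
        # Trusts created on Windows 2000 never got WITHIN_FOREST and later upgrades do not add
        # it, so a zero value must not be read as "external" without checking forest membership.
        if trust["trustPartner"].lower() in forest_domains:
            return "intra-forest (legacy, WITHIN_FOREST missing: do not treat as external)"
        return "external (legacy, no attribute set: review manually)"
    return "external"

# Constructed sample: two internal trusts (one from the Win2k era), a forest trust and a
# legacy external trust. Not taken from any real directory.
SAMPLE_FOREST_DOMAINS = {"corp.example", "child.corp.example", "legacy.corp.example"}
SAMPLE_TRUSTS = [
    {"trustPartner": "child.corp.example", "trustAttributes": 0x20},
    {"trustPartner": "legacy.corp.example", "trustAttributes": 0},
    {"trustPartner": "partner.example", "trustAttributes": 0x08},
    {"trustPartner": "oldvendor.example", "trustAttributes": 0},
]

def classify_sample() -> dict:
    return {t["trustPartner"]: classify_trust(t, SAMPLE_FOREST_DOMAINS) for t in SAMPLE_TRUSTS}
```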
Samuel Path @smlpth
I gave a 1h interview on a podcast called Education Futures, talking about recent advancements in AI and their potential impacts on parents and educators. I think many of you will find it interesting and useful. Link to Spotify, Apple Podcast and YouTube below.
Nathan McNulty @NathanMcNulty
@cnotin @sapirxfed @merill You mean attacker tools that fill out the description? Not sure :( But we have an MDR that sees this all the time - axios, OfficeHome, etc., where most things get left as default. So many of these criminals have no idea what they are doing, just following guides/forum support...
sapir federovsky @sapirxfed
If you were an attacker, add a secret to an application. What would you write for the description of the secret? Would you leave it empty? Do you have real-world info on this? @merill 🤭
Clément Notin @cnotin
@sapirxfed @merill I even have a nastier one: null byte! Not visible in the Entra admin center, but you see it in the Graph API list devices output
sapir federovsky @sapirxfed
@merill Lol, emoji?? True story: I once found a new register device with this displayname: 😈
Nathan McNulty @NathanMcNulty
@sapirxfed @merill lol, based on what I've seen, attackers just run tools as-is... which means if tools are adding a unique description, there's a chance for detection. If they use the UI and leave it blank, it uses the portal default, which I suspect most do (or put initials in there)
Clément Notin @cnotin
@merill Haha indeed 😅 I agree with the test title and reco 👌
Merill Fernando @merill
This is a really good question and is one of the tests in the new Zero Trust Assessment that we released yesterday. Yes, apps with expired creds are BAD. Especially if the apps have privileged permissions to various APIs. It's a ticking time bomb since an attacker that gets into your tenant can add new credentials and stay hidden for years. What's worse, at some point in the future, you might see a credential and assume it's a legitimate and active app. You might think it's unlikely, but this is exactly how Microsoft was impacted (see one of the reports we published on how the attacker pivoted from a test tenant that had a very old/unused app with privileged perms). As part of SFI, at Microsoft we are ruthless about test tenants and inactive apps. The tenants are monitored daily and anything that's not needed or not in use is purged asap. With the Zero Trust Assessment, we are now giving you the same visibility into your tenant. However, this is just step one. You need to do the work to action them. Check out aka.ms/zerotrust/demo for more.
Rogue Bogey @roguebogey

If my tenant has 22K applications with expired secrets, is that bad?

Clément Notin @cnotin
@merill Otherwise I’m afraid admins will assume an incorrect fix which is to just delete these creds, or worse add fresh new ones 😅 rather than cleaning the app
Clément Notin @cnotin
@merill Ok I see what you mean. That this app could be re-used later by attackers. Ok so the issue is a privileged app, now unused and improperly cleaned (deleted or at least its privileges removed). Exp. creds are the symptom that it’s a ghost app, ready for cleaning. Not the issue!
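The two threads above (secret descriptions as a detection signal, and expired credentials as the symptom of a ghost app rather than the problem itself) as one added audit example; it is not the Zero Trust Assessment's code or any tool from the thread. The app list is constructed in the shape of a Graph applications listing, and the "privileged" boolean is an assumed simplification of "holds high-privilege API permissions".

```python
import unicodedata
from datetime import datetime, timezone

# Constructed sample, not real tenant data: passwordCredentials carry displayName (the
# description shown in the admin center) and endDateTime as in the Graph API output.
SAMPLE_APPS = [
    {"displayName": "HR Sync", "privileged": True, "passwordCredentials": [
        {"displayName": "rotated 2024", "endDateTime": "2025-01-01T00:00:00Z"}]},
    {"displayName": "Old Test App", "privileged": True, "passwordCredentials": [
        {"displayName": "", "endDateTime": "2022-06-01T00:00:00Z"},
        {"displayName": "a\x00b", "endDateTime": "2030-06-01T00:00:00Z"}]},
    {"displayName": "Reporting", "privileged": False, "passwordCredentials": [
        {"displayName": "reporting-prod", "endDateTime": "2030-01-01T00:00:00Z"}]},
]
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed "today" for the sample

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def description_issue(desc):
    """Empty descriptions and hidden control characters (a null byte is invisible in the
    admin center but present in the Graph output) are worth a second look."""
    if not desc:
        return "empty-description"
    if any(unicodedata.category(ch).startswith("C") for ch in desc):
        return "control-char-in-description"
    return None

def audit_app_credentials(apps, now) -> list:
    """Return (app displayName, finding) pairs. Expired secrets are treated as a symptom:
    an app whose secrets have all expired is a ghost app to remove or de-privilege, and an
    active secret next to expired ones should be confirmed as legitimate, not assumed to
    be a routine rotation (the cure is cleaning the app, not adding a fresh secret)."""
    findings = []
    for app in apps:
        creds = app.get("passwordCredentials", [])
        expired = [c for c in creds if _ts(c["endDateTime"]) < now]
        active = [c for c in creds if _ts(c["endDateTime"]) >= now]
        if expired and not active:
            findings.append((app["displayName"], "all-secrets-expired-privileged"
                             if app["privileged"] else "all-secrets-expired"))
        elif expired and active:
            findings.append((app["displayName"], "active-secret-beside-expired"))
        for cred in creds:
            issue = description_issue(cred.get("displayName"))
            if issue:
                findings.append((app["displayName"], issue))
    return findings

def audit_sample() -> list:
    return audit_app_credentials(SAMPLE_APPS, SAMPLE_NOW)
```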