joe

1.7K posts

@joewaredotnet

Former Microsoft DirSvc MVP (15+years), published author (still poor), nerd (duh), purveyor of nonsense, eternal optimistic cynic. Only 160 chars? Are you insa

Somewhere in Michigan · Joined September 2012
249 Following · 826 Followers

joe @joewaredotnet ·
@MacmodSec They don't tend to document their bugs (because the dev didn't know it was a bug) or when they do stupid things like not validating input. :D

Artur Marzano @MacmodSec ·
@joewaredotnet The catch is that AD doesn't validate that the timezone is composed of bytes between 0x30 and 0x39, and calculates the offset using a formula that can be overflown :) I'm not going to share it yet to let others play, but it's funny that you can't find that anywhere in MS docs :P

Artur Marzano @MacmodSec ·
Quick Christmas challenge - if you run the magic query (whenCreated>=21180101000000.+/959) in ANY Active Directory environment it will perform a full object dump. Why? :)

joe @joewaredotnet ·
@MacmodSec The query date that results from the bug with 21180 is November 1981. I lived through 1981. :) 2024 works even better. Both are moot. Anything after the + (or -) should be a valid string integer value of HHMM **OR** should result in an UNDEFINED query.

Artur Marzano @MacmodSec ·
@joewaredotnet It's definitely a bug, but it can be understood and replicated if you look closely. The query was specifically chosen to cause the date to precede AD, even though it's years in the future

joe @joewaredotnet ·
@SamErde I'd like to thank the academy. It's an honor just to be nominated. 😹

Sam Erde @SamErde ·
Putting legit operations tools like ADFind, PuTTY, and WinSCP under the heading of "Commodity Malware" in a joint cybersecurity advisory feels sensational and irresponsible. (Did Forbes write this?!) 😋 They might as well include Bash, PowerShell, & git! ic3.gov/Media/News/202…

Leo D'Arcy @LeoDArcy1 ·
@joewaredotnet @NerdPyle I would also point out that if you have domain controllers hosted in Azure it's as easy to compromise the domain from the Azure plane as it is using Arc for on-prem. It's why you always want to put DCs in a separate subscription and limit the RBAC

joe @joewaredotnet ·
@NerdPyle I have been thinking what I would most want out of AD, it comes down to better logging for client connections so I don't have to use Wireshark to find things like SSL/TLS/Other info. And proper Property Sets, I should be able to put an attribute into multiple Property Sets.

joe @joewaredotnet ·
@NathanMcNulty @NerdPyle Yep thank you. :) Aware and was involved in raising the issue to MSFT last year, still not thrilled with the awkward position MSFT is bending me over into. :)

Nathan McNulty @NathanMcNulty ·
@joewaredotnet @NerdPyle Just in case you haven't seen it yet, we do have some controls to limit risk a little learn.microsoft.com/en-us/azure/az… I'm still not a fan of a cloud management plane for my on-prem DCs, but when forced to...

joe @joewaredotnet ·
@Ford who in the world thought that the domain email-ford.com was a good idea? Use subdomains so people don't have to investigate the domain to see if some bad actor registered it so they know if an email is legit or not. Just clueless.

joe @joewaredotnet ·
I hate when one of the bugs I find is me not reading my own tool usage properly. It also means I failed on the intuitiveness of a given switch. Double fail. I mean you can't win them all, but still I hate fails even though I know and understand you find success through fails.

joe @joewaredotnet ·
@elonmusk Dude, all due respect, you need to focus on what you are trying to run and less on what others are running. Ripping on FB does nothing to help your company get better. Once the news and magazine articles are all talking about how amazing X/Twitter has become, then talk shit.

Paul Asadoorian @paulasadoorian@infosec.exchange
I want to create one of those "fixer-upper" shows, but instead of homes, we'll come in and renovate your server room. I just can't think of an excellent name for the show...

Justin Elze @HackingLZ ·
@securityweekly Wow a retro show! The kids are making shows about moving to the cloud 😂

joe @joewaredotnet ·
Entra? Not great, not even good. Way better than Azure Active Directory though since it isn't Active Directory in any way shape or form and never was. Hopefully this will clear up some confusion for some people. I recommend people just call it MCI. Microsoft Cloud Identity.