Jonathan Crowe
6.7K posts

Jonathan Crowe
@jonathanscrowe
Lifelong noob, Director of Community at @NinjaOne. On Mastodon @[email protected]
The Great State of Maine · Joined September 2010
1.1K Following · 975 Followers

@jonathanscrowe @jsnover Go subscribe and hit notify and you'll know when I post it
Plus have a look around at the catalog of other videos
youtube.com/@DougFinke/videos

🚨 Starting in ~30 min: Jeffrey Snover & I live!
From Pipelines to Agentic Pipelines – PowerShell roots meet agentic AI wave.
Jump in for convo & insights.
Live: meetup.com/nycpowershellm…
Drop 🔥 if watching!
#PowerShell #AgenticAI @jsnover

Jonathan Crowe retweeted

Clawdbot is an infostealer's dream target
There have been a lot of conversations in the past couple of days regarding how awesome ClawdBot is. I tried it in order to understand how it works and it's crazy how much you stand to lose if you get compromised on the same machine you’re running ClawdBot. Everything it knows about you sits in plaintext in two predictable directories: ~/.clawdbot/ and ~/clawd/.
In ~/.clawdbot/, there's config.yaml with all your API tokens (OpenAI, Anthropic, GitHub, Telegram). Your full conversation logs in sessions/. Channel credentials and webhook tokens. Everything needed to impersonate you across your infrastructure.
In ~/clawd/, there's MEMORY.md with your curated long-term memory. Daily logs in memory/YYYY-MM-DD.md capturing everything you've shared. USER.md, TOOLS.md, HEARTBEAT.md documenting your setup, preferences, routines. Session transcripts with secrets you thought were private.
Modern infostealers scrape config directories automatically. When you get popped, they could exfil both directories in seconds. They will read your memory files for context: who you are, what you're building, how you communicate, who you work with.
Now they don't need to guess. They can craft hyper-targeted phishing using your own words and relationships. Or just blackmail you with what you've shared.
Clawdbot knows you better than almost anyone. That knowledge is unencrypted, in known locations, waiting to be scraped.
Make sure to:
• Run Clawdbot in isolated environments for sensitive work
• If you're compromised, rotate everything because they have your entire context
Your Clawdbot workspace is part of your attack surface now. Treat it that way.
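The post's point is that the workspace is a flat pile of plaintext in two predictable directories. The check below is an added example, not code from the Clawdbot project or from the post's author: it walks a workspace, flags files that group/other can read, and flags YAML-style lines whose key looks like a credential. It uses only the layout the post names (~/.clawdbot/config.yaml, ~/clawd/MEMORY.md, ~/clawd/memory/); the file contents and key names are constructed assumptions, not Clawdbot's real schema, and the sample tree is built in a temp directory so it runs offline.

```python
"""Audit an agent workspace for plaintext credentials and loose file modes.

Added example, not Clawdbot code. Directory layout follows the post; file
contents and key names below are constructed and assumed.
"""
import os
import re
import shutil
import stat
import tempfile

# "key: value" lines whose key looks like a credential (assumed naming, not a real schema).
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.-]*(token|secret|api_key|apikey|password|webhook)[\w.-]*)\s*:\s*\S+",
    re.IGNORECASE,
)
TEXT_SUFFIXES = (".yaml", ".yml", ".md", ".json", ".env")


def scan_workspace(root):
    """Walk `root`; report files readable by group/other and lines that look like secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:  # any group/other permission bit set
                findings.append({"path": rel, "issue": "readable_by_others", "detail": oct(mode)})
            if name.lower().endswith(TEXT_SUFFIXES):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line in fh:
                        m = SECRET_KEY_RE.match(line)
                        if m:
                            findings.append({"path": rel, "issue": "plaintext_credential",
                                             "detail": m.group("key")})
    return findings


def build_sample_workspace():
    """Constructed stand-in for $HOME with the two directories the post names."""
    home = tempfile.mkdtemp(prefix="clawd-audit-")
    cfg_dir = os.path.join(home, ".clawdbot")
    mem_dir = os.path.join(home, "clawd", "memory")
    os.makedirs(cfg_dir)
    os.makedirs(mem_dir)
    cfg = os.path.join(cfg_dir, "config.yaml")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write("openai_api_key: sk-EXAMPLE-NOT-REAL\n"
                 "github_token: ghp_EXAMPLE-NOT-REAL\n"
                 "telegram:\n  bot_token: 000000:EXAMPLE\n"
                 "model: example-model\n")
    os.chmod(cfg, 0o644)  # a typical default: group and other can read the tokens
    memory = os.path.join(home, "clawd", "MEMORY.md")
    with open(memory, "w", encoding="utf-8") as fh:
        fh.write("# Memory\n- Works on project X with teammate Y\n")
    os.chmod(memory, 0o600)  # owner-only, the mode you actually want
    daily = os.path.join(mem_dir, "2024-05-15.md")
    with open(daily, "w", encoding="utf-8") as fh:
        fh.write("Shared the staging DB password with the agent today\n")
    os.chmod(daily, 0o600)
    return home


def demo():
    """Build the sample tree, scan it, clean up, and return the findings."""
    home = build_sample_workspace()
    try:
        return scan_workspace(home)
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['issue']:22} {f['path']}  ({f['detail']})")
```

Against the sample tree the scan reports config.yaml once for its 0644 mode and three times for the credential-looking keys; the memory files, chmod'd to 0600, produce nothing even though the daily log mentions a password in prose, which is exactly the kind of context an infostealer still gets for free once it can read the file. Point `scan_workspace` at your real `~/.clawdbot` and `~/clawd` to see what you are exposing.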
Jonathan Crowe retweeted

Having responded to probably hundreds of incidents at this point, from ransomware to APTs, in my experience, the lack of knowledge on how to adequately secure Entra applications and service principals continues to be the biggest knowledge gap most defending teams have.
You should be able to securely configure apps, detect compromise of apps and understand how to investigate compromise of apps. It seems overwhelming at first, but it isn't.
Get started like this
Secure them:
•Use managed identities where possible - negates the need for credential handling
•Limit privilege - reduce both the permissions granted and add additional API-specific restrictions (i.e., don't grant read/write to all SharePoint sites, just the ones an application needs to access). This includes pushing back on vendors or internal teams that request privilege not required
•High privileged applications should have no direct owners - lower privileged users can be granted direct ownership of an app, don't do this, govern the ability to manage applications via Entra ID roles
•Configure credential restrictions such as requiring shorter lived secrets or enforcing use of certificates
•Remove unused apps and service principals, this can prevent existing high privileged apps being leveraged and reduces your supply chain compromise footprint for multitenant apps
•Monitor risk events for service principals like you would users
Detect compromise of them:
•Alert on application creation or application credential creation - may be noisy in large environments, but a good starting point
•Alert on credentials being added to service principals - credentials generally live on the application object, service principal credential creation should be rare
•Alert on permission consent - this can detect not only malicious activity but permission creep
•Alert on anomalous resource access - does your app usually access only Azure Storage, and suddenly it accesses Microsoft Graph? - this may indicate a compromised credential
•Alert on anomalous ASN or location access - does your app usually access only from a specific ASN or country, and suddenly that changes? - this may indicate a compromised credential
Many of these are covered by Defender for Cloud Apps and other tools out of the box, but it is worth ensuring you are covered and that you understand what they actually mean.
Investigate compromise of them:
Know how to query the following logs and understand the events surfaced
•Entra ID sign in data - filter on service principal sign in events via the Entra portal or Kusto in the Defender XDR portal
•Entra ID audit logs - filter on events related to the service principal via the Entra portal or Kusto in the Defender XDR portal. Service principals can be used to further establish persistence, such as creation of users or additional service principals, rinse and repeat for any malicious additions to your environment
•Microsoft Graph - was the compromised app used to access data via Microsoft Graph? You can query via the Defender XDR portal using Kusto to find these events
•Defender for Cloud Apps - did the compromised app access other M365 services? You can query via the Defender XDR portal using Kusto to find these events
•Unified Audit Log - you can retrieve the events related to the compromised app via the audit functionality inside the Defender XDR portal
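The "detect" and "investigate" bullets above describe one piece of logic: build a per-service-principal baseline of which resources it calls and from which ASN and country, flag anything new, and treat a sign-in that follows an "Add service principal credentials" audit event on the same SP as high priority. The block below is an added example, not the thread author's code, written in Python so it runs offline; the same logic maps onto a Kusto query over your sign-in and audit tables. The records are constructed, and the field names are assumptions loosely modelled on the Sentinel AADServicePrincipalSignInLogs and AuditLogs schemas rather than an exact copy of either.

```python
"""Baseline-vs-anomaly checks for Entra service principal sign-ins.

Added example, not from the thread. Records are constructed; field names are
assumptions modelled on Sentinel's AADServicePrincipalSignInLogs / AuditLogs.
"""
from collections import defaultdict
from datetime import datetime

BASELINE_CUTOFF = datetime(2024, 5, 14)  # sign-ins before this form the baseline

# Sign-in field -> finding kind when a value not seen in the baseline appears.
FIELDS = {"ResourceDisplayName": "new_resource",
          "AutonomousSystemNumber": "new_asn",
          "Location": "new_location"}
CRED_ON_SP = "Add service principal credentials"  # Entra audit OperationName

def _rec(ts, sp_id, sp, resource, asn, loc):
    return {"TimeGenerated": ts, "ServicePrincipalId": sp_id, "ServicePrincipalName": sp,
            "ResourceDisplayName": resource, "AutonomousSystemNumber": asn, "Location": loc}

# Constructed sample: billing-sync normally reads Azure Storage from ASN 8075/US;
# after a credential is added to it, it calls Microsoft Graph from a new ASN and
# country, and a never-before-seen SP shows up in the same window.
SAMPLE_SIGNINS = [
    _rec("2024-05-01T08:00:00", "aaaa-1111", "billing-sync", "Azure Storage", 8075, "US"),
    _rec("2024-05-05T08:00:00", "aaaa-1111", "billing-sync", "Azure Storage", 8075, "US"),
    _rec("2024-05-10T08:00:00", "aaaa-1111", "billing-sync", "Azure Storage", 8075, "US"),
    _rec("2024-05-15T08:00:00", "aaaa-1111", "billing-sync", "Azure Storage", 8075, "US"),
    _rec("2024-05-15T03:12:00", "aaaa-1111", "billing-sync", "Microsoft Graph", 24940, "DE"),
    _rec("2024-05-15T03:20:00", "cccc-3333", "exfil-helper", "Microsoft Graph", 24940, "DE"),
]
SAMPLE_AUDIT = [
    {"TimeGenerated": "2024-05-14T22:40:00", "OperationName": CRED_ON_SP,
     "TargetId": "aaaa-1111", "InitiatedBy": "svc-deploy"},
    # Credential on the application object: normal operations, not flagged here.
    {"TimeGenerated": "2024-05-14T09:00:00",
     "OperationName": "Update application – Certificates and secrets management",
     "TargetId": "bbbb-2222", "InitiatedBy": "appowner"},
]

def _ts(rec):
    return datetime.fromisoformat(rec["TimeGenerated"])

def build_baseline(signins, cutoff):
    """Per-SP sets of resources, ASNs and locations seen before `cutoff`."""
    base = defaultdict(lambda: {f: set() for f in FIELDS})
    for r in signins:
        if _ts(r) < cutoff:
            for f in FIELDS:
                base[r["ServicePrincipalId"]][f].add(r[f])
    return base

def detect_anomalies(signins, cutoff):
    """Flag post-cutoff sign-ins with a value the SP never used, or an SP with no history."""
    base = build_baseline(signins, cutoff)
    findings = []
    for r in signins:
        if _ts(r) < cutoff:
            continue
        common = {"sp_id": r["ServicePrincipalId"], "sp": r["ServicePrincipalName"],
                  "time": r["TimeGenerated"]}
        seen = base.get(r["ServicePrincipalId"])
        if seen is None:
            findings.append({**common, "kind": "no_baseline", "value": None})
            continue
        for f, kind in FIELDS.items():
            if r[f] not in seen[f]:
                findings.append({**common, "kind": kind, "value": r[f]})
    return findings

def flag_sp_credential_adds(audit):
    """Credentials normally live on the app object; adds on the SP itself should be rare."""
    return [e for e in audit if e["OperationName"] == CRED_ON_SP]

def prioritise(findings, audit):
    """Severity high when a credential was added to the same SP before the anomaly."""
    cred_times = defaultdict(list)
    for e in flag_sp_credential_adds(audit):
        cred_times[e["TargetId"]].append(_ts(e))
    out = []
    for f in findings:
        when = datetime.fromisoformat(f["time"])
        preceded = any(t <= when for t in cred_times.get(f["sp_id"], []))
        out.append({**f, "severity": "high" if preceded else "medium"})
    return out

if __name__ == "__main__":
    for f in prioritise(detect_anomalies(SAMPLE_SIGNINS, BASELINE_CUTOFF), SAMPLE_AUDIT):
        print(f"{f['severity']:6} {f['sp']:14} {f['kind']:13} {f['value']}  {f['time']}")
```

The normal Azure Storage call on 15 May produces nothing; the Graph call produces three findings (new resource, new ASN, new location), all raised to high because a credential was added to that SP the night before; exfil-helper is flagged as having no baseline at all, which in an investigation is the cue to check the audit log for who created it (the persistence pattern the thread describes). Two weeks of baseline is an assumption; pick a window long enough to cover your SPs' real periodic jobs or monthly batch runs will show up as anomalies.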
Jonathan Crowe retweeted

I’ve discovered that a lot of IT admins have no idea how to search M365 audit logs so here you go: purview.microsoft.com/audit/auditsea…

@ninjaone I want to hear @it_unprofession's biggest IT grievance of the year.

🎉 IT Festivus contests are OPEN!
Comment your answers ⬇️ for a chance to win:
💪 Feat of Admin Strength: your most heroic IT moment
😤 IT Grievance of the Year: what broke you this year?
Prizes: LEGO Enterprise + Bose headphones.
Join us Dec 18 at 1 PM ET 🔥
see.ninjaone.com/ujpYH

Jonathan Crowe retweeted

"How to defend against AI powered attacks?
How to defend against ransomware attacks?
How to defend against APT attacks?
How to defend against cyber attacks? "
Over the years we’ve seen it all.
There’s no real difference when it comes to protecting your org from these attacks.
It’s always the same tune: patch, separate, filter, harden, MFA
It may be a new threat, but the countermeasures that work are always the same.

Jonathan Crowe retweeted

After Months of Development, FINALLY ready to share: Harden System Security🎉
✅ Complete System Hardening
✅ Security Posture Analysis
✅ All-in-One Toolkit
✅ Built-in Intune support for Scalability
✅ Beautiful Modern UI
✅ CLI support
github.com/HotCakeX/Harde…
#Cyber #Windows
Jonathan Crowe retweeted

ps - I created an AD Security resource kit for IT admins. If you want to know where to start & what issues to look for, then this is for you. You can get access to it by signing up for my free email newsletter.
If you're already a subscriber, DM me for the link!
👇 Access it here...
go.spenceralessi.com/adsecurity



I’ve been accepted into the Microsoft MVP Program, in Security - Identity & Access!!!
This is such a super awesome honor, to be among so many folks that I admire.
Me and Active Directory go back more than a decade.
Started in Help Desk, not even knowing what a forest was, resetting passwords and creating new user accounts.
Fast forward to today… I now identify and abuse the same misconfigs I once made myself as a sysadmin.
It’s really a full circle thing for me where I’m able to help IT teams week in and week out through internal pentesting.
Help them correct and avoid the mistakes I made.
The content I make and the stuff I share and try to be a part of serve one mission: to empower, educate, and arm IT/cybersecurity people.
I appreciate the recognition and nomination by Jake Hildreth, who is not just a friend and MVP himself, but also a tremendous asset to the community and a heck of a good dude.
There are too many others to name them all who've been a guide and inspiration for the work I do. But special thank you to @securit360 and my boss @kamakauzy for allowing me to do work I'm passionate about and share that with all of you.
I’m very much looking forward to continuing to spread the good word about Active Directory security. Thank you to the IT/cybersecurity/infosec community!!! 🙏💙

Jonathan Crowe retweeted

Question is… where did he learn that trick from?
spencer @techspence
Never underestimate a properly caffeinated user and a little PowerShell knowledge ☕🔑😆
Jonathan Crowe retweeted

I talk with a lot of cybersecurity experts, and almost everyone knows about the first of these two cartoons. It's great and a classic. But far fewer know about the second one, which is really quite important right now in our industry. #InjectAllTheThings


Jonathan Crowe retweeted

The constantly changing threat landscape requires eternal vigilance and fast reactions. Why, some of these vulnerabilities have only been public for as little as two years!
Defused @DefusedCyber
Ransomware vulns with highest exploit likelihood ⬆️ (past 30d):
- CVE-2021-26857 (Exchange On-Pre..) +210.76%
- CVE-2022-26500 (Veeam Backup & ..) +24.70%
- CVE-2023-27532 (Veeam Backup & ..) +17.62%
- CVE-2022-41352 (Zimbra Zimbra C..) +16.52%
- CVE-2019-5591 (FortiOS..) +13.15%