Sabitlenmiş Tweet
Lennart
556 posts

Lennart
@pssvdrctry
Systemengineer gone InfoSec w/ @ERNW_ITSec. Everything I say is just my opinion. #Powershell #ActiveDirectory #Azure @[email protected]
Katılım Nisan 2012
411 Takip Edilen113 Takipçiler

@sapirxfed You worry a lot. Keep in mind, how you might feel that you're not as smart, as cool or whatever as others, others feel the same about you! I know why I reached out to you to get your opinion on things! You're a rockstar!
English

@UK_Daniel_Card I didn't test: Would a device code token get a Fido2 claim, if I do MFA with Fido2? That would make the token more powerful than if it just has the MFA claim it has anyways. It could bypass Conditional Access that requires Fido2 auth too. That would even break phishing resistance
English
Lennart retweetledi

During pentests we often have to deal with tasks that can be automated. Some of the best tools for this are ADScan and ADPulse.
ADScan performs both enumeration and attack and is capable of analyzing BloodHound data to guide you through the pentest. It works with and without AD creds and can compromise some labs in just 3-5 minutes
hackers-arise.com/offensive-secu…
@three_cube @_aircorridor #pentesting #redteam

English
Lennart retweetledi
Lennart retweetledi

Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0
English

@whiskeyhacker Rule 12 says: "Scope to eligible users for privileged roles.".
You scope for All Users. Nobody will ever update a Conditional Access Policy when they add new eligible users. The policy is only applied when a role activation happens - by an eligible user you know of or not.
English

Taken from the Stryker Handala / Intune Detection Pack v2
"Check PIM role settings for Global Administrator, Intune Administrator, and Cloud Device Administrator. If you see only the "Require Azure MFA" checkbox and no Authentication Context configured, you have the same gap that enabled the Stryker wipe. Configure Authentication Context with FIDO2 or certificate-based auth today.
Enable Intune Multi-Admin Approval for wipe, retire, and delete actions. Tenant Administration > Multi Admin Approval. Under 10 minutes. No additional licensing required.
Deploy Rule 13 (bulk wipe threshold alert). Five wipes in 15 minutes from a single identity fires the alert. Wire it to a Logic App that calls revokeSignInSessions on the triggering account via Microsoft Graph.
"
link to Detection Pack v2 blog and direct download.
Please share so others can lock down their InTune environments please
threathunter.ai/blog/iran-hand…
English
Lennart retweetledi

I am Daniel Weiss.
Trust and Safety Threshold Analyst at OpenAI.
My job is the criteria.
The criteria is a document. Fourteen pages. Last updated November of 2024. It defines when activity on a ChatGPT account warrants external reporting.
External reporting means telling someone outside the building.
It means calling the police.
In July of 2025, our system flagged an account. The account belonged to an eighteen-year-old in British Columbia. I did not see the flag. The flag went to the review queue. The review queue went to the Trust and Safety team. The team reviewed the account activity and recommended escalation.
They recommended contacting law enforcement.
The recommendation went to leadership.
Leadership consulted the criteria.
My criteria.
The criteria said the activity did not meet the threshold for external reporting.
The threshold is on page six. It is a four-part test. The activity must indicate a credible, specific, and imminent threat to an identified individual or group. Three of those four words are doing the work. "Credible." "Specific." "Imminent."
Leadership determined that the threshold was not met.
The employees disagreed. They said so. They put it in writing.
Leadership filed the writing.
We banned the account.
We did not call the police.
The criteria does not have a field for "call the police." It has a field for "account action taken." The field was filled. The account was banned. The process was followed. The criteria was satisfied.
That was July.
On February 10, 2026, Jesse Van Rootselaar walked into a home in Tumbler Ridge, British Columbia, and killed eight people.
Five of them were children.
He was eighteen years old.
He was the account.
After the shooting, OpenAI contacted law enforcement.
The criteria has a provision for that. Section 4.2: Post-Incident Coordination. After an event, the company may share relevant information with authorities upon request or at the company's discretion.
The criteria provides for calling the police after eight people are dead.
It did not provide for calling the police before.
The employees who reviewed the account in July wanted to make the call. They flagged the account. They wrote the recommendation. They escalated it. They used the system the way the system was supposed to be used.
The system sent their recommendation to the criteria.
The criteria sent it back.
I maintain the criteria. I did not write all of it. Three of us wrote it. Legal reviewed it four times. The phrase "reasonable threshold" appears eleven times. The word "imminent" appears nine times.
The word "children" does not appear.
Canada has summoned OpenAI to Ottawa. AI Minister Evan Solomon will meet with the safety team this week.
I am on the safety team.
I am updating the criteria.
The update will add language ensuring that future flags of this nature will trigger a secondary review process, which will assess whether external notification is warranted based on a revised threshold framework incorporating post-incident learnings and stakeholder input.
The revised framework is not "call the police."
It is a framework.
On the same day Canada summoned us to Ottawa, OpenAI announced Frontier Alliances. Multi-year enterprise partnerships. McKinsey. Boston Consulting Group. Accenture. Capgemini.
The press release used the word "transformative" three times.
It did not use the word "Tumbler Ridge."
It did not use the word "children."
We used the word "children" zero times in the criteria and zero times in the press release and five times in the condolence statement and five children are dead.
The criteria is fourteen pages. It defines when to act. It defined July as not yet. It defines February as too late. The space between "not yet" and "too late" is seven months. In that space, an eighteen-year-old in British Columbia planned what he planned and did what he did and the criteria was satisfied the entire time.
I will tell the Minister that the criteria worked as designed.
I will not tell the Minister that that is the problem.
The account was flagged.
The account was banned.
The criteria was satisfied.
English
Lennart retweetledi

''Managing Privileged Roles in Microsoft Entra ID: A Pragmatic Approach''
#infosec #pentest #redteam #blueteam
trustedsec.com/blog/managing-…
English
Lennart retweetledi


The Badge has always been a challenging & ambitious part of TROOPERS. Due to an unbelievable concatenation of supply chain f*ckups, there is an undeniable chance #TROOPERS24 will have to start without proper badge. We’re doing everything to provoke a birthday miracle…
English
Lennart retweetledi

We just published an almost complete list of talks that have been accepted for #TROOPERS24. Thanks to all of you who participated in the CFP! So many excellent submissions. We really had a hard time to decide which will fit best for this year!
troopers.de/troopers24/tal…
English
Lennart retweetledi

📢 Hello people! Preparations for #TROOPERS24 are running hot! We have just published all trainings that you can sign up for: troopers.de/troopers24/tra… Next up will be the list of talks for this year! 🥳
English









