spencer

52.3K posts


@techspence

🛠️ Former Sysadmin, now Pentester | Microsoft MVP | Helping IT teams make their environment harder to attack | @SecurIT360 & @CyberThreatPOV

🏰AD Security Resource Kit ⬇️ Joined November 2010
2.9K Following 16.6K Followers
spencer@techspence·
The accountability for developer endpoint security doesn't fall entirely on IT/Security or even the devs themselves. Package managers and software vendors MUST also take accountability and improve security of their ecosystems.
spencer@techspence

x.com/i/article/2064…

spencer reposted
Daniel Bradley@DanielatOCN·
msadminroles.com tracks which Graph API permissions can be used for each built-in Microsoft Admin role. And it also keeps track of changes, allowing you to compare the difference when roles are updated! 🚀 A challenge for those writing Microsoft Graph PowerShell scripts is knowing which Graph API permissions work for which Role. This is because there is no mapping between the two, as they work on independent authorisation planes. I asked Microsoft about this challenge last year and it wasn't something they planned to solve... Yes, some Graph API endpoints provide a "least privileged role" in the documentation, but it doesn't solve the problem, which is why I built this utility. #Microsoft #Entra #Roles
Troy@OderintMetuant·
@techspence How many organizations have implemented a true Zero Trust environment? I’m guessing very few. I think it’s more of a “wish” with little progress being made.
spencer@techspence·
There’s going to be exponentially more software vulnerabilities discovered over the next five years. But still only a small percentage of those are going to materialize into something that’s going to hurt organizations. Instead of finding more vulns, we should put $$ and effort into: 1) figuring out which vulns could be really bad 2) coordinating discourse and remediation at scale 3) hardening systems so no single vuln can “bring us down”
pwrflcat@Darkwebcomputer·
@techspence I asked if we could stand up a domain controller and they said “we don’t make them anymore. We don’t know how”
spencer@techspence·
@merill @Slav636 I venture to guess our clients are different too, which changes our perspectives. My clients skew SMB, not as many enterprise.
spencer@techspence·
@merill @Slav636 I hear you, and actually agree, most CAN. But there are hidden costs like the upskilling and training required to do so. That’s not to say an org shouldn’t make the move, but it’s not as easy as it seems on the surface.
Chris Whitfield@merddyn·
@techspence @merill I tried really hard to get a customer that was a net new greenfield to go Entra only. They just couldn’t wrap their heads around the idea, so we had to deploy AD.
SwiftOnSecurity@SwiftOnSecurity·
Wireshark should add a button that lets you PayPal someone $100 and they explain wtf is going on with this TCP stream.
spencer@techspence·
I have 6 kids and an amazingly supportive wife. I’ve been working from home since 2020. There’s 0% chance I could be as happy or productive working in an office. To each their own 🙏
Harry Stebbings@HarryStebbings

Why Remote Work is White Collar Fraud. "I have a three-year-old and a five-year-old. The idea that I could do any work at my house is like a total fantasy. The kids come home at 3pm, your work day needs to keep going. I'm highly against it." @typesfast

spencer reposted
Kostas@Kostastsale·
One of the hardest problems in malware and threat research is access to realistic infrastructure that can be used safely. I had this crazy idea for a while now. Some ideas sound unrealistic until enough pieces start coming together. But the more I used this infrastructure for my own research, the more obvious the next question became.

Advanced deception infrastructure that trusted researchers could access on demand, not a toy lab. Something closer to real infrastructure, with physical machines, servers, exposed services, telemetry pipelines, and environments modeled around specific industries.

The infrastructure has existed for a while, and I have been using it for different research purposes. At some point I thought, if this is useful to me, it’ll be useful to others too. Researchers who want a well-built environment to safely detonate malware, observe telemetry, study tradecraft, and understand how threats behave in conditions that feel real, in both the short term and long term.

There are hard problems to solve around safety, trust, access control, isolation, abuse prevention, and operations. But this is getting closer to reality. The goal is to make high-quality deception infrastructure-as-a-service more accessible to trusted individual researchers, not only large enterprises. We are talking bare metal machines and access to full telemetry, from Windows event logs to EDR and network. Windows, macOS and Linux.

Still early, but it is finally starting to take shape. If this sounds useful to you as a researcher, or you want to help shape it, reach out. I would be open to partnering with folks I know.
mRr3b00t@UK_Daniel_Card·
I've been using @claudeai loads for the last year to build tools which can be used offline and are without LLM integration. At some point I will start making some LLM integrated tools.... But I think there's lots of value in security tooling that is isolated.