spencer

If you’ve spent any amount of time in cybersecurity you know that blindly following “industry standards” can sometimes do more harm than good. For example, disabling legacy network protocols is great, until it impacts your manufacturing devices. In this guest blog post I elaborate on this and I share some common pitfalls when designing and implementing security policies. At the end I share some advice for designing policies that work in reality. Ps - Big thanks to @ninjaone for allowing me to share a blog on their website! 🙏 Read here: see.ninjaone.com/umroX

One funny observation about this AI wave is that many companies existed before AI and never said a lick about it… But now they are “AI native” I believe authenticity matters more now than ever.

My core methodology around finding control paths in Active Directory: Unsafe users/groups - everyone, domain users, domain computers, authenticated users, etc. Unsafe permissions - FullControl, Modify, Delete, ForceChangePassword, etc. It’s literally that simple. 

@runresponder Powershell is a great start

@techspence what tool would you use to scan your file server shares for clear-text credentials (as a sysadmin). as a pen tester I'd use something like CME : )

My goto AD toolbelt: PowerView (custom) PrivescCheck (custom) PingCastle ScriptSentry Spray-Passwords (custom) SpoolSample secretsdump[.]py AMSI Bypass (custom) bypass-clm (custom) ADExplorer ADeleg Rubeus Certify BloodHound/SharpHound Locksmith SharpSCCM Inveigh PowerUpSQL Nmap

@Solvist_de Haha nice

Until I stop having conversations where me mentioning LAPS to someone is the first time they have ever heard it, I won't stop making content about this...

@davemccollough Let’s go!!

Started documenting my PenTest+ journey on GitHub. Adding new notes and technical refs as I go. Feel free to follow along if you're studying for this cert. github.com/dave-mccolloug…

CISA published an advisory on endpoint hardening after Stryker. The RBAC guidance is solid. Multi Admin Approval for Intune is not a complete solution either. An attacker with Global Admin can create the second approver account themselves. That is a five minute delay, not a defense. What actually stops this: no standing GA roles, PIM with fresh FIDO2 at activation, and a session revocation circuit breaker that fires the moment bulk wipes start. We have been on Handala/Stryker since March 12. Here is what CISA got right and what they missed. threathunter.ai/blog/cisa-got-… #Stryker #Handala #CISAAlert #IdentitySecurity #MDR

@CroodSolutions Well dang. I’d happy take 30-40 degrees from ya

These temperatures do not belong in March.

@IceSolst It seems like (anecdotally) that there’s actually a non-small number of folks adopting MCP and moving forward with it, building products and services around it even. At what point is it what we get vs fighting for something else?

The frustration with MCP is imo an issue in itself. You don’t want to adopt a system that just pisses people off and frustrates your devs, just because a minority are pushing for it. Th sentiment around MCP is generally negative, for good reasons (see great video below).

@KATLGable Stocking up on hot sauce now I guess

@techspence Sometimes I try blending the two - with mixed results, usually linkedin.com/pulse/back-fro…

Two things (out of many) that I love: Cybersecurity Comedy 👋 if that’s you too…

@CroodSolutions @spellerrer Haha thought the same thing

@spellerrer @techspence The version in Windows or the version in Halo?

What’s on everyone’s bingo card as being the next big zero day?

Don’t forget to read my article all about how to properly secure yourself from this attack, which goes more into detail then the MSFT article: mobile-jon.com/2026/03/16/how…

I know there are commercial solutions that do similar… But this is a huge huge win for less resourced orgs

How many sign-in logging bypasses can Azure Entra ID contain? At least 4.

@wbmmfq Paging @M_haggis sounds wild

A fun new-ish #Clickfix payload has been using Node.js to deploy a local SOCKS proxy, then connecting to Tor over that to download a secondary payload. Maybe I'll do a bit more of a writeup of it later. We'll see how the day goes.

Default rules don’t stop modern attacks. We integrate live intelligence - LoLBins, vulnerable drivers, abused certificates - directly into application control policies. So when you move from “Audit” to “Enforce,” you’re not guessing. You’re enforcing against tools that have already been weaponized in real-world breaches, not hypothetical risks, not generic blocklists, but proven abuse patterns. Move from audit mode to real enforcement. Start your MagicSword trial: magicsword.io/plan

🚨 NEW VIDEO DROP FROM PANDA 🐼 I got a full walkthrough of @ThruntingLabs from @Kostastsale and this platform is different - no simulations. You are investigating REAL intrusions with REAL telemetry - query actual EDR logs in Elastic, Splunk, or Azure Log Analytics. If you're in blue team / SOC / IR or aspiring to be - I highly recommend checking it out 🔗 youtube.com/watch?v=YC-E5D…

@ImposeCost I’d buy 2x

Need new shirt. Impose HEAVY Costs. 😅

“We have to impose heavy costs. We need to do it more often, and we need to do it in a more routine and coordinated fashion,” Lind said. He added that those responses will not necessarily mirror the attacks themselves: “We don’t have to cyber them because they’ve cybered us.” 🔥

@curi0usJack @L1NKD34D How dare you

It's over.

@CDyac9 I remember playing with ms17-010 on my lab. It crashed a DC I tested it on and I thought it was amazing lol

@techspence LOL… I don’t want anything to burn down, but I did enjoy MS08-067 and MS17-010 :)

@EvanKlein338226 Yeah this is not an uncommon phenomena. That’s why I say 99% of vulns don’t matter. Most you can safely auto patch, then use your precious time on the 1%

Real talk. Had a client last week bragging about their AI scan finding 200+ "vulns" - 80% were informational findings they'd never fix, 15% were false positives, and maybe 5% were actually exploitable. Finding vulns ≠ fixing vulns ≠ reducing risk. The remediation gap is where security actually happens.

Sorry folks but, "we found 137 vulnerabilities we never knew were there thanks to AI" doesn't mean you're all of a sudden protected.