Vlado Vajdic
@vvlado
5.3K posts
Identity protection
Sydney. Joined February 2009
638 Following, 377 Followers
Vlado Vajdic reposted
SpecterOps @SpecterOps
NTLMv1 is still out there. And now it’s easier than ever to break. @skylerknecht walks through how Google’s rainbow tables make NT hash recovery practical, no third-party service required. Check it out! ⤵️ ghst.ly/4vqx9Id
Vlado Vajdic reposted
Red Canary, a Zscaler company
The scales are officially shifting. ⚖️ For a long time, endpoint threats were the undisputed heavyweight of the security world. But the 2026 Threat Detection Report reveals a trend that even our most veteran experts find surprising: Identity threats are now nearly equal to endpoint threats in total volume. As Red Canary evolves from its endpoint roots to broader visibility, this "leveling out" is an insight you simply can’t ignore. 🛡️ Download the full report: bit.ly/451V7Pg
Vlado Vajdic reposted
Omar Sakr @omarsakrpoet
After Oct 7, the government enabled Israeli Australians impacted by the attack to get up to $75K in compensation. There are 250,000 Lebanese Australians, many with family suffering from the illegal attacks and war crimes perpetrated by Israel. What help is being offered to us?
Vlado Vajdic @vvlado
@MPECSInc Yes, that works assuming there are no replication conflicts.
Philip Elder @MPECSInc
ACTIVE DIRECTORY SYSVOL REPLICATION WORKAROUND IF A DC IS TOMBSTONED
Replication Event Log Error: 4012 DFS-R Replication

There are times where a quick FSMO seize, dead DC flatten, metadata clean-up, and re-install of a fresh OS to DCPromo back in does not work and we end up with two, or more, DCs not happy because replication hasn't happened past the tombstone day. We can tweak that setting to get replication going again:

# ToDo Change the Tombstone Number to Re-Enable a healthy SYSVOL
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=365

Remember to reset the setting to the default of 60 days.

# ToDo Reset it Back
wmic.exe /namespace:\\root\microsoftdfs path DfsrMachineConfig set MaxOfflineTimeInDays=60

In the quoted recovery it turned out that someone had set the tombstone to 30 days, which was part of our problem. But we didn't discover that until we got Active Directory to actually start on both servers. Finding a Microsoft Property with this explanation has been difficult so far. Dell: dell.com/support/kbdoc/…
Quoted post from Philip Elder @MPECSInc:

ACTIVE DIRECTORY: FULL RECOVERY COMPLETED
We just walked through a 4-hour process to recover an Active Directory domain where the PDCe VM had its storage pulled out from under it. A recovery was done but the recovered PDCe image was 1 week back from the secondary DC! Oh-Oh! Nothing showed up to the on-site IT until today when things went into a form of lockdown mode.

The loose process:
1: DFS-R BURFLAGS
  ** Had to D4 on PDCe and D2 on Secondary
  *** That failed
  ** Had to D4 on Secondary and D2 on Primary
  *** That worked
  *** Replication still failed
2: ADDS complained about 31 days of no replication
  ** Had to adjust the tombstone on both
  ** Replication still failed
3: FSMO Roles Conflict
  ** Seized FSMO Roles on secondary
  ** Both Secondary & old PDCe showed the correct FSMO Role Holder after this step
  ** But everything still wanted OldPDCe! :-(
4: Re-Run BURFLAGS
  ** D4 on new PDCe and D2 on OldPDCe
5: DCDiag points out disabled Inbound/Outbound Replication
  ** Enable it using RepAdmin
  *** NOTE: A "-" means removing the DISABLE
  *** NOTE: A "+" means setting the DISABLE

Users started tagging the IT Admin that things were starting to connect again!
Why 4 hours? Sifting through those logs was painful. :-(
Oh, and when it comes to "lingering objects" in the logs for replication blogs, do _NOT_ run the steps the "search assistant" comes up with!!! 8-O Dig into the actual Help on the server and Microsoft Learn and a couple of blogs that show how it's done.
Another one pulled out of the hat!

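An added check, written for this page and not Philip Elder's own code, that audits on every DC the two settings his recovery had to touch: the DFS-R MaxOfflineTimeInDays value (his "tombstone", default 60 days) and the repadmin DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL DSA options. It assumes RSAT (the ActiveDirectory module and repadmin.exe) on the machine it runs from, a Domain Admin session, and that CIM/WinRM access to the DCs is allowed.

```powershell
# Added example: audit DFS-R MaxOfflineTimeInDays and replication-disable flags per DC.
# Assumes RSAT is installed and CIM (WinRM) access to each DC is permitted.
param(
    # Default: every DC in the current domain (requires the ActiveDirectory module)
    [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                   Select-Object -ExpandProperty HostName)
)

$defaultMaxOfflineDays = 60   # DFS-R default quoted in the post

foreach ($dc in $DomainController) {
    # DFS-R machine settings live in the root\MicrosoftDFS namespace (same class wmic.exe sets)
    $cfg = Get-CimInstance -ComputerName $dc -Namespace 'root\MicrosoftDFS' `
                           -ClassName 'DfsrMachineConfig' -ErrorAction SilentlyContinue
    $maxOffline = if ($cfg) { $cfg.MaxOfflineTimeInDays } else { $null }

    # "repadmin /options <DC>" prints e.g. "Current DSA Options: IS_GC DISABLE_INBOUND_REPL"
    $optionsText      = (& repadmin.exe /options $dc 2>&1) -join ' '
    $inboundDisabled  = $optionsText -match 'DISABLE_INBOUND_REPL'
    $outboundDisabled = $optionsText -match 'DISABLE_OUTBOUND_REPL'

    [pscustomobject]@{
        DomainController     = $dc
        MaxOfflineTimeInDays = $maxOffline
        MaxOfflineNonDefault = ($null -ne $maxOffline -and $maxOffline -ne $defaultMaxOfflineDays)
        InboundReplDisabled  = $inboundDisabled
        OutboundReplDisabled = $outboundDisabled
    }
}

# To put MaxOfflineTimeInDays back to the default after a recovery (the CIM
# equivalent of the post's "wmic.exe ... set MaxOfflineTimeInDays=60"):
#   Get-CimInstance -ComputerName $dc -Namespace root\MicrosoftDFS -ClassName DfsrMachineConfig |
#       Set-CimInstance -Property @{ MaxOfflineTimeInDays = 60 }
```

A row with MaxOfflineNonDefault set to True is the 30-day surprise the post describes; a True in either ReplDisabled column is what DCDiag flagged in step 5 and repadmin /options with a "-" clears.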
Vlado Vajdic reposted
Steven Lim @0x534c
This article explores a novel attack technique that combines Ghost SPNs and Kerberos reflection to elevate privileges on SMB servers, highlighting a critical gap in traditional detection methods. It details how attackers can exploit stale or misconfigured Service Principal Names (SPNs) in Active Directory—termed "Ghost SPNs"—to manipulate Kerberos authentication and reflect service tickets back to the SMB server, gaining elevated access. The technique bypasses common defenses like LDAP filtering and SPN hygiene, making it stealthy and potent. Semperis emphasizes the need for proactive detection strategies and shares insights into identifying vulnerable configurations and mitigating the threat. semperis.com/blog/exploitin…
Vlado Vajdic reposted
Jim Sykora @JimSycurity
AdminSDHolder is kinda my jam. I wrote the e-book on it. If you work with Active Directory, I highly recommend you give this a skim, or at least check the spoilers in the blog.
Quoted post from SpecterOps @SpecterOps:

AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 @JimSycurity went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ ghst.ly/3Lpmjzv

Vlado Vajdic reposted
Mehmet Ergene @Cyb3rMonk
🚨Detect Actor Token Abuse (#CVE-2025-55241) After verifying the details with @_dirkjan, I created a query to detect Actor Token abuse, regardless of the activity involved. The idea is simple: If these activities are S2S, they should originate from Microsoft service IPs. 🧐 Link to query: github.com/Cyb3r-Monk/Thr…
Vlado Vajdic reposted
📔 Michael Grafnetter @MGrafnetter
Getting ready for my "Domain Controller Firewall: Fact or Fiction" session at #HIPConf25, focusing on the Infrastructure as Code (IaC) approach to Windows Firewall policy management, RPC filters, outbound traffic, hybrid environment challenges, and network service discovery.
Matt Johansen @mattjay
Question I get asked a lot: if you want to figure out whether a Windows PC is clean and secure without wiping it, what would you do? I have my answer but I'm curious what you'd say.
Vlado Vajdic reposted
Horizon3.ai @Horizon3ai
🚨 Fortinet RCE: There's a new critical vulnerability in #FortiSIEM. CVE‑2025‑25256 allows for unauthenticated #RCE attacks, allowing an attacker to gain complete control over the affected system. This includes accessing sensitive data, modifying or deleting system resources, and potentially installing malware or creating backdoors. Horizon3.ai customers are now able to run a Rapid Response test — if you haven't, confirm you're not exploitable at horizon3.ai/attack-researc…. #NodeZero #pentesting #infosec
Vlado Vajdic reposted
Will @BushidoToken
ICYMI: Was just perusing the latest CrowdStrike 2025 Threat Hunting report (crowdstrike.com/en-us/resource…) and check this wild timeline for Scattered Spider - from account takeover to Entra ID bulk user export in <5 minutes 👀
Vlado Vajdic reposted
Fabian Bader @fabian_bader
Wanna play around with #KQL and #Graph? Microsoft just released sample datasets to play around with, and look at this gorgeous visualization for the #Bloodhound schema they offer! Thanks @cosh23 🥰 learn.microsoft.com/en-us/kusto/qu…