br.carbs

2.4K posts

@breadpir8

I rt/like cybery things, always striving to be better, thx for the help

USA, joined March 2021
252 Following, 98 Followers
kushi
kushi@kushlulx·
Fffffffffffff right before mythic week c'mon man🤢🩸🤢🤢🩸🐍🐍©️🖤
br.carbs retweeted
WhiskeyHacker
WhiskeyHacker@whiskeyhacker·
Taken from the Stryker Handala / Intune Detection Pack v2: "Check PIM role settings for Global Administrator, Intune Administrator, and Cloud Device Administrator. If you see only the "Require Azure MFA" checkbox and no Authentication Context configured, you have the same gap that enabled the Stryker wipe. Configure Authentication Context with FIDO2 or certificate-based auth today. Enable Intune Multi-Admin Approval for wipe, retire, and delete actions. Tenant Administration > Multi Admin Approval. Under 10 minutes. No additional licensing required. Deploy Rule 13 (bulk wipe threshold alert). Five wipes in 15 minutes from a single identity fires the alert. Wire it to a Logic App that calls revokeSignInSessions on the triggering account via Microsoft Graph." Link to the Detection Pack v2 blog and direct download. Please share so others can lock down their Intune environments. threathunter.ai/blog/iran-hand…
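The bulk-wipe threshold rule and the session-revocation hook described in the retweet above, as an added example in Python (not the Detection Pack's code and not the tweet author's). The audit events, account names and device names are constructed; the three action names are the ones the tweet's Multi-Admin Approval step covers, and the Graph request is the revokeSignInSessions action the tweet says the Logic App should call.

```python
"""Bulk-wipe threshold detection over Intune audit events (added example).

A sliding window per actor implements the "five wipes in 15 minutes from a
single identity" rule, and a helper builds the Microsoft Graph request a Logic
App would send to revoke that identity's sessions. All sample data below is
constructed, not real Intune audit log output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import quote

# Actions the rule counts; Intune Multi-Admin Approval covers the same three.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}
THRESHOLD = 5
WINDOW = timedelta(minutes=15)

# Constructed sample: (UTC timestamp, actor UPN, Intune action, target device).
SAMPLE_AUDIT = [
    ("2026-01-20T09:00:00Z", "compromised.admin@contoso.example", "Wipe", "LAPTOP-001"),
    ("2026-01-20T09:01:00Z", "compromised.admin@contoso.example", "Sync", "LAPTOP-006"),  # not counted
    ("2026-01-20T09:02:00Z", "compromised.admin@contoso.example", "Wipe", "LAPTOP-002"),
    ("2026-01-20T09:04:00Z", "compromised.admin@contoso.example", "Retire", "LAPTOP-003"),
    ("2026-01-20T09:06:00Z", "compromised.admin@contoso.example", "Wipe", "LAPTOP-004"),
    ("2026-01-20T09:08:00Z", "compromised.admin@contoso.example", "Delete", "LAPTOP-005"),
    # Helpdesk also performs five wipes, but never five inside any 15-minute window.
    ("2026-01-20T08:00:00Z", "helpdesk@contoso.example", "Wipe", "PHONE-101"),
    ("2026-01-20T08:20:00Z", "helpdesk@contoso.example", "Wipe", "PHONE-102"),
    ("2026-01-20T08:40:00Z", "helpdesk@contoso.example", "Wipe", "PHONE-103"),
    ("2026-01-20T09:00:00Z", "helpdesk@contoso.example", "Wipe", "PHONE-104"),
    ("2026-01-20T09:20:00Z", "helpdesk@contoso.example", "Wipe", "PHONE-105"),
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_bulk_wipe_actors(events, threshold=THRESHOLD, window=WINDOW):
    """Return {actor: time the threshold was first crossed} for every actor with
    `threshold` or more destructive actions inside any `window`.

    Events are processed in time order (ISO strings sort chronologically). A
    per-actor deque keeps only the timestamps still inside the window; the
    boundary is inclusive, so an action exactly `window` after the oldest one
    still counts toward the threshold.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts_str, actor, action, _device in sorted(events):
        if action.lower() not in DESTRUCTIVE_ACTIONS:
            continue
        ts = parse_ts(ts_str)
        window_events = recent[actor]
        window_events.append(ts)
        while ts - window_events[0] > window:
            window_events.popleft()
        if len(window_events) >= threshold and actor not in alerts:
            alerts[actor] = ts
    return alerts


def revoke_sign_in_sessions_request(actor_upn: str):
    """Build (method, url) for Graph's revokeSignInSessions action on a user.

    Only constructs the request. Sending it (with an app-only token that holds
    User.RevokeSessions.All) is the Logic App's job in the tweet's design.
    """
    return ("POST",
            f"https://graph.microsoft.com/v1.0/users/{quote(actor_upn)}/revokeSignInSessions")


if __name__ == "__main__":
    for actor, when in find_bulk_wipe_actors(SAMPLE_AUDIT).items():
        method, url = revoke_sign_in_sessions_request(actor)
        print(f"ALERT {when.isoformat()} {actor} -> {method} {url}")
```

Only the compromised admin trips the rule; the helpdesk account's five wipes are spread across a shift, which is the false positive the per-identity window is meant to avoid. Tune THRESHOLD and WINDOW to the tenant's normal device-lifecycle volume before wiring the revoke call in.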
br.carbs retweeted
Steven Lim
Steven Lim@0x534c·
🚨 CVE‑2026‑20965: Azure Identity Token Flaw Enables Tenant‑Wide Compromise via Windows Admin Center. Cymulate Research Labs has disclosed a high‑severity vulnerability in the Azure AD Single Sign‑On (SSO) integration of Windows Admin Center (WAC). The flaw allows an attacker with local administrator rights on a single machine to escalate privileges, execute remote code, and move laterally across all Azure VMs and Arc‑connected systems within the same tenant, even without valid Azure credentials. Any Azure VM or Arc‑joined machine running an unpatched Windows Admin Center Azure Extension below version 0.70.00 is exposed. Since version 0.69.0.0 was only released in January 2026, this effectively means all deployments with the WAC Azure extension are at risk unless updated. For defenders, the critical questions now are: What is the blast radius, and which internet‑facing Azure or Arc‑connected VMs are running the vulnerable WAC Azure extension? These systems could provide attackers with a foothold for remote code execution and lateral movement across the tenant. The Defender XDR advanced hunting KQL query below helps security teams quickly identify Azure and Arc‑joined VMs running the WAC Azure extension so they can prioritize patching and containment. 🫡 #Cybersecurity #WACAzureExtension #RCE #DefenderXDR
[tweet media: the KQL query referenced above]
br.carbs retweeted
Matt Zorich
Matt Zorich@reprise_99·
Is 2026 the year you start reducing your on-premises Active Directory footprint? If so, we have published some customer case studies with lessons learnt that may help you with your own journey. learn.microsoft.com/en-us/entra/ar…
Nathan McNulty
Nathan McNulty@NathanMcNulty·
If you have on-prem AD, you can easily extend Hello for Business, Platform SSO, and security keys to AD. Install a module, run a command to set up cloud Kerberos trust, and then configure device policy to use cloud trust. Need help? Let me know! x.com/NathanMcNulty/…
Nathan McNulty@NathanMcNulty

Hello for Business works great with AD integrated apps (Kerberos/NTLM), but it requires setting up a trust model. Very poorly generalized: Hello uses certificates that AD doesn't understand, so we need a way to request a Kerberos ticket with the certs. This is crazy easy now 🧵

Nathan McNulty
Nathan McNulty@NathanMcNulty·
Be extra boss - go passwordless ;) Hello for Business and Platform SSO are pretty easy to configure, and even passkeys on mobile aren't too bad. You don't have to move everyone all at one time - start a pilot, migrate in phases, start reducing password use as soon as possible :)
spencer@techspence

My go-to recommendations for protecting against weak passwords:
- Lithnet AD Password Protection
- Specops Password Policy
Of course there is also Entra Password Protection. Regardless, following some foundational rules does make a difference. Strong password policies. Enforce strong MFA, without exception. And if you're feeling extra boss… look into the passwordless option.

br.carbs retweeted
Merill Fernando
Merill Fernando@merill·
Get ready, folks. 🌟 You’re about to witness ONE. BIG. BEAUTIFUL. ABSURDLY. EPIC. THREAD. 🧵🔥 Some say this might be the MOST EPIC and MOST RIDICULOUSLY LONG identity thread ever written 📗 Bookmark this Honestly… the cover image alone deserves a like + retweet DO IT 😂
br.carbs
br.carbs@breadpir8·
@vxunderground The one where they used Claude by tricking it into doing bad things?
vx-underground
vx-underground@vxunderground·
Call me old fashioned, but I HAVE NOT read the new AnthropicAI report thingie about the AI hacker attack cyber nerd whatevers. Despite this, I am extremely skeptical of the report and its findings.
br.carbs
br.carbs@breadpir8·
@NathanMcNulty @Xenoulis1 @IAMERICAbooted @merill VERY nuanced question: I have a user who auths with passkey to resources in another tenant (B2B). User needs to reboot to authenticate. Would this be their tenant’s settings requiring sign in frequency?
Xenoulis
Xenoulis@Xenoulis1·
Hey @IAMERICAbooted @NathanMcNulty @merill I am putting together a core high-level architecture for essential CAPs for an Entra ID tenant. I have put the design together below and wanted to see if I was missing anything, and linked it to the AU Essential Eight ISM controls.
br.carbs retweeted
Alex Simons
Alex Simons@Alex_A_Simons·
If you have complex Conditional Access (CA) Policies, understanding them and identifying gaps is a challenge. Our CA Optimizer Agent is a great way to enhance security & save time. Learn about updates to this agent and how it simplifies security management techcommunity.microsoft.com/blog/microsoft…
br.carbs
br.carbs@breadpir8·
@NathanMcNulty How widespread or big of a threat is token theft with phishing resistant MFA and conditional access risk policies?
Nathan McNulty
Nathan McNulty@NathanMcNulty·
🎯 All users, all resources, require MFA. Requiring MFA for select apps in Conditional Access policies, like Office 365, leaves huge gaps while prompting users for MFA the same number of times as targeting all resources: MFA is added to the SSO token and used for future requests.
Frank Lesniak
Frank Lesniak@FrankLesniak·
Does anyone know what bearing, if any, the "Use secure DNS" setting in Edge has on Defender for Endpoint? The CIS Benchmark for Edge recommends disabling the setting, which I am trying to rationalize. Ping @NathanMcNulty
br.carbs retweeted
Nathan McNulty
Nathan McNulty@NathanMcNulty·
This was postponed to October 1, so you still have time to check this out. If you have logs you can query, I think this is a good starting point. Let me know if you have improvements :)

let targetAppIds = dynamic([
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
    "1950a258-227b-4e31-a9cf-717495945fc2",
    "0c1307d4-29d6-4389-a11c-5cbe7f65d7fa"
]);
SigninLogs
| where AppId in (targetAppIds)
| where TimeGenerated >= ago(30d)
| where AuthenticationRequirement != @"multiFactorAuthentication"
| where parse_json(Status)["errorCode"] == '0'
| where parse_json(Status)["additionalDetails"] !startswith 'MFA requirement satisfied'
Nathan McNulty@NathanMcNulty

On 9/15, Microsoft starts enforcing mandatory MFA for Azure CLI, Azure PowerShell, Azure mobile app, and your IAC tools (non-Service Principal based) I created a CA template you can import (report-only) to audit these apps (add your IAC ones): github.com/nathanmcnulty/…

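The same filters as the KQL in the retweet above, applied to constructed SigninLogs-style rows so the logic can be dry-run offline before the query is pointed at a real workspace. This is an added Python example, not the tweet author's query; the rows, user names and the fixed reference date are assumptions, and the four AppIds are the ones listed in the query.

```python
"""Audit successful sign-ins to Azure management clients that were not MFA
(added example mirroring the KQL query from the tweet).

The filters are, in the query's order: target AppId, 30-day lookback, not
multiFactorAuthentication, success (errorCode 0), and not a session whose MFA
claim was already in the token. Rows below are constructed, not real logs.
"""
import json
from datetime import datetime, timedelta, timezone

# The four AppIds from the query, with their well-known first-party client names.
TARGET_APPS = {
    "c44b4083-3bb0-49c1-b47d-974e53cbdf3c": "Azure portal",
    "04b07795-8ddb-461a-bbee-02f9e1bf7b46": "Azure CLI",
    "1950a258-227b-4e31-a9cf-717495945fc2": "Azure PowerShell",
    "0c1307d4-29d6-4389-a11c-5cbe7f65d7fa": "Azure mobile app",
}

# Fixed "now" (assumption) so the example is deterministic; KQL's ago(30d) is relative to query time.
NOW = datetime(2025, 9, 1, tzinfo=timezone.utc)

AZ_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
AZ_PWSH = "1950a258-227b-4e31-a9cf-717495945fc2"
AZ_PORTAL = "c44b4083-3bb0-49c1-b47d-974e53cbdf3c"
OTHER_APP = "11111111-2222-3333-4444-555555555555"  # constructed, not a real AppId


def row(ts, upn, app_id, requirement, error_code, details=None):
    """Build one SigninLogs-like record; Status is a JSON string as in the table."""
    return {"TimeGenerated": ts, "UserPrincipalName": upn, "AppId": app_id,
            "AuthenticationRequirement": requirement,
            "Status": json.dumps({"errorCode": error_code, "additionalDetails": details})}


SAMPLE_SIGNINS = [
    # Single-factor, successful, Azure CLI: this is the gap the query is after.
    row("2025-08-30T10:00:00Z", "svc-deploy@contoso.example", AZ_CLI, "singleFactorAuthentication", 0),
    # MFA already required: fine.
    row("2025-08-30T11:00:00Z", "admin@contoso.example", AZ_PWSH, "multiFactorAuthentication", 0),
    # Failed sign-in (MFA challenge pending): not a successful single-factor session.
    row("2025-08-29T09:00:00Z", "dev@contoso.example", AZ_CLI, "singleFactorAuthentication", 50076),
    # Single-factor on paper, but MFA was satisfied by the claim already in the token.
    row("2025-08-28T08:00:00Z", "admin@contoso.example", AZ_PORTAL, "singleFactorAuthentication", 0,
        "MFA requirement satisfied by claim in the token"),
    # Not one of the target clients.
    row("2025-08-28T08:30:00Z", "user@contoso.example", OTHER_APP, "singleFactorAuthentication", 0),
    # Outside the 30-day window (45 days before NOW).
    row("2025-07-18T10:00:00Z", "svc-deploy@contoso.example", AZ_CLI, "singleFactorAuthentication", 0),
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def non_mfa_signins(rows, now=NOW, lookback=timedelta(days=30)):
    """Return the rows the KQL query would return."""
    hits = []
    for r in rows:
        if r["AppId"] not in TARGET_APPS:
            continue
        if parse_ts(r["TimeGenerated"]) < now - lookback:
            continue
        if r["AuthenticationRequirement"] == "multiFactorAuthentication":
            continue
        status = json.loads(r["Status"])
        # errorCode is numeric in the JSON; normalise so 0 and "0" both count as success.
        if str(status.get("errorCode")) != "0":
            continue
        if (status.get("additionalDetails") or "").startswith("MFA requirement satisfied"):
            continue
        hits.append(r)
    return hits


def summarize(hits):
    """Count flagged sign-ins per client: the list to hand to owners before enforcement."""
    counts = {}
    for r in hits:
        name = TARGET_APPS[r["AppId"]]
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = non_mfa_signins(SAMPLE_SIGNINS)
    for r in flagged:
        print(r["TimeGenerated"], r["UserPrincipalName"], TARGET_APPS[r["AppId"]])
    print(summarize(flagged))
```

The "MFA requirement satisfied" exclusion matters: once a user has done MFA, the claim rides along in the SSO token, so later single-factor-looking sign-ins are not a gap. The one remaining hit here is a deployment identity using Azure CLI with a plain password, exactly the kind of account that breaks when enforcement starts and that should move to a service principal or managed identity.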
br.carbs retweeted
Nathan McNulty
Nathan McNulty@NathanMcNulty·
Please stop using private browser sessions for cloud admin accounts. Look, we all know we shouldn't be using admin accounts while signed into our productivity account, but if you're gonna do it, at least use browser profiles so you can enforce compliance. learn.microsoft.com/en-us/entra/id…#how-is-a-prt-used
br.carbs
br.carbs@breadpir8·
@merill Is there an article or blog post about the dangers of having guest accounts? I haven’t seen anything super concrete other than the guests being able to access data someone granted them access to
br.carbs
br.carbs@breadpir8·
@NathanMcNulty New phone: sign in. Old phone: scan the QR code displayed on the new phone. New phone: create a passkey. This was my experience and it seems straightforward.
br.carbs
br.carbs@breadpir8·
@cyber_razz A brute force would be a lot more than just hundreds.
Abdulkadir | Cybersecurity
Abdulkadir | Cybersecurity@cyber_razz·
SECURITY+ KNOWLEDGE CHECKPOINT
A SOC analyst detects that an attacker has gained access to a user's account by repeatedly guessing passwords until successful. After reviewing logs, the analyst confirms there were hundreds of failed login attempts followed by one successful attempt. Which of the following BEST describes this type of attack?
A. Dictionary attack
B. Brute-force attack
C. Credential stuffing
D. Pass-the-hash attack