
Tech Brandon
@TechBrandon
Father. Engineer. Learner. Lurker. AD, Entra/Azure & enterprise security specialist. Senior Security Consultant @trustedsec. Fellow Human Being.


@DHAhole @misstennisha @intigriti @zbraiterman @thejonmccoy @BentleyAudrey @Jhaddix @DanielMiessler @jeff_foley @bishopfox @C0d3Cr4zy @caseyjohnellis @MrJeffMan @SW_Samii @0xTib3rius @OliviaGalluccii @rana__khalil @Infosecpat @J3ssa @luizfernandorg @ethicalhacker @irawinkler @CyberWarriorSt1 @ebelardo73 @NahamSec @CSKIP71 @HackingDave @soundslikerhea @Whimmery @Neogenxz @Maekshyft @BrendonKelleyBK @_JohnHammond @JohnnyCiocca #FF @Ell_o_ @PyroTek3 @_wald0 @likethecoins @shenetworks @TheDrPinky @mattacusmaximus @summer__heidi @TechBrandon @JackRhysider @0xteknogeek @riskybusiness @ch0mpaa @k3nundrum @blackgirlshack @Gerald_Auger

Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0






What Cybersecurity opinion will you defend like this?

The recording of my @Disobey_fi talk was published just now. youtu.be/DQ4dnXibaoM


@HackingLZ @IceSolst Imma need those gift cards pronto tho







Last night, John Daghita – a U.S. government contractor who allegedly stole more than $46 million in cryptocurrency from the U.S. Marshals Service – was arrested on the island of Saint Martin by the French Gendarmerie’s premier elite tactical unit in a joint operation with the @FBI. Thanks to the International Cooperation Team Serious Crime Unit of the French Gendarmerie National in Saint Martin, and the Groupe d’intervention de la Gendarmerie nationale of Guadeloupe for the outstanding coordination. FBI will continue working 24/7 with our international partners to track down, apprehend, and bring to justice those who attempt to defraud American taxpayers—no matter where they try to hide.


Last July, you met Maddie, who was diagnosed with NF1 at just 10 months old. 💔 She rang the bell in August 2025, and her latest MRI shows she’s stable! She’ll have a repeat eye exam to check for possible vision changes. Send her encouragement for the days ahead! ✨


In Active Directory, there is a method that’s been around for many years which changes the password last set date but not the actual password. This is what I call a “fake password change” since the account appears to have a recent password when scanning for old passwords based on password last set, but the underlying password hasn’t actually changed. I spoke about this in my 2015 @BSidesCharm talk which was my first conference talk. More details including step-by-step screenshots are here: adsecurity.org/?p=4969

Why does this happen?

There are times where service accounts (or admin accounts) need to have password changes, but someone doesn’t want to do the work to change them. The ability to fake a password change requires modify rights on the pwdLastSet attribute which provides the ability to check/uncheck the setting “User must change password at next logon”. This setting is enabled when you want the user to change their own password when they log on.

How does this work?

This is simple to do when you have rights on the target account (in this example the password last changed in August 2025). We open up Active Directory Users and Computers (ADUC), double-click on the target account to open up the account properties and then click on the Account tab. From here we check the box for “User must change password at next logon” and click Apply. The PasswordLastSet date is now blank, which makes it seem like the account has never had a password set. We continue with our process where we uncheck the box for “User must change password at next logon” we checked and then click Apply. After performing this action, the password change date has now been set to the current date and time even though the password itself hasn’t been changed since August 2025. We have successfully faked a password change!

Why does this happen?

This happens because the “User must change password at next logon” option is used to force a user to change their password at next logon. With it checked, Active Directory is waiting for the user to attempt to log on, which is when the user is directed to change their password. During this time the PasswordLastSet value is blank since it is waiting for a new password. Once the user changes their password, the checkbox is effectively removed and the current date and time are set for the user’s passwordlastset property (technically this is the “pwdlastset” attribute, but the AD PowerShell cmdlets use that property). An attacker could use this technique for an account with an old password they discover and have control of the account (with the ability to flip this bit). This would show that the password changed without it actually changing.

Detect fake Active Directory password changes at scale

I wrote a PowerShell script that will scan either the Active Directory Admins or All Users in the domain to see if there’s a fake password change that has been performed on them. github.com/PyroTek3/Activ…
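Added example, not part of the post above and not the linked script: one way to check for the mismatch it describes is to compare each account's PasswordLastSet with the last originating write to unicodePwd in AD replication metadata, since toggling the checkbox rewrites pwdLastSet but never the hash. The function names, the 5-minute tolerance, the sample accounts and the `dc01.example.test` host are assumptions made for illustration.

```powershell
# Added example: flag accounts whose PasswordLastSet is newer than the last real
# write to unicodePwd (the password hash attribute) in replication metadata.
$ToleranceMinutes = 5   # assumed allowance; a real change stamps both together

function Test-FakePasswordChange {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record,
          [int] $Tolerance = $ToleranceMinutes)
    process {
        # Null PasswordLastSet: "must change at next logon" is still pending.
        if (-not $Record.PasswordLastSet) { return }
        $gap = $Record.PasswordLastSet.ToUniversalTime() -
               $Record.HashLastWritten.ToUniversalTime()
        if ($gap.TotalMinutes -gt $Tolerance) {
            [pscustomobject]@{
                SamAccountName  = $Record.SamAccountName
                PasswordLastSet = $Record.PasswordLastSet
                HashLastWritten = $Record.HashLastWritten
                GapDays         = [math]::Round($gap.TotalDays, 1)
            }
        }
    }
}

function Get-PasswordMetadata {
    # Live collection: needs the ActiveDirectory module and a reachable DC.
    param([Parameter(Mandatory)][string] $Server, [string] $Filter = '*')
    Get-ADUser -Filter $Filter -Server $Server -Properties PasswordLastSet |
        ForEach-Object {
            $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                        -Server $Server -Properties unicodePwd
            if ($meta) {   # no entry if the hash attribute was never written
                [pscustomobject]@{
                    SamAccountName  = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    HashLastWritten = $meta.LastOriginatingChangeTime
                }
            }
        }
}

# Constructed sample records (not real accounts) so the check runs offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = [datetime]'2026-01-15T09:30:00Z'; HashLastWritten = [datetime]'2025-08-04T14:02:00Z' }
    [pscustomobject]@{ SamAccountName = 'adm-jdoe';   PasswordLastSet = [datetime]'2026-01-10T08:00:05Z'; HashLastWritten = [datetime]'2026-01-10T08:00:05Z' }
    [pscustomobject]@{ SamAccountName = 'new-hire';   PasswordLastSet = $null;                           HashLastWritten = [datetime]'2026-01-12T11:00:00Z' }
)
$sample | Test-FakePasswordChange   # only svc-backup is flagged
# Live use: Get-PasswordMetadata -Server 'dc01.example.test' | Test-FakePasswordChange
```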






One of the most enjoyable parts of pentesting for me is the debrief call. I spend typically a week inside these environments, usually around 30-40 hours on average. That’s a very large amount of time condensed down into a very small window. Which means I learn quite a bit about their environment. Not everything of course. But I learn a lot about the things that could hurt that org. Then I spend an hour or so on a debrief call summarizing all of that to them, explaining the risk and impact and how to fix the issues. At the end of that call, the IT team will usually have a drastically different perspective of their environment than they had before the pentest started. They now see things and know about issues they may have never known or discovered. They are now better and stronger because of it. 💪


