Ever wanted to learn (or teach) PowerShell? I built an interactive game that teaches principles hands-on in a playful few-hour session. No prior PS experience is required. Originally designed to be instructed for groups, but works great solo too🙌🏻 Readme👇 https://t.co/NPxNdPiFUX

How Windows access tokens work #ThreatHunting #DFIR

ICYMI: Wrote a 2-piece blog to help you catch up from scratch on cloud authentication and authorization from a security perspective. Part 1: How AD, Entra, and Azure interact [ https://t.co/PkCFRV4b0w] Part 2: Access/Refresh Tokens, endpoint artifacts [ https://t.co/6Dt3Pxu28f]

PromptLock leverages Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. These Lua scripts are cross-platform compatible, functioning on #Windows, #Linux, and #macOS 2/6

Was especially fun writing this one! Cloud ransomware is real and it's here!

Cookie theft has evolved. 🍪 Over the last year, stealing cookies on Windows devices has changed significantly for Chromium browsers like Chrome and Edge. Andrew Gomez dives into these changes, how threat actors adapt, & new detection opportunities.

I just started a new blog, and this is my first post. I took a bit of PTO, so this is a little record of some fun I had playing around with Intune during that time. It's about enrollment restriction bypass😄 https://t.co/o9CcXHN4b8

I found that using RegQueryMultipleValuesW to read sensitive registry values bypasses nearly all the EDRs I tested. Alongside NtOpenKeyEx with OpenOptions 0x04, you can read Windows secrets without touching the disk and without SYSTEM. More here: https://t.co/JIRHB23l1s

🚨 SOC Analysts, Incident Responders, and Detection Engineers, Be careful when using the new SessionId information in Entra ID. Learn why 👇 https://t.co/Bwg1rWsje4 #ThreatHunting #DetectionEngineering #IncidentResponse #DFIR

Entra Connect Attacker Tradecraft, by @hotnops Part 1 https://t.co/1TvCeC6zUW Part 2 https://t.co/9oU6rwbixx Part 3

This post is SO GOOD! I knew nothing about easy auth, It's so interesting! And the abuse ideas are so creative! It's not the first time i see how env variables on app lead to such things (See MI research by NetSpy). Go read it! https://t.co/uu4pgl574L

How to find the Entra ID sync server - A new NetExec module🔎 Inspired by the great Entra ID talks at #Troopers25, I looked into how to find the Entra ID sync server. Results: The description of the MSOL account, as well as the ADSyncMSA service account reference this server🚀

If you want to know how to bring your own IDP in Entra, and abuse OIDC protocols for persistence, my x33fcon talk is now on YouTube 😀

My latest blog post just dropped! This time it's about Entra 🆔 "High-Profile Cloud Privesc" revisits an old PowerShell trick to pivot from cloud to endpoint - or how to elevate to Global Admin from 'OneDrive Admin'-equivalent permissions https://t.co/m5pS7VAOeW

Wrote a security intro blog post on authentication and authorization in the cloud. Specifically about AD, Entra, and Azure, involving token-based authentication, and some attack scenarios. Part 2/2 is out soon! https://t.co/PkCFRV4IQ4

EntraPassTheCert. post-exploitation tool that allows attackers to request Entra ID's user P2P certificate and authenticate to a remote Entra joinned machine with it, by @TEMP43487580 https://t.co/llEOI3WQCs

Just released a WinDbg extension to read the IDT :) https://t.co/1BkmCBNTVP

After today’s talk at #TROOPERS25 I’m releasing BitlockMove, a PoC to execute code on remote systems in the context of a loggedon user session 🔥 https://t.co/zXbngHQZDD No need to steal credentials, no impersonation, no injection needed 👌

Troopers just started, and so many things are out already!! https://t.co/gA1ac3ymbD

Including nice tool release 🔥 https://t.co/4v2osVGTfA

Here is the second part of the Windows IPC series. As planned, I've started with RPC. The third and fourth parts will come soon. https://t.co/8LqgWzNhTF