24/7 Active Directory Incident Response Contact:.Tel. 49 (0) 6221 7569637.E-mail: incident-response@ernw.de.

Windows Hello for Business – Past and Present Attacks, by @insinuator #TROOPERS25.

RT @DirectoryRanger: 24/7 Active Directory Incident Response Contact:.Tel. 49 (0) 6221 7569637.E-mail: incident-response@ernw.de.

Step-by-Step Guide: How to setup conditional access reauthentication policy for PIM.

Registry Hive #DFIR.Documentation Data Types Data Types cont. Data Types 4

RT @0x534c: Detect anomalous external OAuthApp activity using 🆕ActorInfoString 🔥. KQL Code:..

Dissecting RDP Activity #DFIR.

RT @netbiosX: Enumerate Domain Users Without Authentication

Microsoft Entra Dangerous Defaults, on @heisec.

RT @TEMP43487580: Also dropping the link to the new feature added to BAADTokenBroker.

RT @ShitSecure: The slides from the talk can be found here:.

RT @fabian_bader: My colleague Pascal did an outstanding job dismantling a info stealer that was found in the onboarding phase of a new cus….

RT @SpecterOps: This is your reminder to join @Jonas_B_K's talk happening soon at #TROOPERS25! Hear how security boundaries become attack h….

RT @Enno_Insinuator: Love this one ;-) #TROOPERS25 #maketheworldasaferplace .(from this talk: .

EntraPassTheCert. post-exploitation tool that allows attackers to request Entra ID's user P2P certificate and authenticate to a remote Entra joinned machine with it, by @TEMP43487580.

RT @ttdennis: Yesterday at #Troopers25, @twillnix and I published some of our research on Bluetooth headphones and earbuds. We found that….

RT @AlmondOffSec: Following @ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by @SAE….

RT @DrAzureAD: Slides from my @WEareTROOPERS talk are available at

Forensic Differences Between Windows 10 and Windows 11 #DFIR.

Precious Gemstones: The New Generation of Kerberos Attacks.

Automating MS-RPC vulnerability research.