24/7 Active Directory Incident Response Contact: Tel. +49 (0) 6221 7569637 E-mail: incident-response@ernw.de

#TROOPERS25 AD & Entra ID Security track resources, on the @ERNW_ITSec blog @Insinuator Featuring @Jonas_B_K @martinhaller_IT @TEMP43487580 @JsQForKnowledge @fabian_bader @_dirkjan @ShitSecure @DrAzureAD @kazma_tw @subat0mik @unsigned_sh0rt @ericonidentity https://t.co/dmbl9iZSPj

.@MCTTP_Con 2025 was a great event, thanks again @CyberWarship for so many things! Slides & transcript of my keynote can be found in this @Insinuator post: https://t.co/Wq0GQFDDWq

Ready to make your mark? At AEG, we turn ambition into action. Let’s bring your dreams to life. Join us

New post: Windows Hello for Business – The Face Swap

That's a very interesting new training from the fine folks of @ERNW_ITSec Research: https://t.co/5ZzFeGCIli

The #mcttp event is over and I am on my way home. Thanks again for having me this year again. Special thanks to @CyberWarship and Sonja for taking care of us during October fest. Truly amazing event and I finally got to meet @Enno_Insinuator and @DrAzureAD IRL. Also awesome to

Commonly Abused Administrative Utilities: A Hidden Risk to Enterprise Security, by @HobbsDale https://t.co/onHGZAxw3h

Sliding into your DMs: Abusing Microsoft Teams for Malware Delivery https://t.co/pdQBNqHmcY

Malicious Encoded PowerShell: Detecting, Decoding & Modeling https://t.co/D2VJlJYizw

Kudos also to @SecurityThunder and @kidtronnix

Prefetch Files in Windows Forensics #DFIR https://t.co/Rk5sdPEzhP

New post: Jigsaw RDPuzzle: Piecing Attacker Actions Together

Overview of some posts which I wrote while being the DRI for #IPv6 @Apple https://t.co/r2LZY2XoMc

Domain Admin shouldn’t logon to workstations. Here’s one way to restrict DA logins to workstations: Create a GPO… Computer Config → Windows Settings → Security Settings → Local Policies → User Rights Assignment → ‘Deny log on locally’ & ‘Deny log on through RDP’ → add

Active Directory Hardening Series Part 1 Disabling NTLMv1 https://t.co/9gla1vtQ18 Part 2 Removing SMBv1 https://t.co/KOqpamarcW Part 3 Enforcing LDAP Signing https://t.co/oW2Ymvu1ZW Part 4 Enforcing AES for Kerberos

Highly recommend everyone read the latest @MsftSecIntel blog, especially if you are involved in identity or cloud security. It details how threat actors can pivot between both your on-premises and cloud identity planes and cause destruction across both. Without proper guardrails

Fleet dashcams for commercial vehicles. Full integration with telematics for video exceptions, driver coaching and accident video. Live view. In &/or Out recording.

🚨 Microsoft admins, are your conditional access policies weak? 😱 @fabian_bader shares some common bypasses in our latest https://t.co/v0cFtrPykt podcast episode! 🔒 Dive into this thread for must-know insights to secure your tenant! 🧵👇 #Cybersecurity #MicrosoftEntra

The Windows Registry Adventure, contd., by @j00ru #5: The regf file format https://t.co/rxLCJvSVxe #6: Kernel-mode objects https://t.co/8Iir8GMuEt #7: Attack surface analysis https://t.co/1Xj8GASqbq #8: Practical exploitation of hive memory corruption

The Windows Registry Adventure, by @j00ru #1: Introduction and research results https://t.co/sp1c4x5SA8 #2: A brief history of the feature https://t.co/Wt6YK9v2nn #3: Learning resources https://t.co/tIte5saaOA #4: Hives and the registry layout

NTUSER.DAT Forensics Analysis 2025 #DFIR https://t.co/qKoDvJcF4j

Registry Hive #DFIR https://t.co/cnWPAAMimg Data Types https://t.co/n0BLXidPBk DT cont. https://t.co/XHQ6jrkfLc DT 4 https://t.co/2WMfh3O1Zk DT 5 https://t.co/nwqogub4XP DT 6 https://t.co/RzO6DmJypl DT 7 https://t.co/PNOubac5dO DT 8