IAMERICA

@EricaZelic

Followers
7,107
Following
3,869
Media
1,269
Statuses
23,194

Your perception is not my reality. Posts don't represent my employer(s).

0.0.0.0/0
Joined June 2018
Pinned Tweet
@EricaZelic
IAMERICA
2 months
.
@lexfridman
Lex Fridman
2 months
I'm very familiar with both these places. Trying every day to maximize time spent in the second one. If you're in the first today, hang in there ❤
Tweet media one
484
562
9K
4
1
43
@EricaZelic
IAMERICA
6 months
CitrixBleed. Yep, that's it, the whole exploit.
Tweet media one
18
261
1K
@EricaZelic
IAMERICA
3 months
First, I want to compliment @Microsoft for being forthright with details. Some of the problems I see in this report, I SEE EVERYWHERE due to VULNERABLE DEFAULTS. Let's start with creating malicious OAuth applications. By default, ANY USER can create app registrations and…
Tweet media one
35
232
951
@EricaZelic
IAMERICA
6 years
Dear infosec people - Don't forget to be n00b friendly. We're all n00bs at some point and most real 'experts' realize they too are still n00b.
23
267
930
@EricaZelic
IAMERICA
2 years
What are your top 3 Windows and Active Directory tools? I'll go first. 1. Bloodhound 2. Impacket 3. Responder You can only pick three!
56
117
640
@EricaZelic
IAMERICA
2 years
Tweet media one
5
60
518
@EricaZelic
IAMERICA
2 years
To all the HTB and CTF players trying to break into the industry: you will be disappointed with how easy the real world is after all that work.
22
52
514
@EricaZelic
IAMERICA
1 year
🧵Some of my favorite LDAP queries. I let you all infer which tools to use them with. Most of these are from places around the web, nothing new. Just a list. 1. Find all DCs: (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
12
119
487
@EricaZelic
IAMERICA
2 years
🧵My 4th interview at Tanium was with the area VP. He asked me if I was going through some type of midlife crisis because I have a passion for hacking. It's on video. /1
29
60
440
@EricaZelic
IAMERICA
2 years
Good morning friends, Hope you have a great start to your week!
Tweet media one
9
77
433
@EricaZelic
IAMERICA
7 months
Here's something I see on a lot of security assessments for M365: When you create an M365 group (not a security group), all the members have access to a shared mailbox, shared files, SharePoint site, OneDrive, Archives, Teams, and whatever resources the owner applied. You can
9
86
429
@EricaZelic
IAMERICA
5 months
Microsoft: Thousands of engineers building MS Cloud Most Organizations: 1 person to try to learn and understand all that.
18
54
409
@EricaZelic
IAMERICA
2 years
Q: How do these teenagers keep breaching these big orgs? Didn't it come up on a pentest? A: Scope
19
75
405
@EricaZelic
IAMERICA
2 years
FYI: I know a LOT of people working in cybersecurity with 8+ years experience that don't have these skills: - command line - Windows internals - vuln analysis/ threat sim - pentest complex infra - exploit dev - reporting - *executing* TTPs - IT Risk - scripting/coding - tool dev
23
54
381
@EricaZelic
IAMERICA
2 years
What's missing? KERBEROS ABUSE •ASREP Roast •ASREQ (kerbrute – enum users) •ASREQ Roast •Kerberoast •Golden Ticket •Silver Ticket •Diamond Ticket •Sapphire Ticket •Bronze Ticket •Unconstrained Delegation •Constrained Delegation 1/2
23
83
374
@EricaZelic
IAMERICA
1 month
I'm looking for a new role. I will be remaining at my current employer for at least 30 days. - Pentesting specializing in internal active directory - Threat hunting in incident response using EDR admin consoles: CrowdStrike and Carbon Black - Purple team: develop emulations and
38
144
365
@EricaZelic
IAMERICA
28 days
I'm excited to announce I've accepted a new role. To all the people who reached out in response to my tweet, I'm humble and honored to have many tenured people and reputable companies consider my candidacy. I won't be telling you hackers where I'm going so don't ask :P
89
1
331
@EricaZelic
IAMERICA
1 year
On a Red Team Op and slightly stuck due to good hardening practices with AD? Look at ntuser.pol in the hidden c:\ProgramData folder. If they have Defender for Endpoint with ASR, you can read the exceptions.
8
62
315
@EricaZelic
IAMERICA
7 days
Here's the biggest solutions to all my shenanigans: Require signing - for SMB and LDAP Don't have unsupported OS's Run Certipy in your environment and consult the SpecterOps ADCS whitepaper for solutions Disable the NAA accounts and use Enhanced HTTPS Go through all the…
13
42
311
@EricaZelic
IAMERICA
1 year
What are the MOST BASIC things you look for on a pentest FIRST? I'll go first: unprotected credentials on shares SMB signing LDAP signing default credentials no explicit credentials to access shares CVEs LLMNR/Netbios enabled
37
61
275
@EricaZelic
IAMERICA
1 month
As promised, here is my blog post on Beginner's Guide to Learning Entra ID and M365~ Don't learn it. It changes too fast. Learn to convince stakeholders why you should shift back to on-prem where servers basically stay the same for 3 years so you have decent shot at learning
17
31
275
@EricaZelic
IAMERICA
8 months
Black Box Case Study: An adversary has obtained credentials (username+password) of IT/Security individual via a browser dump but MFA is enabled in a Microsoft Cloud tenant employing SSO with on-premises Active Directory. When the adversary attempts to login the tenant, they are…
@SwiftOnSecurity
SwiftOnSecurity
8 months
You're not doing anything useful with your life right now, go through your Microsoft account and customize the privacy and security and marketing settings here:
14
46
233
6
51
264
@EricaZelic
IAMERICA
8 months
Let's talk about AAD/M365/Azure security. Config Review: Checks CIS Benchmarks Checks SCuBA Checks MS Security Recommendations Checks CAP gaps (if above 3 are already implemented) Outcome: Tenant Hardening Most "Pentests": Checks against CIS Benchmarks, SCuBA guidelines, MS…
6
51
262
@EricaZelic
IAMERICA
3 months
A malicious Microsoft tenant is attempting to attack my malicious Microsoft tenant. Can't make this stuff up.
Tweet media one
21
24
247
@EricaZelic
IAMERICA
2 years
Round 2: What's missing? NTLM ATTACKS •Pass the hash •Overpass the hash •Unpack the hash •Relay the hash •Coerce the hash ◦Spool sample ◦SCCM ◦DFSCoerce ◦Petitpotam ◦Stored procedures in MSSQL ◦Transact SQL Statements from MSSQL ◦Web-apps ◦Scf attack 1/2
7
58
247
@EricaZelic
IAMERICA
3 years
Tweet media one
2
52
244
@EricaZelic
IAMERICA
3 months
Vulnerabilities are not just CVEs. Configurations can be vulnerabilities too. In fact, I exploit vulnerable configurations, and RARELY CVEs. It bothers me a bit that some people from Microsoft don't understand this very important concept, yet are "Security SME".
20
41
245
@EricaZelic
IAMERICA
7 months
Dear Tenants that only have a P1 license, Just a reminder ...
Tweet media one
13
31
236
@EricaZelic
IAMERICA
2 years
So does that mean you don't like my memes?
Tweet media one
22
336
213
@EricaZelic
IAMERICA
3 months
I'm telling you all, MS Cloud attacks are going to get a lot worse. A lot more people are paying attention now and learning how to attack it.
14
30
216
@EricaZelic
IAMERICA
1 year
I get paid a lot of money to tell people to use MFA
10
26
209
@EricaZelic
IAMERICA
27 days
If you take control of all the SCCM servers, you control the domain. You don't need the NTDS.dit file.
16
15
199
@EricaZelic
IAMERICA
9 months
"some of my bugs" 😂
Tweet media one
6
13
193
@EricaZelic
IAMERICA
3 months
MS Cloud MFA/2FA bypasses: AiTM Illicit Consent PRT theft Browser Cookies Theft PRT/Cookie Proxy Device Code Conditional Access Gaps Which ones did I miss?
11
39
191
@EricaZelic
IAMERICA
2 months
Anyone want a cloud attack VM like Kali? We can call it Cloudy. Yes, I made one 😊 - AiTM phishing MFA Bypass - Illicit consent phishing MFA Bypass - CAP gap analysis for MFA avoidant activities - Device code phishing MFA bypass - Token abuse tools for MFA bypass - Teams…
@NathanMcNulty
Nathan McNulty
2 months
@EricaZelic Which should you create? A) A user B) A group C) A device D) An application Erica: E) Malicious tenant 😈
2
2
25
25
28
185
@EricaZelic
IAMERICA
15 days
I smoked the crack it worked dumping dit now netntlmv1 --> nt thanks to @Evil_Mog and modern computing Took ~ 20 hours with 12 RTX 4090s. Cost: 130$
16
21
184
@EricaZelic
IAMERICA
29 days
Some notable highlights from the past year: compromised 36 servers as local admin in one night once over 400 separate configuration related privilege escalations found on 17 servers once Lots of domain compromises due to these things: ADCS NTLMv1 SCCM smb signing not…
11
32
189
@EricaZelic
IAMERICA
6 months
I've been reading Microsoft documentation almost every day since 2018. That's 5 years of documentation reading, estimated ~2 hours daily on average (some days a few minutes, other days >8 hours). It's akin to having a bachelors degree in Microsoft documentation related to…
31
11
178
@EricaZelic
IAMERICA
2 months
I don't look bad for my age. No botox, plastic surgeries, or anything. I barely even moisturize lol. I guess working out all those years had some benefit.
Tweet media one
29
0
179
@EricaZelic
IAMERICA
1 year
For those people who are fascinated by Windows and like to RTFM like me, here is a lifetime's worth of free education/reading: Happy learning! 😘
9
39
175
@EricaZelic
IAMERICA
28 days
Hey hacker family, I'm looking for a @hackthebox_eu 'er who wants a pentesting role (to start), who likes exploiting Active Directory configurations, and wants to learn MS Cloud. This is to backfill my current role at Polito and provide coverage for my skills specialties. If…
17
67
170
@EricaZelic
IAMERICA
1 year
🧵When I worked at Tanium, I realized a lot of hard truths. Coming from an offensive background was really difficult. I learned really fast that most people in IT (both vendors and customers) don't understand basic attacks. Moreover, when I would try to explain things /1
3
12
167
@EricaZelic
IAMERICA
1 month
Phishing in Teams was fun. Nothing got detected or blocked. Even my malicious links got through Proofpoint and MDO. The only thing that got blocked and quarantined were attachments with malicious links. But, if the attachment was in a cloud link? No problem. Didn't even…
10
20
171
@EricaZelic
IAMERICA
2 years
Wrote a short blog post about my journey in learning Windows and Active Directory, Part II
3
59
165
@EricaZelic
IAMERICA
4 months
Tell me you don't know Active Directory without saying you don't know Active Directory 😋
177
15
162
@EricaZelic
IAMERICA
8 days
Long live ESC8 and SCCM attacks
Tweet media one
4
36
162
@EricaZelic
IAMERICA
4 months
Time to go hack some stuff! This one is hard: - shares locked down - only one writable share to disk - no readable shares other than normal DC stuff - kerberoasted passwords won't crack - ADCS fully remediated - no SCCM - NTLMv1 downgrade relay not working - spray spray spray -
45
24
158
@EricaZelic
IAMERICA
5 months
@mubix Returning to the office is about micromanagement and control. It doesn't increase productivity.
12
5
155
@EricaZelic
IAMERICA
2 months
Do you know what I love most of my current role at my company? I DEFINE IT and work in a multidisciplinary team. My only limitation is myself. I do: - purple team - pentest specializing in internal Active Directory - MS cloud assessments specializing in Entra ID - incident
17
4
156
@EricaZelic
IAMERICA
3 months
For those of you learning MS Cloud along with me, check out ALL of @_wald0 blog posts - they are SO good. I learn so much from him and he credits a lot of other important researchers in his posts
4
23
152
@EricaZelic
IAMERICA
6 months
I need an Active Directory expert ... oh wait, that's me. Can someone please explain this to me who knows why this is funny and confusing?
Tweet media one
27
10
152
@EricaZelic
IAMERICA
1 year
If you ever need to find the Certificate Authorities and you don't have access to certutil, you can use an ldap query with memberOf: CN=Cert Publishers ... because I spent 20 minutes of my life on this, maybe someone else won't have to.
8
23
149
@EricaZelic
IAMERICA
5 months
This chart by @_wald0 is so incredibly helpful.
Tweet media one
2
34
147
@EricaZelic
IAMERICA
2 years
Dear Infosec, It's not you it's me. :P 6 years ago we met and had an incredible 5 years. You were the bad boy I craved with mischief, excitement, and individuality: all the things my career wasn't. My career and I decided to work on our marriage. Be well.
8
6
144
@EricaZelic
IAMERICA
6 months
On a more serious note, my goto AD toolbelt: Most of the ones listed in these tweets + dsquery sccmwtf powershell (PS-Sessions, CLM bypasses) windows command line (certutil -v -dstemplate and logman, ADSI/ADSIsearcher FTW) sharpDPAPI Rubeus PSExec (won't alert with admins most…
@techspence
spencer
6 months
My goto AD toolbelt: PowerView (custom) PrivescCheck (custom) PingCastle ScriptSentry Spray-Passwords (custom) SpoolSample secretsdump[.]py AMSI Bypass (custom) bypass-clm (custom) ADExplorer ADeleg Rubeus Certify BloodHound/SharpHound Locksmith SharpSCCM Inveigh PowerUpSQL Nmap
11
118
704
6
18
147
@EricaZelic
IAMERICA
4 months
So, I have some stats. I ran this script on 17 servers and found 136 different configuration related privilege escalations.
@EricaZelic
IAMERICA
5 months
This is the most privilege escalations I've ever seen on one assessment. For those who don't know - @itm4n 's PrivescCheck powershell script is amazing.
2
10
115
3
26
147
@EricaZelic
IAMERICA
3 months
This tweet is not about Midnight Blizzard. I have no idea what happened at Microsoft. However, I want to take another moment to discuss Graph Delegated Permissions not requiring admin consent in app registrations. The reason this is important is because adversaries have been…
Tweet media one
4
21
145
@EricaZelic
IAMERICA
2 years
Today is International Women's Day so I leave you a sample of the challenges women still face every single day in the workplace. Most will not discuss it publicly for fear of retaliation. /14
3
6
139
@EricaZelic
IAMERICA
2 months
Do you know who I want on my team? - People who are not afraid to disagree. I don't consider these people difficult to work with. I consider it enriching - People from multiple disciplines: IR, helpdesk, SOC, compliance, risk, ops, admins, devs, non-technicals - People who
17
17
144
@EricaZelic
IAMERICA
6 months
This website helped me learn my way around M365 and Azure like nothing else.
@merill
Merill Fernando
6 months
It's hard to believe that a year has gone by since I launched 🍾 Here are some awesome stats 👇. Many thanks to everyone that has contributed to make this a success and to all you keyboard ninjas 🥷! Are you a cmd'er? Hit like and repost!
Tweet media one
9
70
333
3
30
141
@EricaZelic
IAMERICA
2 years
Don't ever let anyone diminish your accomplishments and self worth. Their opinion of you is based on their world, not your reality. If they cannot see your worth, move on. /13
1
6
138
@EricaZelic
IAMERICA
19 days
The vulnerability scan has 400+ findings. I exploit the domain with nothing on it. When is this madness going to change? LOL
14
12
139
@EricaZelic
IAMERICA
27 days
Micro$oft: Let us introduce you to Defender for Identity! It only costs 4million dollars more per year that you won't be budgeted for! OR, just read the SpecterOps whitepaper, it's free! /s
@tifkin_
Lee Chagolla-Christensen
27 days
ADCS strikes again (sounds a lot like ESC1). Just as a reminder, despite our recommendation of alerting IT administrators of this very common dangerous misconfiguration (AT A MINIMUM via an event log). Microsoft chose not to include any additional logging in ADCS.
Tweet media one
5
61
218
7
19
135
@EricaZelic
IAMERICA
2 years
😂🔥 womp womp for certs
@AttilaDeak01
𝗔𝘁𝘁𝗶𝗹𝗮 𝗗𝗲𝗮𝗸
2 years
Okta vs Lapsus$
Tweet media one
10
202
957
4
20
131
@EricaZelic
IAMERICA
6 months
30 pages on ETW! Love it!
Tweet media one
4
9
133
@EricaZelic
IAMERICA
4 months
I've lost 9lb in one month and here's how I did it: - Stopped eating out every day. I cook at home now. - Reduced processed foods. - 1 hour of cardio in fat burn mode (rolling hills) keeping heart rate within a specified range 3 days a week. - 800 calorie per day deficit (not
18
0
132
@EricaZelic
IAMERICA
6 months
@sunnyc7 @NathanMcNulty So in Entra ID, there are default settings that allow all users to register applications and allow access to company data. THIS IS DEFAULT. So, they do an MFA bypass then register the application. They become the owner of the application which allows them to impersonate the
3
17
132
@EricaZelic
IAMERICA
5 months
On-Prem: manage yourself, probably will fuck it up. Cloud: Managed by Microsoft, you have to do what they tell you (which both you and them will probably fuck up), and you need a team of people to keep up with all the changes.
12
12
132
@EricaZelic
IAMERICA
4 months
I have some unsolicited advice: If you are in your 30s and you are thinking about having a family, do it now. Don't wait. You will wake up one day and be old and it will be too late. Make it happen. If you don't, I promise you, you will have regrets. Get out there, find
19
6
130
@EricaZelic
IAMERICA
3 months
Sometimes I wonder if some infosec people know how arrogant they sound.
22
8
126
@EricaZelic
IAMERICA
13 days
I'm excited to get started in my new role in a couple weeks: Security Architect, Hand to the Security Emperor who combined are Protectors of the Realm, Annoyers to the Infrastructure King
15
1
129
@EricaZelic
IAMERICA
1 year
If you've never had an opportunity to serve as an admin in large enterprises and your primary interest is in offensive, the best ways you can remedy this are: 1. RTFM - most people don't 2. Read and replicate blogs 3. Build an AD lab with all server roles + Unix/Linux /1
6
20
127
@EricaZelic
IAMERICA
2 months
When I used to be just a hackthebox player, I heard so often it referred to as doing CTF machines and how the real world is so different. It came across condescending. Now? I laugh at how easy "the real world" is and have probably downgraded my skills being a "pro". 😄
11
10
121
@EricaZelic
IAMERICA
2 years
Tweet media one
0
17
121
@EricaZelic
IAMERICA
3 months
Some basic CIS Benchmarks may work here: Go to --> select Teams Change these:
Tweet media one
@BrianRPhillips
Brian Phillips
3 months
Anyone know of an actually effective tool/defense against Teams phishing?
7
3
6
6
19
121
@EricaZelic
IAMERICA
8 months
Quick, everyone do this for python in Excel to be prepared: reg add HKCU\software\policies\microsoft\office\16.0\excel\security /v PythonFunctionWarnings /t REG_DWORD /d 0 /f  😈
4
12
118
@EricaZelic
IAMERICA
5 months
Look, I got an Xmas tree
Tweet media one
11
4
118
@EricaZelic
IAMERICA
2 years
If leadership at a company says something like this during an interview, it's a great sign of what's to come. /11
1
1
116
@EricaZelic
IAMERICA
2 years
I can't state enough how cool the techniques and research are in this repo for AppLocker and WDAC bypasses: I suggest testing them with AaronLocker on Microsoft's github PS: You will have to turn off Defender (kudos to Microsoft!)
0
33
115
@EricaZelic
IAMERICA
17 days
It boggles my mind that it's hard to convince people that compromise of an sccm primary site server is a critical vulnerability. They still want the dit file. Unbelievable. Sccm primary site server compromise lets you control every machine on the network, stealthily. Since…
15
8
116
@EricaZelic
IAMERICA
3 months
Beginners Guide to Learning Entra ID and M365 post coming soon ...
4
7
115
@EricaZelic
IAMERICA
5 months
This is the most privilege escalations I've ever seen on one assessment. For those who don't know - @itm4n 's PrivescCheck powershell script is amazing.
2
10
115
@EricaZelic
IAMERICA
3 months
"It's nothing new. It was in a BlackHat talk 6 years ago that nobody understood at the time." I wonder how often this happens.
12
8
114
@EricaZelic
IAMERICA
3 months
I like the new Kali desktop image for the dragon year.
Tweet media one
4
8
112
@EricaZelic
IAMERICA
7 months
@SwiftOnSecurity Pharmacist shortage. There is no pharmacist shortage. There are pharmacists who refuse to work in awful, unsafe conditions anymore and that number grows every day.
3
4
110
@EricaZelic
IAMERICA
3 months
😂😆🤣😆😂
@rafal_fitt
Rafał Fitt
3 months
Tweet media one
0
8
48
3
10
111
@EricaZelic
IAMERICA
10 days
Who can tell me reason why Server 2003 shouldn't be in your networks, and if they are, where they need to be? 😂 PS. If your network is flat and you have Server 2003, you are in a world of trouble.
41
9
102
@EricaZelic
IAMERICA
2 months
and are my go-tos
@PyroTek3
Sean Metcalf
2 months
If you are often lost in the labyrinth that are the Microsoft cloud admin portals, is the answer! #AzureAD #EntraID #MicrosoftCloud
3
48
187
4
31
106
@EricaZelic
IAMERICA
14 days
Do you know how many domains I've been able to coerce netntlmv1-ssp hashes from DCs this year? Almost all of them. Think about that. Y'all are living dangerously.
7
10
105
@EricaZelic
IAMERICA
3 months
It's how I learn baselines. I set up infra and apply benchmarks in my labs. Shameless plug
@techspence
spencer
3 months
The CIS Benchmarks are seriously such a great learning tool. For defenders and offensive people. Wealth of knowledge there...
7
9
148
2
10
105
@EricaZelic
IAMERICA
6 months
My nightly Microsoft documentation reading is never boring. On the latest episode,
Tweet media one
1
10
102
@EricaZelic
IAMERICA
12 days
Mistakes also help you think slower. Yes, thinking slower is a good thing.
@rafal_fitt
Rafał Fitt
12 days
Tweet media one
0
6
12
5
13
103