How to have fun in 2025:

❌ LLM reversing with boring standard language.✅ LLM reversing with an occasional pirate reference

Mercedes will let you onboard your car in Intune? This is the stupidest thing I've heard this week.

About 5 years too late….

I had a small injury in my wrist, so I got an "ergonomic" mouse which forced me to position my hand in a specific way. Result: My keyboard shortkey usage tripled and I barely touch the mouse anymore.

ancient hardware ain't stopping me

Need USB - TTL, found a cable on the bottom of my "cable box", cable didn't work, looks at device manager:

PopOS! is underrated.

Using an iPhone in 2025 feels like being stuck in 2015.

Nice milestone yesterday: got my first paid bounty for a responsible disclosure find. Had hall of fame mentions before, but never received a financial reward. Funfact, it was for a report from over 2 years ago. I’m not in the game for money, but it still feels like an achievement.

I do actually see the value in read only stuff, but please,,, keep that stuff local. .

It's a great idea to submit your whole AD forest to Claude!! (/s). I feel sorry for the peeps testing this in production (with write rights) and see their AD being demolished in seconds.

With this KQL query, quickly check if apps with Mail.Send permission actually are sending mails or if they're overprivileged. Is there a repo combining permissions with graph endpoints? Could be interesting.

Friday morning shenanigans, from "why is this feature so slow" to a responsible disclosure email in 60 minutes. Hopefully I'll be able to blog about this one, stay tuned. .

"When eM Client is first granted permissions within a tenant, a service principal is created in Entra ID.". It's good practice to monitor for all service principal creations, here is a simple KQL query to do so:.(exclude automated/non user stuff).

Do you work with ASR? This is a great little blog post that explains a bit about the inner workings of ASR.

Today is a good day to check who and what as access to your data. Google: Microsoft:

We need to stop calling everything a critical vulnerability. You're only vulnerable if you have VerifyHostKeyDNS enabled (it's disabled by default and only enabled in specific situations).

This is a heavily overlooked topic in the field. Protect your tokens.

@BertJanCyber BTW: the neat trick used by attackers is that Microsoft AD Graph activity is not logged, when the Microsoft Graph API is used, you should be able to detect the actual activity (beyond authentication) via MicrosoftGraphActivityLogs table.