Excited to host a hands-on investigation lab at #DEFCON33 in the #CloudVillage!. Built from the perspective of an opportunistic adversary, this E2E AWS breach simulation leaves footprints for hunters and detection engineers to track across cloud, identity, storage, endpoint &.

RT @cloudvillage_dc: 🔥 Cloud Village Labs schedule for @defcon is live!. The Cloud Village Labs lineup is organized by genre to help you di….

RT @cyb3rops: So apparently the --host option in sudo has been broken since 2013. You could just trick it into accepting remote rules on th….

RT @_sigil: ☁️ My fwd:cloudsec talk, "I SPy: Rethinking Entra ID research for new paths to Global Admin", is up! Learn what a service princ….

RT @MsftSecIntel: Since 2024, Microsoft Threat Intelligence has observed remote IT workers deployed by North Korea leveraging AI to improve….

RT @elasticseclabs: New research from our #ElasticSecurityLabs team: we dive into how infostealers are leveraging a stolen Shellter evasion….

If anything this week, I highly recommend giving this #EntraID research by @fabian_bader and @_dirkjan on CA bypasses a read.

cont'd. Looks like Entra ID's Identity Protection will assign some of the logins from spraying and exfil as suspicious too. Sign-in logs will have a `risk_state` field with `atRisk` which is good for these signals and others. Or if you ingest Identity

TeamFiltration tool abuse - I've been playing around with it today. So far. if at least 10 users are selected for enum with SFA ROPC logins or spraying --> Below is rule that catches some of the enum and spraying. AADSTS50126 is one of the main error codes likely seen.

RT @DrAzureAD: Slides from my @WEareTROOPERS talk are available at

RT @Antonlovesdnb: Coming up on my 1 year anniversary with @HuntressLabs ! . Taking this opportunity to go over some things myself and the….

RT @_dirkjan: Since several people already asked: the slides from @fabian_bader and myself for @WEareTROOPERS are available! "Finding Entra….

RT @BleepinComputer: Microsoft 365 'Direct Send' abused to send phishing as internal users - @LawrenceAbrams. https….

RT @ericonidentity: At @WEareTROOPERS I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable….

RT @fabian_bader: One of the results of the joined research with @_dirkjan is . Basically the yellow pages for Micr….

Did a write-up on OAuth phishing (offense and defense). It's based on phishing campaign's reported by @Volexity earlier this year. - What are OAuth phishing links; what is the workflows behind them.- How to emulate (examples) and use ROADtools for further compromise.-.

RT @SBousseaden: cool alternative to clickfix, thanks for sharing!. possible detection is to looks for process.parent.args :"--message-loop….

RT @mrgretzky: If you're battling phishing detections through CSS canary tokens, make sure to add these entries into your Evilginx MS365 ph….

RT @rad9800: People often ask why I pivoted away from malware. Sometimes I ask myself the same question. After all, everything I've publis….