This account assembles and disseminates information related to Active Directory and Windows security.

Joined December 2017
24/7 Active Directory Incident Response Contact: Tel. 49 (0) 6221 7569637 E-mail: incident-response@ernw.de
DirectoryRanger retweeted
Insights into Entra ID’s (Un)Conditional Access, by @insinuator insinuator.net/2026/05/insig…

Entra Agent ID from a Security Perspective blog.compass-security.com/20…

Hardening Intune, by @Carlos_Perez Part 1: The Privileged Roles Nobody Talks About trustedsec.com/blog/the-priv… Part 2: The Implementation Guide trustedsec.com/blog/hardenin…
DirectoryRanger retweeted
Imagine yourself on the beach in Thailand getting the email you got accepted to @WEareTROOPERS !!!! It was one of my happiest moments 🥰 I can't wait to #Troopers26
Enumerate Domain Data (EDD): Powerview’s .NET Cousin redsiege.com/blog/2026/06/to…

DirectoryRanger retweeted
Apr 23
At the last @DerbyCon, @PyroTek3 asked me up on stage just for fun. I was so terrified I cowered in the back! Now I’m speaking at @WEareTROOPERS! The biggest AD security conference in the world. 🔥🔥🔥 “Pursue excellence. Never give up!” 👊 See you in Heidelberg 🍻
DirectoryRanger retweeted
Finally had time to add EtwInspector to the PSGallery! Check it out. PSGallery: powershellgallery.com/packag… GitHub: github.com/jonny-jhnson/ETWI…
DirectoryRanger retweeted
What Anthropic’s Mythos Means for the Future of Cybersecurity. The new reality rewards systems that can be tested and patched continuously. spectrum.ieee.org/ai-cyberse…
DirectoryRanger retweeted
"The Art of Evasion" talk at #x33fcon by @ShitSecure - x33fcon.com/#!s/FabianMosch.…
DirectoryRanger retweeted
"#Fingerprinting Modern #C2 #Implants Through Runtime Telemetry" talk at #x33fcon 2026 by @thefLinkk and @dphillips__ - x33fcon.com/#!/s/SebastianFe… #blue, #POC
DirectoryRanger retweeted
Jun 13
Releasing Tunnel Vision Toolkit, part of my @x33fcon talk on Microsoft Global Secure Access. Includes BOFs to assist in engagements where you face GSA, plus a rogue client that lets you connect to internal resources from unmanaged devices. github.com/ar0x4/tunnel-visi…
DirectoryRanger retweeted
To figure out if a user account is stale will require a lot of log sources and will depend on the environment. There are a lot of different signals to consider and will be different if you are hybrid with SSSO, hybrid with PRT SSO, Hybrid with ADFS and a tertiary IdP, not hybrid with Entra SSO, not hybrid with Entra as a resource provider to the primary IdP, not hybrid with IdP chaining, not hybrid and an External Identity, using config manager in hybrid setups, not using config manager in hybrid setups, etc.

Some log sources to consider integrating with:

1. AD
2. AAD: non-interactive
3. AAD: interactive
4. Intune: device metrics
5. Intune: account metrics for their associated devices
6. All IdPs. All of them. Most larger organizations have at least 3.
7. HR systems (i.e. Workday)
8. Does the account own any applications in Entra, on-prem, or any IdP where they are the single owner?
9. How are devices onboarded in Intune? Autopilot? Other ways?

If the account is not active in all these logs, I would then create an automation with the HR system to validate and approve the disablement, only after doing it manually a number of times.

There's a lot of missing details here but the Intune logs are a great source of information that are often overlooked and not widely understood. I wouldn't consider them a source of truth, but I would still want a dashboard of this info in Intune. I would be careful about how to interpret the information because it's going to depend on a lot of factors. The problem with dashboards is the interpretation of them requires a depth of knowledge that most people don't have. Moreover, dashboards don't do anything.
Replying to @xenappblog
How are you figuring out if a user account is stale? No interactive sign in for 90 days does not mean the account is stale.
DirectoryRanger retweeted
My talk; Mapping the Adversary: Enriched Incident Graphs with BloodHound Data in Kusto from SO-CON 26 is now live on YouTube. youtube.com/watch?v=v4fG9XNh… big thanks to @SpecterOps for having me and keeping BloodHound open source!
DirectoryRanger retweeted
"Debugging Windows Isolated User Mode (IUM) Processes - Quarkslabs blog" #infosec #pentest #redteam #blueteam blog.quarkslab.com/debugging…

DirectoryRanger retweeted
MS AD Kerberos update active since April: If there is no explicit msds-SupportedEncryptionTypes Active Directory attribute defined, the DefaultDomainSupportedEncTypes will be AES-SHA1 (0x18). This is significantly slower to crack than RC4.