Long-awaited parallel (threaded) queries arrive in MSTICPy! 🏃♀️🏃♀️🏃♀️
Split big queries into separately executing chunks or across multiple workspaces and clusters.
MSTICPy 2.6.0 released
- Parallel queries for multiple instances of MS Sentinel workspaces and Kusto clusters
- Parallel split queries (large time-range queries divided by smaller time periods)
- Velociraptor data provider for querying exported data sets
github.com/microsoft/msticpy…
🚨Small update for TokenTacticsV2
▫️Two new device platforms
▫️Linux, since it's now supported by Conditional Access
▫️OS/2, because it's not 😁
github.com/f-bader/TokenTact…
Official confirmation from Microsoft that there is no supported way to rotate or change DPAPI backup keys!
Compromised keys? ➡️ Burn the domain and rebuild a new one 💥
I know a lot of excellent people are looking for jobs right now. We have several openings at @redcanary, including my peer, Senior Director of Detection Engineering, and a Threat Hunter on a team I lead. I hope you'll consider applying or sharing. redcanary.com/job-openings/
Small update to roadtx, with thanks to @Flangvik for the idea: you can now do the interactive authentication with a "borrowed" ESTSAUTHPERSISTENT cookie from a browser, to get tokens or have an authenticated browser session.
New blog is out!
OneDrive to Enum Them All
trustedsec.com/blog/onedrive…
Major updates:
• database storage
• logging of previous runs
• easily append digits or strings to usernames
• stale job detection
• skip tried usernames
Special thanks to @DrAzureAD and @thetechr0mancer!
@DrAzureAD brings some valid points. A member-level user can read CA Policies. This has not always been understood, since the GUI and MS Graph require roles for this, but the Azure AD Graph API does not. It also means that if you have gaps in CA, those can be read by a normal user.
Next version of #AADInternals will be published during the @BlackHatEvents #BHAsia on May 11th at #BHArsenal!
Some teasers:
◾ Exploitation tooling for findings covered in our Briefings talk with @SravanAkkaram 😈
◾ Totally re-written token handling 🤞
◾ Automatic FOCI client handling (thx to @detectdotdev) 🔥
I've long been interested in how EDRs work under the hood and how we can apply a more evidence-based approach to evasion. I'm happy to announce that I've written a book covering these topics with @nostarch which is now available for preorder 🎉
nostarch.com/book-edr
New chapter of #AzureAD Attack & Defense Playbook: Are you looking for a way to track and verify your identity security posture? @samilamppu, @PitkarantaM and I have worked on a solution which also includes a comparison to recommendations and #MITRE mapping.
github.com/Cloud-Architekt/A…
I'll deliver a workshop, "Tokens, everywhere!" at @NorthSec_io, Montreal 🇨🇦 in May! In this hands-on deep-dive, I'll cover the #AzureAD #OAuth implementation, different token types, #FOCI, and various attack scenarios.
Check out details and get tickets at nsec.io
Our latest full-length episode is available! @olafhartong was kind enough to join us again after a few years and catch up - catch the episode wherever you consume podcasts, or at the YouTube link below! youtu.be/47pwrsMucSg
If you are a user of Microsoft Defender for Endpoint or are considering it you might find this series useful. A 🧵
The first edition covers the differences between #MDE and #Sysmon and telemetry acquisition
1 - Sysmon vs Microsoft Defender for Endpoint
medium.com/falconforce/sysmo…
⚡️MSTICpy is a powerful Python library for threat intelligence and threat investigation! I created a new security artwork for a brief overview.
Learn more with @ianhellen & @PeteABryan at BlueHat for an in-depth look. 🤓 @msticpy #ThreatIntel #infosec #python @MsftSecIntel
📣 Speaker Announcement 📣
We’re thrilled to announce our first #BlueHat speaker, Nate Warfield @n0x08, Director of Threat Intelligence at Eclypsium. Nate's #BlueHat talk will discuss firmware vulnerabilities and mitigation. 👏
[Image: BlueHat 2023: Meet Our Speakers. "0-Day firmWarez", Nate Warfield, Director of Threat Intelligence | Eclypsium. Microsoft BlueHat: February 8-9, 2023 | Redmond, WA]