Loves Jesus, loves others | Dad x4, security solutions architect, love to learn and teach | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty

Alaska
Joined June 2009
Did you know that you can get a free M365 E5 subscription with 25 user licenses to learn, create automation, and develop applications? I know most folks never get the chance to admin this stuff, so sign up now, and let's walk through this together :) developer.microsoft.com/en-u…
Nathan McNulty retweeted
Replying to @fabian_bader
One side note on this topic: Role-assignable group members are not protected from AAD Connect softmatch/account takeover (even with eligible GA assignment). A permanent role assignment is required. This was the result of research tests by @samilamppu & me: github.com/Cloud-Architekt/A…
Nathan McNulty retweeted
If you have synced your on-prem admin accounts to Azure AD and followed best practice to NOT give them any cloud role, here is a tip 💡: Add them to a role-assignable group without any role assigned. They are now protected from takeover by helpdesk. #AAD learn.microsoft.com/en-us/az…
Nathan McNulty retweeted
Replying to @NathanMcNulty
RPCFirewall (@ZeroNetworks, @SagieSec) is something that should have been built into Windows a long time ago. Lets you restrict RPC calls by OpCode & Source IP (including named pipes, which doesn't work with stock filters). Super cool piece of tech! github.com/zeronetworks/rpcf…
Nathan McNulty retweeted
Day 1️⃣1️⃣ - Becoming a SOC analyst 💙 How to build your own SIEM for your HomeLab:
💡 Intune reporting with PBI: list local admin accounts on your devices and who added them #MEMPowered #MSIntune systanddeploy.com/2021/06/us…
Akamai has some talented folks looking at RPC. RPC is frustrating because a lot of things are exposed by default, and it's not easy/common knowledge how to configure RPC filters. Interestingly, my favorite article on them is also from Akamai 😄 akamai.com/blog/security/gui…
Akamai researchers have identified 3 vulnerabilities in MS-RPC runtime, all with a base score of 8.1. In our latest blogpost, see how an integer overflow in a dynamic array can lead to RCE in the RPC runtime. Write-up: akamai.com/blog/security-res…
Here's a great example use case to mitigate PetitPotam. Unfortunately, it's hard to be proactive and identify only what you need. But at the very least, wherever we see RPC abuse, it's a good idea to ask if RPC filters can help :)
Want to block [MS-EFSR] / #PetitPotam calls?🤔 Use RPC filters! 🥳 Put the previous Tweet in a file, `block_efsr.txt`, then: > netsh -f block_efsr.txt Just tested: it blocks remote connections & not local EFS usage. Thank you to @CraigKirby for reminding us of this RPC filter technology!
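As an added example (not from the tweet or its author): an elevated PowerShell session that writes a netsh RPC filter script for the two MS-EFSR interfaces, applies it the way the tweet describes, and verifies the result. The interface UUIDs are the EFSRPC identifiers from the MS-EFSR specification; the file name follows the tweet.

```powershell
# Added example: block inbound MS-EFSR (PetitPotam) RPC calls with Windows RPC filters.
# Run from an elevated prompt. UUIDs are the two EFSRPC interface identifiers
# published in the MS-EFSR specification (efsrpc and lsarpc pipe bindings).
$rpcFilterScript = @"
rpc
filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=c681d488-d850-11d0-8c52-00c04fd90f7e
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=df1941c5-fe89-4e79-bf10-463657acf44d
add filter
quit
"@

# netsh script files must be plain ASCII, one command per line
Set-Content -Path .\block_efsr.txt -Value $rpcFilterScript -Encoding ASCII

# Apply the filters (this is the tweet's `netsh -f block_efsr.txt`)
netsh -f .\block_efsr.txt

# Verify: both filters should be listed, each with its own filterKey GUID
netsh rpc filter show filter

# Rollback if EFS-dependent workloads break unexpectedly:
#   netsh rpc filter delete filter filterkey=<filterKey from 'show filter'>
# or remove every RPC filter on the host:
#   netsh rpc filter delete filter filterkey=all
```

Blocked calls are logged by Windows Filtering Platform only when RPC filter auditing is enabled, so pair this with audit policy if you want visibility into who is still probing EFSRPC.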
Windows is full of obscure security controls, and in the case of PetitPotam, even Microsoft missed recommending RPC filters. Another obscure security control is Exploit Protection. You don't need to know exactly how these work, but know when to use them!
Any time you see DLL hijacking/sideloading, always consider if Exploit Protection could help, specifically the "Validate image dependency integrity" or "Code Integrity Guard" mitigations. learn.microsoft.com/en-us/mi… learn.microsoft.com/en-us/mi…
Who doesn't love being gaslit by the default browser that keeps shoveling unwanted crap onto your screen?
We can tell you're afraid of change when your default browser is Chrome
Nathan McNulty retweeted
$13.16 well spent
Would be a real shame if someone bought yourmom.zip
Nathan McNulty retweeted
If you have a Microsoft account, please read this thread. Also, consider creating an alias that you only use to sign into your MS account, then remove the ability for your real email to be used to sign in. Never use the new alias for anything but signing into your MS account.
1. Go to account.live.com, security, and view my activity. 2. Freak out when you see how many times people try to log into your account from all over the world. 3. Take the opportunity to ensure your 2FA is up to date, don't use phone/SMS (use an app), change your pwd, etc.
Nathan McNulty retweeted
M365 Apps for Enterprise Security Baseline is now available in #Intune Console
Nathan McNulty retweeted
This is a super high level starting point but it's what I would tell someone trying to get into the rapidly aging cadre of experts in on-prem security. Which is super unsexy to your peers. I'm gonna have a job somewhere forever. Fuck. By @EricaZelic ericazelic.medium.com/beginn…
I was, unfortunately, reminded today that not everyone is using Cost anomaly alerts for their Azure subscriptions. These alerts are completely free, but you have to enable them. Please set this up to avoid unexpected bills due to attackers or accidents :( learn.microsoft.com/en-us/az…
Microsoft licensing in a nutshell "Whoever designed this only thought about the part where you pay for it, not how you're using it"
HAADJ - and I'm signed in with my Azure AD account. I recall it was a PITA to get working initially, but I don't remember what I had to do to force it to check the licensing state. Whoever designed this only thought about the part where you pay for it, not how you're using it.
ICYMI (because I did) Microsoft added Alert tuning to the M365 Defender portal which unifies alert suppression for the various products into one place with way more granularity and control! :) techcommunity.microsoft.com/… learn.microsoft.com/en-us/mi…
Nathan McNulty retweeted
HOW: I solved a problem I couldn't figure out. But neither could anyone else. We don't talk enough about the troubleshooting process, which includes failed theories and ventures! And oversights. The key is powering through, and learning from it. 🧵 For a prv thread, 👀below.
WINDOWS MVP MASTERCLASS: Key to solving issues is RESETTING STATE. This is the secret to so much. It's why rebooting often works. But that's just beginning. Knowing the nuances gives you omnipotent superpowers. I do it often. I've talked before, but I'm going to re-state😉 it:
Nathan McNulty retweeted
I've seen a lot of chatter about Living-Off-The-Land (LOL/LOTL) attacks and techniques on the socials this week. For background info, use cases, and offensive/defensive references, the LOLBAS project has you covered: lolbas-project.github.io/
Any detection engineers want to tell me if this is going to set off alarms? I'm using PowerShell to check a file version over the Internet using a website as a UNC path, lol. It's an extremely elegant solution for what I need, but worried about triggering alerts :-/
Nathan McNulty retweeted
Wrote a blog on how to deploy users to #AzureAD with pre-registered #MFA Thanks to @chiragsavla94 for the idea! aadinternals.com/post/demous…