Jesus follower, family man, security solutions architect, love to learn and teach | Board @OpsecEdu | @TribeOfHackers | AD, Azure, M365 + Defender, MEM, etc

Portland, OR
Joined June 2009
Did you know that you can get a free M365 E5 subscription with 25 user licenses to learn, create automation, and develop applications? I know most folks never get the chance to admin this stuff, so sign up now, and let's walk through this together :) developer.microsoft.com/en-u…
Nathan McNulty retweeted
Would be great if Microsoft would have a "Community Library" for approved scripts to be used in Proactive Remediation #MSIntune @IntuneSuppTeam
This is neat. Also, secure cookies 😁
We're teaming up w/@girlscouts, @cyber_dot_org & @CISAgov on an event to encourage girls to protect themselves & their communities online & consider careers in cyber. Join @SecMayorkas & top women in cyber at our Cyber Awareness event, Thursday at 8PM EST. eventbrite.com/e/decoding-cy…
Nathan McNulty retweeted
I hate MFA app approval mechanisms that just require clicking Accept. I have a suspicion (admittedly, without hard real-world evidence) that in practice they're at least as likely to be circumvented as SMS. Selecting a number or code is better, but code entry is better still.
You know what's better than switching the Accept / Deny button on MFA? Moving to something far more secure than conditioned users clicking Accept :) Say hello to the new Azure MFA's new Code Match option microsoft.com/en-us/microsof…
Nathan McNulty retweeted
Replying to @NathanMcNulty
I swear to god if I have to start picking the squares that contain crosswalks or select pictures of taxi cabs just to log in to RDP, I'm out. Going to be a carpenter.
Wah wuh 🤔
Nathan McNulty retweeted
🚨 #Sysmon v13.30 is out! New "User" fields on several events and a new option to set the size of a field 😱 #MSTIC 1⃣ Event manifest/schema: github.com/microsoft/MSTIC-S… 2⃣ Schema version: 4.81 3⃣ Enrich those detection/hunting rules with "user" context 😉🏹
I'd take this a step further. Access Reviews should be a core component of Azure AD, available at all license levels, and enabled on all roles with active assignments by default. I'm getting tired of orgs getting owned because of auditing learning curves and licensing limitations.
Hiding a highly useful audit capability behind an artificial paywall instead of making it discoverable and encouraging its use is a choice
This would help with Bob's Global Admin account 4 years after he left the company leading to a compromise. There should be better alerts on role adds and API permission grants. Also, the sign-in/audit logs integrated with LA for the workbooks should just be part of the platform..
I'd like to believe that if all of these things were configured by default, we'd see less compromises and faster, less costly recovery. Azure AD will end up being the same quality as Active Directory if we keep going down this road. Stop making this so complicated to secure.
Sadly, this is still a common attack vector, and the recommendations here are good. One additional item I'd add - Access Reviews. Service Principals are now supported in Access Reviews, so you should definitely set them up: techcommunity.microsoft.com/…
1\ #AzureAD ATTACK Technique: Backdoor an Azure application and abuse service principals Attackers actively abuse service principals because: > MFA not enforced > Privilege escalate to Global Admin > Conditional access controls don't apply inversecos.com/2021/10/how-t…
In order to use Access Reviews, you only need an Azure AD Premium P2 license assigned to the person who will be performing the review. No guarantees, but this feature may be an added cost when it goes GA. Things that make me want to light bean counters on fire... 😡
Sometimes I get curious about what changed in documentation, so I check the commit history. This is one of the best I've seen in a while, lol
I never said any of the other commits were any good either ;) I don't know why, but that "It's disabled by default" just hanging there at the end made me chuckle.
Nathan McNulty retweeted
WTF HAHAHAHA HOW IS THIS SHIPPABLE? WHAT IS THIS?!
I've seen this one before, and Millennium Edition won't make it any better
Microsoft is working on Windows 11 SE that will reportedly debut on a new low-cost Surface Laptop SE. This is the latest attempt to take on Chromebooks with a less expensive Surface laptop. Details: theverge.com/2021/10/26/2274…
Now copy the response, change "numberMatchingRequiredState": "default" to "enabled", then use that as the body:
PATCH https://graph.microsoft.com/beta/policies/authenticationMethodsPolicy
Next time you get an MFA prompt, it gives you a code on screen that you type on mobile
BTW, this should be obvious, but it needs to be said.. You probably shouldn't be doing this in a prod environment, lol. If you don't have a dev/test environment, go get one :)