Andy Robbins

BloodHound, BloodHound Enterprise, SpecterOps

2025-01-22

@Lee_Holmes Great picture!

2025-01-15

With thanks and acknowledgement to:

Chris Thompson - x.com/_Mayyhem
Dirk-jan Mollema - bsky.app/profile/dirkjanm.io
Adam Chester - bsky.app/profile/xpnsec.com
Brett Hawkins - bsky.app/profile/h4wkst3r.bsky
Thibault Van Geluwe de Berlaere - linkedin.com/in/thibault-van-g
Karl M. - linkedin.com/in/karl-m-937b8b1
Corné de Jong - linkedin.com/in/corn%C3%A9-de-
Dr. Nestori Syynimaa - x.com/DrAzureAD
Rudy Ooms - x.com/Mister_MDM

2025-01-15

In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-att

Andy Robbins boosted:
Lee Holmes Lee_Holmes@infosec.exchange
2025-01-09

Console user and have an Azure subscription? Give this a go. Having ai.exe in the console rather than locked behind a web app opens up incredible opportunities.

github.com/LeeHolmes/ai

Screen shot of using an ai.exe tool from the command line to ask questions, as well as process a text file of a meeting transcript.

2024-11-20

A quick tour of new functions in BARK that support Azure Key Vault tradecraft research, including a walk-through of how an adversary may chain these functions together as part of an attack path: posts.specterops.io/azure-key-

2024-11-19

I couldn't find any PowerShell examples of encrypting/decrypting data w/ Azure Key Vault keys, so I made some:

Protect-StringWithAzureKeyVaultKey
Unprotect-StringWithAzureKeyVaultKey

github.com/BloodHoundAD/BARK/c

Explanatory blog post coming soon.

Andy Robbins boosted:
Lee Holmes Lee_Holmes@infosec.exchange
2024-11-12
2024-11-09

How's it going, y'all?

Andy Robbins boosted:
2024-07-31

Fediverse, due to my wife's thyroid cancer returning we are relocating to Seattle (from Illinois) -- where we can receive familial support and she can get treatment.

To that end, I'm looking for #infosec jobs in the area, but I'm looking to step back from what I've been doing so I have a bit more flexibility to help her and our son. So, hybrid or even full remote, but probably not a senior level position.

I've been consulting and that's been good, but it's too unsteady and too much work on unknown schedules to continue while she is undergoing treatment. I'll also be applying through standard channels, but I hope someone here can lend a hand.

#getfedihired

2024-07-31

@noodlemancer Hi Dan. We are a DC/Seattle-based infosec consulting/training/product firm. We are not "full remote" but we are much closer to "full remote" than we are hybrid. We have excellent benefits including extremely good health insurance. We have several positions open right now: job-boards.greenhouse.io/spect

2024-02-08
2023-08-05

We are releasing BloodHound CE on Tuesday August 8.

This 30 second video shows you the *dramatic* performance improvements over Legacy BloodHound: youtube.com/watch?v=bqMmYi7jaM

2023-08-02

Today: join me and Rohan Vazarkar in the BloodHound Slack from 11AM to Noon Pacific for an AMA regarding the upcoming BloodHound CE release.

Not in the BloodHound Slack yet? Get your invite here: ghst.ly/BHSlack

2023-07-05

08.08.23

2023-02-13

Went on a little hike yesterday in the Middle Fork Snoqualmie River valley. This is from the Oxbow Loop Trail:

2023-01-20

I love this write-up by Kevin Mwanjumwa (twitter.com/sofblocks) on using BloodHound for Azure attack path analysis: sofblocks.github.io/azure-atta

Andy Robbins boosted:
2023-01-10

South Korea's browser extension problem (@WPalant), Prox-Ez, Sam Curry's car hacks, Azure privesc via Certificate-Based Authentication (@wald0), tons of direct syscall techniques, and more!

blog.badsectorlabs.com/last-we

2023-01-04

@Lee_Holmes We used to use this trick to get internal IPs, internal hostnames, and those hostnames would often include internal Active Directory domain names as well. Great recon method for getting internal network/AD info with literally just e-mail.

2022-12-30

My favorite items of 2022:

Favorite overall resource: The Hacker Recipes by Charlie Bromberg - thehacker.recipes/. Amazingly in-depth guides full of explanations, examples, and references.

Favorite blogger: Lina Lau (@inversecos). Lina's blogs are among the best in the industry, full of extremely valuable information for defenders and attackers alike. Lina's blog here: inversecos.com/

Favorite defense-centric blog post: The Defender’s Guide to the Windows Registry by Luke Paine and Jonathan Johnson: medium.com/p/febe241abc75

Favorite offense-centric blog post: Stealing and faking Azure AD device identities by Dr. Nestori Syynimaa (@DrAzureAD): aadinternals.com/post/deviceid

2022-12-29

@Neuromancer The blog post is correct, I made an error in the slide deck.
