Another day, another bad set of CIS recommendations
Here are the items you do not want to do in this list:
5.1.5.6 - Ensure maximum certificate lifetime for applications does not exceed 180 days
⚠️ This will silently break cert renewal for all of your SAML based SSO apps...
Sign-In Frequency (SIF) is a commonly misunderstood control, one many orgs use to inflict unnecessary suffering on their employees 😩
It probably doesn't work the way you think it does and is often used in less than ideal ways...
So let's look at how it works and when to use it
35 ways to harden your Active Directory environment
1. MFA everywhere, without exceptions
2. Create a patch cadence you can stick with, and stick to it
3. You don’t need more domain admins, limit it like anyone who has it is cursed
4. You can’t protect what you don’t know exists, inventory is essential
5. Segment your network like your career depends on it
6. If it absolutely doesn’t need to be on the internet, it shouldn’t be
7. EDR alone will not save you, diversify your threat detection strategy
8. Application control can be one of the hardest controls to defeat, use it
9. Deception technology is essential for today’s modern threats, learn it and use it well
10. Email security tools are great, but don’t forget out of band processes are key especially for money transfers
11. Teach users the basics of social engineering red flags, don’t phish them yourself
12. If you don’t test your backups, you don’t have backups
13. If you don’t test your DR plan you don’t have a plan
14. If you don’t follow the 3-2-1 rule for backups you don’t have backups
15. Backups in Steve’s basement don’t count
16. Rotating passwords regularly for no good reason is counter productive and then less secure option
17. 99% of vulnerabilities don’t matter, spend your time identifying the ones that could hurt you and address those first
18. Vulnerability scanning doesn’t show the whole picture, pentesting is a must
19. Hunting for misconfigurations yourself is a necessary part of good systems engineering
20. The cloud is not more or less secure than on-prem, it’s your strategy that matters most
21. Service accounts should be treated like radioactive material, tightly scoped and constantly monitored
22. Under no circumstances should the built in admin account be a service account
23. Domain admins should not be service accounts either
24. Active Directory permissions drift over time, assume yours already has
25. If you can’t explain why something needs admin rights, it shouldn’t
26. If you can’t explain why someone needs admin rights, they shouldn’t
27. Separate admin work from daily work, identity debt is real
28. Don’t reuse local admin passwords, LAPS is easy, use it
29. Security tools don’t replace good engineering, they amplify it
30. If fixing it later is the plan, it’s not a plan
31. Boring but consistent security beats clever hacks every time
32. If you don’t know if you have misconfigured ADCS, you probably do
33. After every change in ADCS, run invoke-locksmith
34. After every delegation change in AD run Invoke-ADeleginator
35. Use AppLocker Inspector to audit your applocker policies.
🏷️Bookmark this so you can come back to it later.
Aber die NATO!
Oft wird behauptet, die NATO und der Westen tragen durch die Erweiterung der NATO eine Mitschuld an diesem Krieg. Diese Behauptung ist falsch.
Richtig ist: Die Schuld an diesem Krieg trägt Wladimir Putin. Es gab nie eine Zusage des Westens, die NATO nicht nach Osten zu erweitern. Die NATO ist ein reines Verteidigungsbündnis und Russland hat anerkannt, kein Veto-Recht gegen die NATO-Mitgliedschaft anderer Länder zu haben.
Eine der am häufigsten wiederholten Behauptungen im Zusammenhang mit Russlands Krieg gegen die Ukraine ist, der Westen habe Russland versprochen, die NATO nicht nach Osten zu erweitern. Russland versucht, sich mit dieser Erzählung in die Rolle eines Opfers der NATO-Politik zu bringen. In Wahrheit gab es derartige Zusicherungen nie.
Der Inhalt des Zwei-plus-Vier-Vertrags von 1990 über die abschließende Regelung in Bezug auf die deutsche Wiedervereinigung zeigt, dass es bei den Verhandlungen ausschließlich um die Zukunft des wiedervereinigten Deutschlands ging. Die NATO-Mitgliedschaft Ostdeutschlands wurde im Vertrag geregelt. Andere osteuropäische Länder wurden in dem Vertrag mit keinem Wort erwähnt. Das von der Sowjetunion geführte Militärbündnis Warschauer Pakt, in dem viele osteuropäische Staaten Mitglieder waren, bestand noch bis 1991.
Michail Gorbatschow, 1985–1991 Generalsekretär des Zentralkomitees der Kommunistischen Partei der Sowjetunion (KPdSU) und von März 1990 bis Dezember 1991 letzter Staatspräsident der Sowjetunion, erklärte selbst im Jahr 2014 in einem Interview: „Das Thema NATO-Erweiterung wurde überhaupt nicht diskutiert, und es wurde in jenen Jahren auch nicht angesprochen. Ich sage das mit voller Verantwortung. Kein einziges osteuropäisches Land hat das Thema angesprochen, nicht einmal nach dem Ende des Warschauer Pakts 1991. Auch die westlichen Staats- und Regierungschefs brachten es nicht zur Sprache.“
Erweiterungen der NATO gehen nicht von der NATO aus, sondern von den Staaten, die Mitglieder werden wollen. Eine NATO-Mitgliedschaft ist eine souveräne und demokratische Entscheidung der Länder, die der Allianz beitreten wollen, und der Bündnispartner.
Im Mai 1997 unterzeichneten die Mitglieder der NATO und Russland die NATO-Russland-Grundakte. Beide Seiten verpflichten sich darin, die Souveränität aller Staaten zu achten. Russland erkennt in der NATO-Russland-Grundakte an, dass es kein Vetorecht gegen die NATO-Mitgliedschaft anderer Länder hat.
Der russische Präsident Wladimir Putin versucht, den russischen Angriffskrieg gegen die Ukraine damit zu rechtfertigen, einer NATO-Mitgliedschaft der Ukraine zuvorkommen zu müssen. Tatsächlich war die euro-atlantische Integration der Ukraine bereits ab 2002 ein offizielles Ziel der ukrainischen Politik. Auf dem NATO-Gipfel in Bukarest 2008 beschloss die NATO jedoch, der Ukraine keinen Aktionsplan für die NATO-Mitgliedschaft (MAP) anzubieten, da „noch Fragen bezüglich des MAP-Antrags [der Ukraine] offen sind“.
Die NATO versuchte also nicht, die Ukraine zu einer Mitgliedschaft zu drängen, sondern die Ukraine ging auf die NATO zu. Noch bei einem Besuch in der Ukraine im Februar 2011 betonte der damalige NATO-Generalsekretär Anders Fogh Rasmussen (Amtszeit 2009–2014), dass die NATO die Ukraine nicht drängt und den Status des Landes als Nicht-Bündnispartner respektiert.
Die NATO ist ein Verteidigungsbündnis. Sie stellt für Russland keine Bedrohung dar. Russland ist geografisch das größte Land der Welt. Mit dem Beitritt Finnlands zur NATO im April 2023 hat sich die Landgrenze der NATO zu Russland mehr als verdoppelt. Doch selbst nach dem Beitritt Finnlands beträgt der Anteil der russischen Landgrenze mit NATO-Staaten nur elf Prozent. Es kann nicht die Rede davon sein, dass Russland von der NATO umzingelt oder in die Enge getrieben worden sei.
There’s a less known edge case for Fortinet devices where, rather than act merely as a remote code execution platform, they can serve as firewalls.
https://t.co/Cn4DiVxSof
RMM hunting is one of those areas where defenders get stuck because the answer is rarely “just block it.”
On a day-to-day basis, from the intrusions we see, 𝗦𝗰𝗿𝗲𝗲𝗻𝗖𝗼𝗻𝗻𝗲𝗰𝘁, 𝗦𝗽𝗹𝗮𝘀𝗵𝘁𝗼𝗽, 𝗔𝗻𝘆𝗗𝗲𝘀𝗸, and 𝗥𝘂𝘀𝘁𝗗𝗲𝘀𝗸 are some of the most abused RMMs.
All of these can be legitimate. All of these are also regularly abused.
That makes them annoying to detect, especially if you work in an MSSP or an environment where remote admin tooling is everywhere.
But there is a useful hunting angle here.
ScreenConnect is still one of the most common by far. A pattern I’ve noticed recently is threat actors installing multiple ScreenConnect clients on the same host with different profile configurations, each connecting to different domains.
That looks a lot like access staging or access resale.
The interesting part is that this creates artifacts defenders can hunt for.
𝘐𝘯 𝘵𝘩𝘦 𝘧𝘪𝘳𝘴𝘵 𝘴𝘤𝘳𝘦𝘦𝘯𝘴𝘩𝘰𝘵, 𝘺𝘰𝘶 𝘤𝘢𝘯 𝘴𝘦𝘦 𝘩𝘰𝘸 𝘥𝘪𝘧𝘧𝘦𝘳𝘦𝘯𝘵 𝘚𝘤𝘳𝘦𝘦𝘯𝘊𝘰𝘯𝘯𝘦𝘤𝘵 𝘪𝘯𝘴𝘵𝘢𝘭𝘭𝘢𝘵𝘪𝘰𝘯 𝘱𝘳𝘰𝘧𝘪𝘭𝘦𝘴 𝘸𝘰𝘶𝘭𝘥 𝘭𝘰𝘰𝘬. 𝘐𝘯 𝘵𝘩𝘪𝘴 𝘤𝘢𝘴𝘦, 𝘵𝘩𝘦 𝘱𝘢𝘵𝘵𝘦𝘳𝘯 𝘪𝘴 𝘣𝘢𝘴𝘪𝘤𝘢𝘭𝘭𝘺 𝙎𝙘𝙧𝙚𝙚𝙣𝘾𝙤𝙣𝙣𝙚𝙘𝙩 𝘾𝙡𝙞𝙚𝙣𝙩 𝘧𝘰𝘭𝘭𝘰𝘸𝘦𝘥 𝘣𝘺 𝘢 𝘳𝘢𝘯𝘥𝘰𝘮 𝘶𝘯𝘪𝘲𝘶𝘦 16-𝘤𝘩𝘢𝘳𝘢𝘤𝘵𝘦𝘳 𝘢𝘭𝘱𝘩𝘢𝘯𝘶𝘮𝘦𝘳𝘪𝘤 𝘷𝘢𝘭𝘶𝘦.
That is a very useful hunting signal.
Red flags:
- Multiple ScreenConnect profiles on one host
- Multiple ScreenConnect installations
- Installs under both 𝗖:\𝗣𝗿𝗼𝗴𝗿𝗮𝗺 𝗙𝗶𝗹𝗲𝘀*\ and 𝗔𝗽𝗽𝗗𝗮𝘁𝗮
- Different configured remote domains
- Suspicious or unexpected 𝘀𝘆𝘀𝘁𝗲𝗺.𝗰𝗼𝗻𝗳𝗶𝗴 files
The 𝘀𝘆𝘀𝘁𝗲𝗺.𝗰𝗼𝗻𝗳𝗶𝗴 file is especially useful. It exists inside the ScreenConnect installation directory and can expose the domain and certificate information used by the client to connect back to the remote server.
This is the main point:
Don’t hunt only for the presence of RMM, hunt for RMM drift.
Unexpected profiles -> Unexpected paths -> Unexpected domains. Unexpected configs.
That is where RMM abuse starts becoming visible.
Huh.
Am I the only one who didn't know that Microsoft makes a tool called EventLogExpert that is supposed to be an improved version of event viewer for IT/helpdesk people?
https://t.co/HzSzG1zSO0
. @mubix shared this on LinkedIn and thought some of you might find it useful: “A Practical Reprioritization Guide for CISOs Entering the AI Vulnerability Era”
https://t.co/UaJUb82ecG
We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an RCE there too.
Full story: https://t.co/nQo9MF1Npe
Releasing PrivHound — Bloodhound collector to model Windows local Privilege Escalation as a graph.
Still early — bugs and PRs welcome.
https://t.co/9MkcK3QdgE
Look.. it's a Conditional Access policy simulator built by an infra architect guy who got tired of squinting at What If results 🫠 Shiny graphs yay! 🔗https://t.co/hqKKVDnBFV No sign-in needed, click Sample Data and play around. Or connect to your own data - all's in browser.
🆕A Data-Driven Approach to Windows Advanced Audit Policy – What to Enable and Why.
Excited to share my latest @splunk blog!
Check it out 👉 https://t.co/ZDUTVkAZ3B
I spent time digging into multiple sources and analyzing data to cut through the noise around Windows Advanced Audit Policy. This post is for anyone who's ever wondered what to enable and why.
The goal? Help users make informed, purposeful audit decisions based on data and evidence, not just defaults or random guesswork.
The whole approach has also been streamlined via the Eventlog Compendium Policy Generator - https://t.co/6W4jhptRVR
In Kopenhagen gibt es die Vorschrift, dass alle wichtigen Radwege bei Schneefall bis spätestens 08:00 Uhr morgens geräumt sein müssen, damit die Menschen sicher mit dem Fahrrad zur Arbeit fahren können. So sieht dass dann aus❤️😀
Just built a demo “monitoring matrix” for a slide in my blind spots talk.
Many orgs I’ve worked with have the same idea: “we monitor our systems, visibility is pretty good, only a few systems are not integrated yet.”
Then you put it into a simple table and the pattern is always the same: the top-left looks great. Servers and workstations send OS logs, basic auditing is enabled, some alerting exists. It feels like control.
But when you go deeper, it gets thin fast. Application logs are missing, not collected centrally, not normalized - and often there isn’t even alerting defined for them. People also rarely agree on what a “critical” application-level alert should be. That needs application owners and security to sit down and define signals. OS-level monitoring is already hard; application-level monitoring is where many programs stop.
And when you expand the coverage, it gets harder too. The further you move away from the “standard” systems, the more limits you hit: legacy systems, appliances, OT/embedded, unusual platforms, proprietary log formats, limited access, sometimes legal or organizational limits. Even if you get logs, they are often not easy to ingest and use.
Main point: “we have monitoring” is not a checkbox. It’s a spectrum - and many environments are fairly wide, but shallow.
I'm Boris and I created Claude Code. I wanted to quickly share a few tips for using Claude Code, sourced directly from the Claude Code team. The way the team uses Claude is different than how I use it. Remember: there is no one right way to use Claude Code -- everyones' setup is different. You should experiment to see what works for you!
i've been in the cybersecurity scene for a long time, how long? 5 minutes and here's my single ingredient, no fat, no sugar, no carb, high protein recipe to stay secure:
❌ no ivanti products
❌ no forti products
❌ no sonicwall products
❌ no citrix products
Yesterday NATO StratCOM released their assessment on "Social Media Manipulation for Sale".
Since 2019 NATO StratCOM has been performing Red Team assessments on the largest social media networks. They're trying to assess how resistant they are to external influence.
In summary, NATO gives nerds money to go to sketchy websites and pay for people to artificially inflate their viewership. Once they begin receiving fake views, comments, likes, etc. They monitor the accounts over the time span of several weeks, months, or years.
NATO StratCOM monitors:
- What the accounts are boosting
- Who they're boosting
- When they're boosting
- When the fake accounts were created
- How long the accounts are active
- How long it takes for social media sites to take action
Additionally, because a lot of these boosting services accept Bitcoin, they track the money.
I'll link the paper in the subsequent post. It is incredibly interesting.
What is more interesting however is that on X they noticed right-leaning content is heavily amplified by botnet farms. Conversely, on BlueSky left-leaning content is heavily amplified by botnet farms.
Additionally, in 2025 a significant spike occurred whereas pro-Chinese content on X was manipulated and artificially boosted. The botnets specifically aimed to boost anything which paints China as having superior technology or military capability.