@Cyb3rMonk@caliskanfurkan_ I used the ldap part of this to detect sharphound/domain enumeration and it worked quite well.
Most provides were too noisy to consider using
@theluemmel@DrAzureAD@kfosaaen I think azure ad sso must be configured (normally done via GPOs / single setting) to get this working from a compromised domain joined machine. You need silver tickets for 2 endpoints and 8/10 it won’t work on first attempt - eventually does though
@rucam365 Depends on size/complexity of environment. WDAC is better, AppLocker tends to beeasier to implement (policy is easy to bypass in case of business interruption).
^This for workstations, definitely wdac on servers.
@mubix@rucam365 WDAC is basically Applocker but blocks the system user/admins too (clearly not the same technology) . Also, wdac bypass is considered a security issue so microsoft keeps a list of known bypasses and advices to block them.
Put in simple, wdac policy cannot be bypassed
@cappercap1@SecurePeacock Internet exposed [email protected] with TooColdInDenmark2022 is 1 step faster to compromise than capcap\administrator in Vanilla AD (after all, there is a Cisco firewall to protect the network for a compromise!)
@AndrewOliveau This is only possible if GA is domain synced user, correct? Or does it also work on cloud-only accounts? Not sure if Microsoft fixed what @DrAzureAD reported to them
@DrAzureAD Oh, so the 'bypassing CA' is more of a future thing that you can register a device now and if they ever implement CA requiring device compliance, you'll still have a way in?
Hey @DrAzureAD .. Great 'new phishing technique' blog! I wonder, if we change the values to be for O365, will you get tokens that will allow login with a browser (by changing cookies) or is it all bound to device auth via an API - non GUI interactive?
@DrAzureAD Follow up .. do you know if any CA changes requireing Device Compliance breaks the method you described to make a device compliant? I am trying with AAD but not able to get tokens even - getting error when trying to sign in