Denver Ang

🥷Microsoft Incident Response Ninja Hub (Updated 28 Dec 2025) 🛡️ Dive into: - Expert-led guides & best practices - Threat hunting & cloud forensics tips - Ransomware & APT case studies - One-page investigation playbooks - KQL techniques & recovery strategies https://t.co/SRHnDr3tDX #Cybersecurity #MicrosoftIRHub

Today I learned: Using diskshadow to fetch the NTDS.dit. As mentioned several times, I love reading the HTB writeups from 0xdf because I always learn something new. Like here [1]: "To dump the domain hashes, I’ll want to get the C:\Windows\NTDS.dit file. Unfortunately, this file can’t just be copied as it is locked and in use. I can access it via a shadow copy, which I’ll generate with diskshadow and this script: set verbose on set context persistent nowriters set metadata C:\Windows\Temp\0xdf[.]cab add volume c: alias 0xdf create expose %0xdf% e: and pass it [the script from above] to diskshadow: C:\programdata> diskshadow /s C:\programdata\backup" Attackers love vssadmin, and so do the EDR vendors. How about diskshadow? We tested the attack flow in our lab with various EDRs, and the results were .. interesting. Would the command above trigger an alert in your environment? And here, for reference, is the corresponding lolbas article [3] [1] https://t.co/coiRYMKEmP [2] https://t.co/eTvvrlMbrD [3] https://t.co/cCAh5iWOmX

When “Block All” in Conditional Access blocks too much… 🔒 Until recently, guest users couldn’t change their MFA methods when you blocked all cloud apps. The My Sign-ins app is now selectable in Conditional Access 🎉 Finally possible: ✅ Limit guests to M365 resources ✅ Keep self-service (MFA, profile) working 🧩 Read how to configure it: https://t.co/gmA2IJRWBY #EntraID #ConditionalAccess #Microsoft365 #Intune

Check out this new browser extension > https://t.co/vMHKqvd37u. Conveniently 𝐂𝐨𝐩𝐲 or 𝐃𝐨𝐰𝐧𝐥𝐨𝐚𝐝 any Conditional Access policy to JSON! ⭐ If you have ever needed to backup, recreate or document a Conditional Access policy, the first step is usually to programmatically obtain the configuration in JSON format... Now you don't have to do this programmatically, as I have baked this functionality directly into the admin portal with my 𝐂𝐀 𝐏𝐨𝐥𝐢𝐜𝐲 𝐂𝐨𝐩𝐢𝐞𝐫 extension! Use the link above to learn how to install it! #Entra #ConditionalAccess #Microsoft

I really like getting alerts before something goes wrong in Intune. When a certificate is about to expire, when devices start going out of compliance, or when apps fail to install across many devices. It saves time and it means I can enjoy my coffee instead of clicking through logs all morning 😄 I’ve just updated and added 4 scripts that help with this: • Apple Token Expiration • Device Compliance Drift • Stale Device Cleanup • App Deployment Failure They checks the tenant for problems and let you know before users start calling. No more guessing or manual checks. You can find these and more on the website. Hope they help someone out there save a few hours too.