Heard of SIEM before but not sure what exactly it does? We explain it in these videos:
https://t.co/8a7w0OGLwB
https://t.co/OLkvEPtW1H
https://t.co/Z3PR0C8flK
For more free courses:
https://t.co/3CnZTkXGpO
#free4arab #SIEM
how to troubleshoot any network issue
your packet's journey from curl to some server in oregon goes through like 12 places it can die, and most ppl only check 2 of them.
the trick: walk the layers in order. each one you rule out narrows the blast radius. "ip route get 8.8.8.8" is the single most underrated command in linux - it tells you exactly which interface and gateway will be used. one line. done.
"getent hosts" over dig, btw - dig lies to you because it doesn't use NSS like your actual app does. wild how many DNS issues are just "/etc/nsswitch.conf" being weird.
mtr instead of traceroute, always. and if hops show as "* * *" past your ISP, run it with "-T -P 443" - turns out half the internet rate-limits ICMP but happily forwards TCP.
stuck in syn-sent? that's a firewall ghosting you.
"100.64.x.x" as your public IP? congrats, you're behind CGNAT and inbound is cooked.
works on small pings but breaks on big ones?
MTU. it's always MTU. (it's never DNS until it is)
cheat sheet:
https://t.co/voddV8PAlb
#linux #devops #sre #networking #sysadmin #homelab #tcpip
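As an added example that is not part of the original post, a small POSIX shell script that walks the layers in the order the post recommends and keeps each decision (CGNAT range, unfragmented ping size, silent mtr hops) in a function. It assumes Linux with iproute2 (ip, ss), glibc getent, mtr and iputils ping; the embedded mtr report is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: walk the layers in the order the post
# recommends (route -> NSS resolution -> TCP path -> handshake -> MTU).
# Assumes Linux with iproute2 (ip, ss), glibc getent, mtr and iputils ping.

# Layer 3 first: the interface and gateway the kernel will actually use.
route_for() { ip route get "$1" 2>&1 | head -n 1; }

# Resolve through NSS (nsswitch.conf, /etc/hosts, resolver) like a real app does; dig bypasses this.
resolve_nss() { getent hosts "$1" | awk '{ print $1; exit }'; }

# CGNAT (RFC 6598) is 100.64.0.0/10: first octet 100, second octet 64..127.
is_cgnat() {
  rest=${1#*.}
  case "${1%%.*}.${rest%%.*}" in
    100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) return 0 ;;
  esac
  return 1
}

# Largest ICMP echo payload that fits the MTU unfragmented: 20 B IPv4 + 8 B ICMP header.
max_ping_payload() { echo $(( $1 - 28 )); }

# Read an `mtr -r` report on stdin and print the hops that answered nothing (100% loss).
# Silent hops mid-path while the last hop answers means ICMP rate-limiting, not an outage.
silent_hops() {
  awk '$1 ~ /^[0-9]+\.[|]--$/ { loss = $3; sub(/%/, "", loss)
         if (loss + 0 >= 100) { n = $1; sub(/\.[|]--$/, "", n); out = out sep n; sep = "," } }
       END { print out }'
}

# Constructed sample report: hops 2 and 3 silent, destination (a TEST-NET-3 address) answering.
SAMPLE_MTR='HOST: laptop            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.1.1             0.0%     5    0.8   0.9   0.7   1.1   0.1
  2.|-- ???                    100.0     5    0.0   0.0   0.0   0.0   0.0
  3.|-- ???                    100.0     5    0.0   0.0   0.0   0.0   0.0
  4.|-- 203.0.113.10            0.0%     5   12.3  12.5  12.1  13.0   0.3'

# Whole walk: walk_layers <host> [tcp_port]
walk_layers() {
  host=$1; port=${2:-443}
  addr=$(resolve_nss "$host")
  [ -n "$addr" ] || { echo "[DNS] NSS cannot resolve $host: check /etc/nsswitch.conf and resolv.conf"; return 1; }
  echo "[L3] route: $(route_for "$addr")"; echo "[DNS] $host -> $addr"
  report=$(mtr -T -P "$port" -r -c 5 "$addr"); echo "$report"   # TCP probes, since ICMP is often rate-limited
  echo "[path] silent hops: $(echo "$report" | silent_hops)"
  echo "[L4] sockets stuck in SYN-SENT (no SYN-ACK back, usually a filtering firewall):"; ss -tn state syn-sent
  echo "[MTU] largest unfragmented ping payload on a 1500-byte path: $(max_ping_payload 1500) bytes"
  ping -M do -s "$(max_ping_payload 1500)" -c 1 "$addr"
}
```

Source the file and call `walk_layers example.com 443`; a DF-flagged ping that fails at the printed payload size while a smaller one succeeds is the MTU case from the post.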
🔑 KQL Detection for MDI Password Protection Insight
Microsoft Defender for Identity (MDI) introduced the Password Protection Portal in March, giving defenders deep visibility into the password hygiene of their Entra ID/Active Directory environments. This new capability is a powerful way to shrink your identity attack surface by highlighting weak, compromised, or high‑risk passwords across your tenant.
To complement the portal, I’m sharing a custom KQL detection that provides your SOC with near‑real‑time visibility into leaked credentials. With this detection in place, defenders can rapidly respond to exposed accounts, revoke access, and further harden identity security.
KQL Code:
https://t.co/rZLjOINsJF
#Cybersecurity #DefenderXDR #PasswordProtection
🔒 Secure Bits 💡
Do You Use Kerberos Authentication Policies?
Honestly… I won’t blame you if you don’t.
They’re powerful—but rarely used.
🧠 With Authentication Policies, you can apply granular protection to Kerberos authentication. Think of it as advanced control for how TGTs and TGS tickets are issued.
Here’s what you can do with them:
✔️ Set ticket lifetimes per-entity (not just globally)
✔️ Restrict where an account can request a TGT
✔️ Restrict who can request a TGS for a service
⚠️ But let me be clear—this isn’t a level 1 control.
To implement it properly, you should already have a Tiering Model and access restrictions between tiers.
Example:
🧑💼 T0-Dave (a Tier 0 admin) is only allowed to request a TGT from T0-Assets—thanks to the policy.
Try it from anywhere else? Error.
✅ This controls TGT issuance.
Another case:
You restrict access to a file server (share) with TGS to only specific users.
If a Tier 0 admin tries to get a TGS for it?
❌ Access denied.
The configuration is done through the Active Directory Administrative Center.
You might ask:
“But don’t I get similar results from just using access restrictions in a Tiering Model?”
Kind of. But here’s the difference:
📌 Tiering restrictions stop you from using the ticket.
📌 Authentication Policies stop you from even getting the ticket.
See the distinction?
Make sure to use the audit feature; you can easily lock yourself out.
🔐 I go through this in my full flagship course: Windows Infrastructure Security (WIS).
There are also Authentication Policy Silos, but we will discover them another day.
But I’m curious…
Have you ever used Authentication Policies in production?
How did it go?
#Kerberos #ActiveDirectory #WindowsSecurity #SecureBits #CyberSecurity #AccessControl
EntraOps. personal research project to demonstrate capabilities for automated management of a Microsoft Entra ID tenant at scale using a DevOps approach, by @Thomas_Live
https://t.co/A6WfT6Lo4o
There are recommended abbreviations for naming resources in #Azure.
This will help keep your services organized for simpler administration.
Here is the resource so you can put it into practice in your deployments.
→ https://t.co/wKNteBQY2f
🛡️Take control of your #GroupPolicyObjects in #ActiveDirectory with 10+ key management actions.
Create #GPOs, clean up outdated ones, fix settings misconfigurations, and prevent conflicts before they create security gaps.
👉https://t.co/hH4blFe6q9
#AdminDroid #ADObjects
New Module: Building / Configuring connectors from the Entra Provisioning Service?
Forget ClickOps. Automate Provision on Demand for retriggering provisioning or recovering from errors causing quarantine using my new streamlined module.
https://t.co/kQuvb1E0nq
Another day to remind you to build the right skills.
- Data Center Operations
- AI deployment and optimization
- Prompt engineering
- IAM
- API Security
- Defense against Automated Attacks
Defenders, these two scripts will help with endpoint and ACL security
1. Audit.ps1
2. ADACLScanner.ps1
Learn how: https://t.co/Wg9YQzSYVU
@three_cube @_aircorridor #blueteam
Haven't assessed your Entra ID PIM state yet? Free tool - connect your Log Analytics Workspace, get your report in minutes.
https://t.co/Lk82MAv87x
#EntraID #Microsoft #IdentityAccessManagement
Why does this happen? Lots of reasons but a few of the likely culprits:
- The vendor says that’s how it should be set up
- IT admin sets it up this way out of convenience
How do you correct this?
1. Figure out where the service account is being used
2. Determine what permissions the account needs
3. Create a new account with least privilege in mind (even better if you can use an MSA)
Unfortunately, the same vendor that says to set up the service account with DA rights is also the same vendor you need to talk to in order to identify the actual permissions this account needs.
Anyone who’s gone through this process knows…it’s usually a nightmare.
TL;DR: least privilege is hard. I empathize. I was there.
There’s no easy button for this
https://t.co/X1IFtRXfeO