Hacker. Technical muppet. Fun Dip Enthusiast. My book: blackroomsec.gumroad.com/l/m…

NY
Joined November 2016
BlackRoomSec retweeted
One compromised Microsoft Entra account - full tenant takeover. And you’re left with what Microsoft gives you as logs. That’s your entire investigation surface. It used to be different. Attackers had to break into a DMZ service, move laterally into the internal network, or pull off a rare browser exploit. Domain admins often didn’t have internet access, and even if they did, they didn’t use their admin accounts for browsing. You had to escalate privileges. Now all they need is an access token. When a compromise happened, you had everything: files, logs, memory, disks, network captures - the full picture. Now it’s just cloud logs. Things have changed, but not for the better. That said, the article shared by Mandiant here is excellent. It gives practical guidance on how to secure high-privilege accounts in Entra envs.
One compromised Microsoft Entra ID or Azure account can lead to a full tenant takeover. Our new framework ranks roles by risk and adds strong MFA + secure admin workstations to protect the most critical accounts. Read the whitepaper: bit.ly/47GbPTU
Told the former intern today to brush up on networking and build this skill, as it is vital. The DNA lab I used to work for (I found this out today) laid off 60% of the workforce. They weren't a big company. If you have a job, make sure you hold on to it and don't be a cowboy/girl, because these are not the times to be playing around. Even if you hate it, you learn to love it until things improve.
The layoffs will keep coming. This is your sign to come up with your “Plan B”. Start building, nurturing, and reaching out to your network. Ex-colleagues are a great place to start. Start building out some cash runway, as there’s a decent chance your job search will take longer than expected. I’m not sure when the job market will improve, but I don’t think it will be anytime soon.
Ed, nicely done to you and the team on this year's Holiday Hack. 👍♥️ Thank you for doing this, year after year, for us. I know how hard you all work at your day jobs, and the amount of effort you put into these challenges takes away precious time from your family and friends. We do not deserve you. cc @edskoudis
BlackRoomSec retweeted
If you haven't seen it, go check out the SecOps guide for Entra. It covers the operationalization of security across users, devices, applications and more. If securing Entra is part of your job description, this should be bookmarked. learn.microsoft.com/en-us/en…
BlackRoomSec retweeted
Ever want to get better at writing FOIA requests or join a cool team that's trying to make a difference? Check out foia.hahahackin.com (redirect) for a recent example of a FOIA that my team just submitted and send me a msg with your email if you want to join up. Free for now.
Remember, remember, the fifth of November. The gunpowder, treason and plot.
BlackRoomSec retweeted
Hackers Podcast #350 is now available. neverrain.org hackers.xxx
BlackRoomSec retweeted
New to CTI? The "deepdarkCTI" GitHub repo is your starter pack: buff.ly/9O7LCGl It's a goldmine of links to the tools and sites you need to know about, saving you hundreds of hours of searching. Find the best resources for CTI all in one place.
😂😂😂😂
$20k to simulate the experience of a roommate with a ketamine problem.
Orgs should focus on training their employees properly on what happens AFTER a phishing link is clicked, with a full-scale demonstration of account takeovers and lateral movement to the inevitable conclusion and catastrophic event. You don't need a big security team to use the free MITRE ATT&CK Framework to figure out how hackers are going to get into your environment. You do not need a big security team or expensive hardware and software to read adversary threat emulation reports and then try to emulate the same attack in your own environment. I have done this for the last 5 years, live hacking for my org, to great effect. Why? Because the training prior didn't actually train anyone, didn't work, and people were still clicking on links they shouldn't have. I basically stopped doing the same thing over and over again and expecting different results. Once I showed them what happens after they click, everybody stopped doing it because they knew the consequences and were more informed. Everyone was paying attention when, as in one example I demonstrated, after breaking into one account I was able to obtain the passwords to various other accounts, because there was no password management in place and everything was in files that could be seen in the cloud. I talked them through what was going on in my mind as I was moving throughout the environment, gaining access to various things and obtaining more information I shouldn't have. I opened these files and showed them that most of the passwords were the same and explained why that was bad, because an actual hacker, that being me, uses that information to further compromise them. I showed the employees how using the same password on their VPN, as an example, could enable me to get into their work computers. I explained that misconfigurations or deliberate disabling of security features could allow me to be successful.
I also demonstrated with fake accounts I created how using the same password at work and at home could enable me to further compromise them in a personal sense, and how a motivated attacker would absolutely find all of this information about them because they're leaking all sorts of things on their socials. And I actually did gain access to a work computer this way on a big screen in the conference room, and then all the upper management, which had previously been fighting me on technical upgrades, were all ears and were finally ready to give me the money I needed to secure us. Prior to this all I heard was that management didn't care and would only care when they got hacked, so a light clicked in my head and I said okay, I'm going to actually hack them then. Turns out the person that said it to me was right: they did suddenly care! 😂 Training is only effective when you can convince your audience that it could happen to them too and show them the actual consequences of their actions. Not in theoretical terms but in actual practice. Also, stop having them click a report phishing button! You are confusing your audience when you tell them not to click the phishing link, but if they get one, to click another button to report it. With modern technology stacks there is ZERO reason why your admins need to get an additional alert that a phishing email was received, because they've already received that alert in their SIEM. And in most cases, if more than one person has received the same phishing email, you can select all of them and remove them from everybody's mailbox all in one click. The user should not be involved in this process at all unless they actually clicked it and they need to reset their password and blow out multi-factor. Phishing accounts for over 70% of compromises. Why are we relying on people who are not technical, who don't know what happens when they click a bad link, to not click that link, in order for us not to get hacked? This seems crazy to me.
Should companies invest more in training employees to avoid phishing attacks, or focus on hardening applications to withstand social engineering exploits?
BlackRoomSec retweeted
Replying to @1x_tech
Imagine making love to your partner and your robot, operated by some random dude with a VR headset, walks into the room. Lmao, no thanks
BlackRoomSec retweeted
Justice isn’t blind, but you better know the system. I learned that the hard way, standing alone in court, cross-examining the system that built me. Fighting City Hall: DFIR Lessons from a Pro Se Plaintiff 📅 Nov 12 • 11:30 AM MT • Free live webinar + 48-hour replay suspectbehindthekeyboard.com… #DFIR #digitalforensics
Neo bot. Thoughts? Something feels off with this.
Kryptos 4, a.k.a. "K4", the fourth and final part of the CIA sculpture, has been solved; however, there is a twist. The methodology used to create the ciphertext, which is typically what is used to decrypt it back into plaintext, has not actually been solved; only the words were decoded, due to the creator's error (detailed in the pic). My point in mentioning this is: even if you're up against it, staring at that screen, wondering how you're going to get through the engagement, the project, the CTF, the hack, whatever it is you're doing, and you do NOT see a way forward, just know there is one. It may not be linear, and ultimately you just need to find it. Sometimes you don't find it and that sucks, but at least you know there is a solution even if you didn't come by it yourself. Every cryptologist, code cracker and amateur hobbyist has tried to crack K4 and has failed. Technically, the writers failed too, but they found a way to decode it without having the method. That is the essence of hacking. Finding the unintended route. The inconvenient loophole. It's seeing what, for many, is hidden in plain sight but your hacker eyes can see straight from the jump or with closer inspection.
Get-AppxPackage | Out-GridView -PassThru | Remove-AppxPackage
I'm reposting my reply in case one of you needs this. Redmond should have allowed this when Win 10 came out and everyone was complaining about all the bloat, but here we are. You can use this command to get a GUI window, select all the packages you want to remove, and then remove them instead of repeatedly typing commands. This command really helped during Sysprep.
Microsoft now allows IT administrators to remove pre-installed Microsoft Store apps (also known as in-box apps) using a new app management policy. bleepingcomputer.com/news/mi…
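An added example, not the poster's own one-liner, showing a more careful variant of the same Get-AppxPackage / Out-GridView / Remove-AppxPackage flow: it keeps the interactive selection step but filters out framework and non-removable packages, protects a keep-list from accidental selection, dry-runs the removal with -WhatIf, and writes what was chosen to a log. The keep-list contents, the log path, and the function names are assumptions for illustration; it is written for Windows PowerShell 5.1 on Windows 10/11, where Out-GridView and the Appx module are available.

```powershell
# Added example (not the original poster's command). Assumes Windows PowerShell 5.1
# on Windows 10/11 with the built-in Appx module and Out-GridView available.

# Constructed keep-list: packages that should survive even if someone selects them
# in the grid by mistake. Adjust to your own baseline.
$KeepList = @(
    'Microsoft.WindowsStore',
    'Microsoft.WindowsCalculator',
    'Microsoft.DesktopAppInstaller'
)

function Get-RemovableAppx {
    # Hypothetical helper: only packages that can actually be removed and are not
    # on the keep-list. Framework packages are dependencies of other apps, and
    # NonRemovable packages are refused by the OS anyway, so skip both up front.
    param([string[]]$Exclude = $KeepList)
    Get-AppxPackage |
        Where-Object { -not $_.IsFramework -and -not $_.NonRemovable } |
        Where-Object { $Exclude -notcontains $_.Name }
}

function Remove-SelectedAppx {
    # Hypothetical helper: present the grid, then remove what was ticked.
    # Without -Force this is a dry run (-WhatIf), so the operator can review the
    # list and the log before anything is actually uninstalled.
    param(
        [switch]$Force,
        [string]$LogPath = (Join-Path $env:TEMP 'appx-removal.log')
    )

    $Selected = Get-RemovableAppx |
        Select-Object Name, PackageFullName, Publisher, Version |
        Out-GridView -Title 'Select packages to remove' -PassThru

    foreach ($pkg in $Selected) {
        # Record the decision before acting on it so the log is complete even if
        # a removal fails part-way through.
        "$(Get-Date -Format o) $($env:USERNAME) REMOVE $($pkg.PackageFullName)" |
            Add-Content -Path $LogPath

        if ($Force) {
            Remove-AppxPackage -Package $pkg.PackageFullName
        } else {
            Remove-AppxPackage -Package $pkg.PackageFullName -WhatIf
        }
    }

    return $Selected
}

# Dry run first; re-run with -Force once the selection and log look right.
Remove-SelectedAppx
```

Remove-AppxPackage only removes the package for the current user; for an image that will be sysprepped, the provisioned copy that new users receive is handled separately by the DISM module (Get-AppxProvisionedPackage -Online | Remove-AppxProvisionedPackage -Online), which can be driven from the same Out-GridView selection.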
Thank you for asking. Yes, I do. And please, as you read this, keep in mind this is not directed at you in any way but towards creators who create the exact opposite content of what I'm about to describe and basically waste everybody's time. Pick a topic and you will quickly see there are two types of content available for that topic: beginner level and nightmare level. There's no in between. There is no steady progression. And now, with the advent of artificial intelligence, there's a lot to slog through that doesn't help the viewer in any way, shape or form. It's just AI word salad. And it's terrible and I hate it. Create content like Professor Messer. From beginning to nightmare level, in a steady progression, you learn everything you can possibly learn about networking, with real examples and use cases and real questions that you will need to answer if you do this as a day job. No one is going to set up MCP servers on a weekend to control all the appliances in their kitchen. That's not realistic, nor is it useful to the viewer in any way. Those who will set up an MCP server (i.e. me, you) to control all the appliances in their kitchen are going to be a very small number of people and not your target audience. Don't worry about the 10% of your viewers; focus on the 90%, because they are your bread and butter. Once a month I spend two hours, if not a little more, on various help desk, Microsoft and Reddit forums reading what people are actually complaining about as far as their technology is concerned. I also look up the keywords that are trending in tech so that I understand what the current problem du jour is for the general normie population. Even though I know how to fix the problems these people are posting about, I am reading the responses by other tech people to make sure that how I solve it is also how they solve it. I don't know everything, so I could be missing quite a lot.
Like how 4 years ago I learned I needed to also set an app password on a free personal Microsoft account to mitigate the Exchange ActiveSync hack. While that is mitigated on Microsoft's servers today, 4 years ago it was not, and by not setting that app password I was leaving open a hole. I learned this by reading Microsoft forums until my eyes hurt. You take the topics people are talking about and you make content about that, because it's relevant and it is useful to them. Just like when you go on a job interview you're trying to convince the employer to hire you so that you can solve all their problems, you should be creating content that actually solves problems for people. You can tell personal stories and be funny and make them laugh throughout, but your overall goal should be to solve their problems so that they see you as a resource they can rely on. And if you do a good enough job, they will come back again and again. Find successful content creators and pick a sampling of their videos that are the most popular, and write down what you see as far as patterns are concerned. Write down your thoughts as you've watched them on how you feel about the content, and make sure you use a lot of action words, because that's how people think, in an action sense. Those content creators are popular for those reasons, what you wrote down, so try to emulate that if you can with your own stuff, but don't plagiarize. That's all I got. Good luck.
Replying to @blackroomsec
Do you have some recommendations for YouTube creators that do good networking content?
Purchase subscriptions to Hack The Box and TryHackMe so you can start to see the kinds of things you will be exposed to at work. Look up networking courses on YouTube for free and learn the troubleshooting process, which includes a root cause analysis, because you're going to be expected to provide one all the time. You cannot guess; you must know for a fact. Do not make assumptions, but back up your statements with evidence. Once again: you are never going to make an assumption or tell a manager that you know something for a fact if you do not. Do that and you quickly become untrustworthy and they will not promote you. Get comfortable with saying you do not know something, because often you will not know something until the moment you do. Get comfortable with those not familiar with your job not understanding that and getting very frustrated with you because you're not giving them what they want to hear. Practice saying to them that the answers they are looking for need to be correct and you need time and space to find those answers. Build your social skills with your coworkers in particular, and look for ways to help them in their work so in return they show you things and teach you. For the first two years you are a sponge. What I mean by this is you are soaking up everything that you are learning. You are not an expert at this stage, so do not act like one, because you will be ignored and probably laughed at. Don't be cocky with those you work with. People in our industry have very big egos, but you can only use that as leverage when you have the background and experience and knowledge to back it up. I can pull rank on others now because I have more experience than they do. I could not pull rank on them when I was 2 years in, but I can tell you I tried and I was knocked down all the pegs by my colleagues for being a smart-ass. No one likes a smart-ass.
At the end of the 2 to 5 years you should know everything possible to build and fix computers and build and fix networks. You should have a solid handle on how to write your own scripts in PowerShell and Python. You should be comfortable with tools like Process Monitor and with how to troubleshoot memory issues and CPU spiking issues on a computer. And much, much more. I teach all my interns and underlings that you have to show up for work and be mentally present and engaged in order to be successful. If this is truly what you want to do in life, then you need to act like it and convince everyone around you that this is what you want to do until the day you retire. If you act like this is just a pit stop, then you're going to be treated like that by others and they're not going to take you seriously. You need others to help you on your journey, so make sure they understand that you're in this for the long term and they will help you. And that's basically it. Get up, make your bed, take a shower, get dressed, look presentable, smell nice, and go to work every day with the assumption that you are going to learn something new. That is the only assumption you're allowed to have. Good luck.