šŸ› ļø Former Sysadmin, now Pentester | Microsoft MVP | Helping IT teams make their environment harder to attack | @SecurIT360 & @CyberThreatPOV

šŸ°AD Security Resource Kit ā¬‡ļø
Pinned Tweet
Come hang out today and talk about application control! 🤘
Replying to @magicswordio
Tomorrow we're live at 2PM EST talking AppLocker migration with special guest @techspence . See you there. 🎙️ 🔗 Register here: magicsword.io/prevention-lab…
Never underestimate a properly motivated “adversary” 💪😆
Never underestimate a properly caffeinated user and a little PowerShell knowledge ☕🔑😆
Best Wi-Fi names, I’ll go first… WuTangLan 😆😆😆
The new year is almost here, don’t forget to add the following to your password cracking/spraying lists: Spring2024 Spring2024! Summer2024 Summer2024! Winter2024 Winter2024! Fall2024 Fall2024! Password2024 Password2024! Companyname2024 Companyname2024!
Regular reminder… this hardening series by Jerry Devore is super awesome. There’s no way you won’t learn things by reading these. Part 1 - Disabling NTLMv1 Part 2 - Removing SMBv1 Part 3 - Enforcing LDAP Signing Part 4 - Enforcing AES for Kerberos Part 5 - Enforcing LDAP Channel Binding Part 6 - Enforcing SMB Signing Part 7 - Implementing Least Privilege Link to all articles 👇 techcommunity.microsoft.com/…
Documentation is probably one of THE MOST underestimated SKILLS in all of IT/Security...
Everyone wants to spend $100k for EDR but no one wants to take away local admin rights from Suzie in accounting…
Active Directory hardening blog post series, like a boss, by Jerry Devore. Posting this so I can reference it later! Disabling NTLMv1 techcommunity.microsoft.com/… Removing SMBv1 techcommunity.microsoft.com/… Enforcing LDAP Signing techcommunity.microsoft.com/… Enforcing AES for Kerberos techcommunity.microsoft.com/…
How to learn Active Directory… Step 1. Set up your own lab. Set up LAPS, AppLocker, logon scripts, CA server, SCCM, Exchange, file shares etc, the whole nine. Step 2. Intentionally misconfigure it with tools like BadBlood and BadShares (I wrote this one) or just manually screw it up. Step 3. Find all the messed up stuff (PingCastle, ScriptSentry (mine), Locksmith, ADeleginator (me again), AppLocker Inspector (also me), PurpleKnight, etc etc). Included in this step is documenting the stuff you find and the root cause (makes good blogging/video content). Step 3a. Try to exploit the bad stuff. This is optional but it’s super fun and I believe it’s helpful to know how threat actors may attack the stuff you find (also good content). Step 4. Fix all the messed up stuff. Included in this step is documenting your process and the fix (again good content). Step 5. Repeat until you can talk about XYZ without looking it up. Bonus - document your process and stuff you’re doing on social media. Write blogs, make videos, whatever. Post daily. Do this consistently for 1 year without looking up and I bet you’ll be surprised how far you go in just 12 months. PS - This isn’t the only way. This is just what I’d recommend based on what’s worked for me and seeing others learn this way 🙏
How to make pentesters cry... Run PingCastle/PurpleKnight, Locksmith, and ScriptSentry in your environment and fix all the critical issues before your next pentest. I promise you...they will weep
My oldest kid is 12. Active Directory is 25. One of them still wakes me up in the middle of the night screaming.
Scare a sysadmin in six words or less I’ll go first… Did you take a backup first?
How to *never need an internal pentest ever again: run pingcastle, scriptsentry, locksmith, adeleginator in your environment and fix the issues that are found *almost
CISOs when they get their pentest report and it’s just Nessus output
I will use this responsibly… I will use this responsibly… I will use this responsibly…
Open source community after the xz backdoor incident
Active Directory hardening is free…outside of your time. Overall - PingCastle Passwords - FGPP, LAPS, Lithnet Permissions - ADeleg/ADeleginator Applocker - Applocker Inspector/Applocker gen ADCS - Locksmith Logon scripts - ScriptSentry GPO - GPOZaurr Baselines - CIS/Microsoft Attack surface - ASRGen What am I missing?
How do you meaningfully improve the security of your AD environment? Run these free tools quarterly: - PingCastle - ScriptSentry - Locksmith - ADeleginator If you just ran these tools and fixed everything identified by them, your AD environment will not only be more secure, but you’ll sleep better at night.
I'm gonna start calling this THE FABULOUS FOUR! 😂
Replying to @MikeTalonNYC
not wrong in many cases
Investing in Cybersecurity without a solid IT foundation is like putting a vault door on a tent…
Explain this photo in cybersecurity terms
Pentesting internal networks is 90% finding things admins already knew were a problem but ignored 😔
From Microsoft’s digital defense report, ransomware section. Unmanaged devices is literally crippling organizations
Securing windows endpoints is a full-time job...
Oh you’re a sysadmin? Name every system in your environment.
Open Reddit. See this. Close Reddit. 😂🤣🤪 teddit.net/r/sysadmin/s/0xya…
I did a pentest recently where the client had hardened endpoints, app control, EDR & MDR, custom alerts they created themselves, good hygiene, tiered admin accounts, etc. I wish I could talk about all the awesome stuff they were doing. I think part of why offensive security has become so popular is because the super cool awesome blue team stuff isn’t shared as much, for obvious reasons. Defenders don’t want to give up their hands. Blue team stuff can be cool and fun and awesome. We just don’t get to see it as often. I wish we did.
There are two types of sysadmins: 1) those with more complex home networks than they have at work 2) a 10-year-old Linksys sitting in the corner covered in dust and cobwebs
Active Directory is hard. Managing permissions is hard. It's even more difficult when you factor in: - numerous sysadmins - dozens of GPOs - tens of dozens of security groups - thousands of user and computer objects - certificates - share permissions and NTFS permissions There's so much that can go wrong with permissions and delegations. I'm doing a webinar in September that is focused on helping sysadmins find insecure and misconfigured permissions. I'll share some tools and techniques I use, which are all free. If that sounds interesting, I hope you'll join me! Register here 👇 and pass this on to a colleague securit360.com/webinar-truth…
The fabulous four!
What’s your favorite security tool?
Things you shouldn’t use Domain Controllers as: - File Server - Print Server - Web Server - Database Server - Certificate Authority - Meme stockpile (well maybe…) - Personal bootlegged movie backup But seriously…
Let’s make Active Directory security education available to all! List your favorite Active Directory security resources. Plz share for reach!
You're hired as a Senior Sysadmin at an organization. The team is small, 10 people total. You also are responsible for "security" because, well, because. What are the first 3-5 things you're doing to get comfortable with the team, the environment and infrastructure?
Before a breach: “Do more with less.” After a breach: “Here’s a blank check.”
Too soon? 😅
How to harden your environment better than 90% of organizations [Part 1] 1. Run PingCastle 2. Run Locksmith 3. Run ADeleginator Bonus: Run PurpleKnight, AppLocker Inspector (if you use AppLocker), and ScriptSentry (if you have logon scripts) Then fix all the findings. What else?
99% of vulnerabilities won’t hurt you
Unpopular cybersecurity opinions that would get you in this position?
Just finished a pentest for a client who actually does security the right way: layers, hygiene, app control, and meaningful alerts. It’s wild how rarely defenders get to show their best work. Offensive stuff gets the spotlight, but blue team/defensive security deserves the applause too.
My goto AD toolbelt: PowerView (custom) PrivescCheck (custom) PingCastle ScriptSentry Spray-Passwords (custom) SpoolSample secretsdump[.]py AMSI Bypass (custom) bypass-clm (custom) ADExplorer ADeleg Rubeus Certify BloodHound/SharpHound Locksmith SharpSCCM Inveigh PowerUpSQL Nmap
My latest AD toolbelt: ldapdomaindump NetExec impacket adidnsdump certi Certipy BloodHound.py ldeep pre2k certsync hekatomb MANSPIDER Coercer DonPAPI go-windapsearch kerbrute enum4linux-ng.py silenthound.py targetedKerberoast.py FindUncommonShares.py
🧵Pentesting from windows is sometimes like.. Step 1. Login Step 2. Open Explorer Step 3. Open file share Step 4. Search file share for “vmdk” Step 5. Download the sam system and security hive using volumiser (cc @_EthicalChaos_) Step 6. Extract hashes with secretsdump 1/3
Modern day vulnerability management is great at finding a whole bunch of stuff that doesn’t matter that makes IT teams deprioritize stuff that actually matters in order to drive down a number to show artificial risk reduction
I think in many ways vulnerability scanners have done more harm than good
Prevention > Detection. Let’s make attackers hate their life. No doubt EDR is essential, but it’s not a silver bullet.
If you know you know
Replying to @syndrowm
"security"
Pentesting internal networks is 75% finding things admins already knew were a problem but don’t have the time, money or team to fix 😔
Tabletop scenario: Your EDR vendor pushes an update and BSOD all of your computers. Every single one. Across the globe. Go...
When it’s not DNS, what is it?
Weekends are for memes..😂😅
If you want to be an Active Directory pentester….learn how to manage and secure an Active Directory environment. That’s 90% of what you need to know
Hey hackers.... What's your favorite local privilege escalations in windows/AD environments? 😈😎
👀😂😅
Internal pentest findings that shouldn't exist in 2025... - credentials on file shares/sharepoint/dms - local admin password reuse - kerberoastable domain admins - ADCS Misconfigs - spooler running on DCs - lack of powershell restrictions - EDR missing on hosts
My two goto sites for analyzing phishing/suspicious sites: URLScan and Browserling What’s yours?
shamelessly stolen from someone in my discord
when you find and alert everyone about the xz backdoor 😆😂🙌
Being a Sysadmin is one of THE HARDEST jobs in tech. Not only do you need to keep the lights on but at most orgs you're wearing so many hats that you also have to upgrade servers, deploy networking equipment. Oh, and you have to patch and make sure you don't get hacked.
The IT admin turned security admin is a really great career trajectory. It sets you up nicely to expand into just about any other security role, from pentesting to DFIR. 1 experienced, thoughtful, resourceful IT admin is worth their weight in gold
Accurate 😂
If you're a red teamer or pentester, where do you go to learn more about evasion? These immediately come to mind. Are there others you'd recommend? 1. Maldev academy 2. Sektor7 3. RTO 1 & 2 by zero-point security 4. S3cur3th3sh1ts content 5. Mr. Un1k0d3r's content
Attackers don’t need 0-days…they need users with too much access.
Domain Admin shouldn’t log on to workstations. Here’s one way to restrict DA logins to workstations: Create a GPO… Computer Config → Windows Settings → Security Settings → Local Policies → User Rights Assignment → ‘Deny log on locally’ & ‘Deny log on through RDP’ → add Domain Admins Apply to workstations Done. Did I miss anything?
You actually DONT need to patch EVERY vulnerability
If you work in Cybersecurity, you most likely sit at a desk for hours and hours on end...Honestly it's easy to lose track of time... But don't forget to stand up. Get some steps in. "Touch some grass" as they say. A little fresh air and a short walk can really be great physically but also mentally. Especially if you get so engrossed in your work like some of us do 🙃 Sitting at a desk all day every day, hunched over, bad posture... that will catch up to ya Take care of your body, it's the only one you've got.
You’re an IT/Security leader. You have a team of 10 and a $100K annual security budget (not including salaries). How do you spend it?
Pro tip for getting a reaction out of IT/security leadership when discussing cybersecurity investment... "Who takes responsibility if we suffer a data breach?"
🚨 In case you were not able to make it to the Harden Active Directory webinar I did recently, here's a link to all the resources for you! Webinar recording: offsec.blog/HardenADWebinar Slides: offsec.blog/HardenADSlides Thanks so much for everyone's support. ✌🙏
Q4 is here, don’t forget to add the following to your password spraying lists: Fall2025 Fall2025! Autumn2025 Autumn2025! Autum25! Password2025 Password2025! Companyname2025! Companyname2025!
Happy Tuesday 🤪
Sysadmins who have security chops have a serious competitive advantage in the industry. Add some people skills on top of that and you’re unstoppable
You’ve got an Active Directory lab, now what? If you want to practice security scenarios, run a free tool called BadBlood, to intentionally misconfigure AD, then… Step 1, try to FIND all the mistakes and misconfigs and security issues Step 2, try to FIX the issues you identified I promise you, in doing this, and researching, you will learn a TON about Active Directory. 🧠Inspired by: teddit.net/r/activedirectory…
😈 What did I miss?
You don’t need more cybersecurity certifications, you need more experience…
A quick and easy way to find services with unquoted service paths is to open up PowerShell and run the following: Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName -notmatch "`"" -and $_.PathName -notmatch "C:\\Windows"} | Format-List
What’s the best way to get someone up to speed with securing Active Directory that has only an introductory level of knowledge about AD?
An attacker's favorite target once they are inside a network: IT management servers So many times I've seen them: - Not have EDR, or if they do it's disabled - Have scheduled tasks running as Domain Admins - Have loads of unsecured creds on c:\, d:\ and e:\ drives - etc, etc. Secure those IT management servers!
Things I wish I knew about cybersecurity/pentesting/red teaming/etc when I started… I’ll go first:
I'm fascinated by the number of engagements I do where I tell an IT admin about PingCastle and it's the first they have ever heard of it. Such a phenomenal, free tool, that can find VERY serious vulnerabilities with the click of the mouse. 🙏🙏
Does anyone ever work in absolute and complete silence? Sometimes when I am pentesting, I have no music nothing on. Just the silence of me and my keyboard
Social Engineering
IT admins, do you have RDP locked down? Great! Awesome! Now what about psremoting? I've seen a number of times where RDP was well protected with MFA and alerting, but psremoting was allowed by default and I was able to skirt by detections for lateral movement as a result.
Delegated permissions in Active Directory: silent but deadly 💩💨🤢 For example: Some random user with “FullControl” of the Domain Controllers OU Nessus didn’t find it… The IT team didn’t know it was there… It wasn’t discovered on past pentests… 🧵I found it almost immediately...
My goto AD pentesting resources (not in any order): PowerView (custom) PrivescCheck (custom) PingCastle (custom) Locksmith (custom) AppLocker Inspector ScriptSentry Spray-Passwords (custom) AMSI Bypasses (custom) CLM Bypasses (custom) ADeleg/ADeleginator NetTools Rubeus (custom) Certify (custom) PsMapExec Netexec Nmap Tailscale BloodHound/SharpHound
What security control do you think is the most underrated… and why?
šŸ‹ļøā€ā™‚ļøThe cybersecurity equivalent of doing half reps at the gym is implementing security controls just enough to say they exist but not enough for them to be effective. Examples: - MFA on some accounts, but not all - EDR installed, but not monitored - Weak passwords allowed, relying on MFA as a crutch - Firewalls with any-any rules - Patch management, but only for Windows - SIEM without proper logging - Backups that aren’t tested - User training that’s just a checkbox exercise What else am I missing? šŸ’Ŗ
Hard truths about Active Directory… - it’s older than most of the pentesters testing it - attackers know how to attack it as much as sysadmins know how to protect it - misconfigurations age like milk, not wine - once the domain is compromised, you’re basically looking at a rebuild - it was never built with today’s threats in mind
How to learn Active Directory security, the non-boring way… Step 1: Build a lab Step 2: Break the lab Step 3: Try to fix what you broke Step 4: Realize that’s exactly how attackers learn too Don’t let their lab be your environment. 💪
If you’re a windows server admin, IT admin, AD admin, help desk tech, or anything similar, you’re my people 🙏
You can do a lot to defend with the builtin windows firewall. Some things that come to mind are: - Block SMB between workstations - Block WMI/WinRM where not needed - Only allow inbound RDP from management VLANs or jump boxes to servers - Only allow remote management from specific approved hosts or networks The only cost here is time…
🧵 MEGA THREAD : Active Directory resources… Everything from wikis, to Microsoft training to 3rd party training, documentation, books, best practices and much more. All for free on Reddit…teddit.net/r/activedirectory…
Duct tape and zip ties… a staple in any sysadmin’s tool belt
to answer your question, yes, I did mount a $2000 access point with duct tape and zip ties
How can you gain a deeper understanding of Active Directory security? Study permissions, privileges, rights. - Privileged Accounts and Groups in Active Directory learn.microsoft.com/en-us/wi… - Active Directory Security Groups learn.microsoft.com/en-us/wi… - Access Control Overview learn.microsoft.com/en-us/wi…
98% of pentesters do not get Domain Admin on day 1. And they don’t know why. 🧵 Implement these tips if you want to dominate any domain you enter
In the last 3 years or so of internal pentesting I’ve never exploited a vuln that was found by Nessus
99% of vulnerabilities don’t matter
Don’t sleep on Protected Users group.... 1) it’s free 2) it disables NTLM and WDigest 3) it blocks delegation and can mitigate pass the ticket 4) four-hour max TGTs lifetime p.s. I know a guy that made a super cool tool to help with this... github.com/jakehildreth/Powe…
āŒ Security theatre: - Buying tools no one configures - Policies no one enforces - Dashboards no one reads āœ… Real security: - Hardening endpoints - Restricting access based on least privilege - Testing assumptions through security assessments - Closing the gaps attackers use to hurt your org