你可能會喜歡
📢 BlueHat 2023: Applications to Attend are NOW OPEN! 📢 If you are interested in attending @MSFTBlueHat in Redmond, WA, USA, Feb 8-9, 2023, please submit your application here: forms.office.com/Pages/Response… (Applications close Jan 6, 2023)
forms.office.com
Microsoft Forms
Microsoft Forms
Noticed that the number of visits to these notes started growing even while they were WIP (yeah, I work in prod 😅), so here they are: ired.team/offensive-secu… Thank you for sharing @harmj0y @tifkin_ @topotam77 @ExAndroidDev , it's all beautiful!
It's been a while since our last thread and I need to kill time while a ginormous time travel trace file finishes copying, so let's talk a bit about LSA, the Windows Local Security Authority.
Automatic on-premises Exchange Server mitigation is now in Microsoft Defender Antivirus. We have taken this additional step to further support our customers who have not yet implemented the complete security update. Learn more: msft.it/6017VMA3d
The nmap script that tests for CVE-2021-26855 had false negatives with 301 and 302 redirects (typically federated auth). This was fixed yesterday. Latest version: github.com/microsoft/CSS-…
Run Exchange but are on an out-of-support Cumulative Update level and can't get updates for the March vulnerabilities? The Exchange team has delivered: techcommunity.microsoft.com/t5/exchange-te…
Also, there is a script to compare against files on the Exchange server it's run on: github.com/microsoft/CSS-…
Looking for hashes of known good Exchange files? Here are hashes from the Exchange team: github.com/microsoft/CSS-…
Providing alternative mitigation techniques to help Microsoft Exchange customers needing more time to patch deployments & are willing to make risk & service function trade-offs. These mitigations are not remediation & aren't full protection against attack. msrc-blog.microsoft.com/2021/03/05/mic…
Great team with broad scope! Come find bugs in one of the biggest suite of cloud services.
I'm forming 2 dev teams in our Microsoft Vancouver B.C. office! Team 1: privacy failure discovery in M365. Team 2: Application Security, find the worst bugs, dev to find them at scale. Hiring all levels and experience, including 2 managers. Apply here: aka.ms/MSVancouverSec…
The most expensive game of Tetris ever played 😆 I'm pretty sure this is why MSFT stock is down today...
I'm forming 2 dev teams in our Microsoft Vancouver B.C. office! Team 1: privacy failure discovery in M365. Team 2: Application Security, find the worst bugs, dev to find them at scale. Hiring all levels and experience, including 2 managers. Apply here: aka.ms/MSVancouverSec…
Critical new defenses for OAuth consent phishing: • ✅ Publisher verification [pic 1] • 📋 Customizable app consent policies [pic 2] • 🚷 Globally disallowing user consent to new multi-tenant apps from unverified publishers (on Nov 8) 👉🏼📰 Details: techcommunity.microsoft.com/t5/azure-activ…
![ItsReallyNick's tweet image. Critical new defenses for OAuth consent phishing:
• ✅ Publisher verification [pic 1]
• 📋 Customizable app consent policies [pic 2]
• 🚷 Globally disallowing user consent to new multi-tenant apps from unverified publishers (on Nov 8)
👉🏼📰 Details: techcommunity.microsoft.com/t5/azure-activ…](https://pbs.twimg.com/media/Ek3Ln5NXgAYfckU.png)
![ItsReallyNick's tweet image. Critical new defenses for OAuth consent phishing:
• ✅ Publisher verification [pic 1]
• 📋 Customizable app consent policies [pic 2]
• 🚷 Globally disallowing user consent to new multi-tenant apps from unverified publishers (on Nov 8)
👉🏼📰 Details: techcommunity.microsoft.com/t5/azure-activ…](https://pbs.twimg.com/media/Ek3O2UvWAAED2Of.png)
Found #Telerik vulnerable to CVE-2019-18935 on a customer's network and can't seem to get the file upload to work? Host the payload yourself using @secureauth impacket. @noperator @mwulftange @bao7uo @straight_blast @pwntester @olekmirosh #bugbountytips #pentest #exploit #redteam
Ever wanted to do reverse DNS lookups on an entire /16 range for free? Now you can! 😉 sonar.omnisint.io/reverse/95.138…
A post on generating SSO cookies on Azure AD machines (without having to know the password) posts.specterops.io/requesting-azu…
specterops.io
Requesting Azure AD Request Tokens | SpecterOps
Explore how RequestAADRefreshToken reveals OAuth 2.0 refresh tokens for Azure-AD-authenticated Windows users, enabling SSO authentication in browsers.
Yes, go patch Skype and Sharepoint server. Better yet, migrate to Microsoft 365 and Microsoft will patch for you!
SfB Server 2015/2019 and Lync Server 2013 all have Cumulative Updates out today for OAUTH Elevation of Privilege Vulnerability: portal.msrc.microsoft.com/en-US/security…
We discovered a 17-year-old vulnerability in all of Windows DNS Servers. SIGRed (CVE-2020-1350) is a wormable, critical vulnerability that can be used to achieve full Domain Administrator privileges. research.checkpoint.com/2020/resolving…
An older vulnerability write up about an XSS on the #AWS console which I responsibly disclosed to Amazon Hope its interesting for some who are getting started with #pentesting embracethered.com/blog/posts/202… Also AMZN now awards #bugbounties via Hackerone. Check it out! No aws though
Hardcoded secrets, unverified tokens, and other common JWT mistakes: @ermil0v shares what he learned from bug-hunting 2,000 npm modules: r2c.dev/blog/2020/hard…
United States 趨勢
- 1. Dolphins 32.8K posts
- 2. Ryan Rollins 9,397 posts
- 3. Ravens 47.7K posts
- 4. Lamar 44.2K posts
- 5. Mike McDaniel 3,612 posts
- 6. Derrick Henry 5,086 posts
- 7. Happy Halloween 131K posts
- 8. Achane 4,390 posts
- 9. #TNFonPrime 2,455 posts
- 10. Jackson 5 3,804 posts
- 11. Bucks 45.7K posts
- 12. Starks 2,785 posts
- 13. Mark Andrews 3,139 posts
- 14. Tulane 8,965 posts
- 15. #PhinsUp 4,276 posts
- 16. UTSA 3,068 posts
- 17. Giannis 23.2K posts
- 18. Ollie Gordon 2,509 posts
- 19. Kyle Hamilton 1,780 posts
- 20. Ware 5,730 posts
你可能會喜歡
-
Ale (pikacodes)
@pikacodes -
Joe Grand
@joegrand -
Daniel Cranney 🇬🇧
@danielcranney -
Objective-See Foundation
@objective_see -
David Weston (DWIZZZLE)
@dwizzzleMSFT -
Eduard Kovacs
@EduardKovacs -
Black Hills Information Security
@BHinfoSecurity -
GIAC Certifications
@CertifyGIAC -
Kanika Tolver
@KanikaTolver -
Snort 🐷
@snort -
Mike @ HTML All The Things 🇨🇦
@htmleverything -
Malware Patrol
@MalwarePatrol -
ς๏гєɭคภς0๔3г ([email protected])
@corelanc0d3r -
@[email protected]
@christruncer -
Lou Creemers
@lovelacecoding
Something went wrong.
Something went wrong.