Dr. Nestori Syynimaa

@DrAzureAD

18,801
Followers
1,798
Following
1,403
Media
5,080
Statuses

Principal Identity Security Researcher at Microsoft. Ex-Secureworks. (MSc, MEng, PhD, CITP, CCSK). And yes, opinions are my own ;)

Tampere, Finland
Joined April 2013
Pinned Tweet
@DrAzureAD
Dr. Nestori Syynimaa
4 years
#AADInternals Azure AD & Microsoft 365 kill chain shows how different attacker roles can get access to #AzureAD and #Microsoft365. Pro tips:
1. Use MFA!
2. Avoid inviting unnecessary guests
3. Minimize # of Global Admins
4. Protect your on-prem servers
7
180
516
@DrAzureAD
Dr. Nestori Syynimaa
11 months
I have questions..
81
208
2K
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Okay, I just read JDs "scientific" paper. TL;DR "CitizenLab has not shared all evidence publicly, so their research is fake." According to JD, one needs to be at least a PhD student to be able to "asses" his research. So here we go.
18
136
889
@DrAzureAD
Dr. Nestori Syynimaa
3 years
This @Secureworks report reveals various APIs that allowed unauthorized access to internal information of any Azure AD tenant. 1/4
10
338
911
@DrAzureAD
Dr. Nestori Syynimaa
2 years
I've been studying @MITREattack Defender (MAD) skills for the last two weeks. I've learned so much about the ATT&CK and passed all three available exams. I recommend this to all working on #cybersecurity / #informationsecurity .
13
137
668
@DrAzureAD
Dr. Nestori Syynimaa
2 years
🚨As of today, I'll be retiring my good old blog at All new #AADInternals related content will be published at (the old content is already there)
8
141
645
@DrAzureAD
Dr. Nestori Syynimaa
11 months
Big news on the work front! Today is my last day at @Secureworks , and I’d like to thank you for the opportunity to work with such fantastic people to make the world safer! My journey continues in January with #Microsoft as a Principal Identity Security Researcher. I’ll be working
87
27
594
@DrAzureAD
Dr. Nestori Syynimaa
4 years
Got my first #bugbounty ever from a thing I recently found and reported to @msftsecresponse !
45
20
572
@DrAzureAD
Dr. Nestori Syynimaa
2 years
To celebrate my new #AADInternals blog, I also published an online OSINT tool at It allows to get tenant information using:
* Tenant ID
* Domain name
* Email/UPN

The domain list includes links to ease the gathering of further information. Enjoy!
13
170
514
@DrAzureAD
Dr. Nestori Syynimaa
8 months
This hurts in so many levels..
11
15
493
@DrAzureAD
Dr. Nestori Syynimaa
9 months
First day at Microsoft!!
37
2
438
@DrAzureAD
Dr. Nestori Syynimaa
3 years
Just got my first block ever! From a known #infosec fraud I blocked months ago. If you see any Azure related bs from him, just ping me.
31
28
427
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Yet another reason to block #AzureAD directory sync soft match. And while you're doing that, block the takeover through hard match too. You DO NOT need those features for anything!
@SemperisTech
Semperis
2 years
#AzureAD admins, beware: #Cyberattackers can use SMTP matching to obtain privileged access via eligible role assignments. In this post by @SemperisTech Security Researchers Sapir Federovsky and Tomer Nahum, learn how- and how to stop them.
0
80
171
8
129
404
@DrAzureAD
Dr. Nestori Syynimaa
3 years
New #AADInternals version and related blog post (with multicolor arrows) out now! "Stealing and faking Azure AD device identities": Credits to @gentilkiwi / #Mimikatz ! #infosec #redteam #blueteam
13
185
402
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Apparently Microsoft has improved their documentation massively.
11
33
388
@DrAzureAD
Dr. Nestori Syynimaa
3 years
Time to switch off Twitter for Christmas and two-week vacation! In Jan, if I have 5000 followers, I’ll publish a new version of #AADInternals:
* Export certs of #AzureAD joined PCs 😈
* Join PCs to AAD with fake certs generated with AADInternals 🔥

#blueteam #redteam #infosec
3
75
373
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Slidedeck of my @WEareTROOPERS / #TROOPERS22 presentation, "Eight ways to compromise AD FS certificates", now available at Credits to @CyberArk @BakedSec @doughsec @detectdotdev @nullg0re & @0xZDH
9
150
359
@DrAzureAD
Dr. Nestori Syynimaa
2 months
Note to that d*ckhead who has been using to monitor people's Teams availability:
1️⃣ I'm paying for all the computing resources by myself - making over 200k requests in two months is not what the service is made for 🤦‍♂️
2️⃣ Username requests are now throttled
14
37
352
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Just learned that Microsoft decided to add a new log source last month while I was suffering flu: 🔥 #MicrosoftGraphActivityLogs 🔥 This is easily the most important security feature for years!! Hoping to get this in Preview/Production soon so we can catch those baddies faster
15
102
346
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Holy s**t. My @NorthSec_io workshop on #AzureAD tokens has been viewed almost nine HUNDRED times in a week 😳 Thank you so much for all the viewers 🙏For those who haven't seen that yet, the slide deck and link to the stream are available at
8
51
338
@DrAzureAD
Dr. Nestori Syynimaa
4 years
CISO: "We have #Azure #Sentinel so we can detect #Microsoft365 attacks almost real-time" Attacker, half second after breaching the tenant:
8
74
336
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Recording of my and @SravanAkkaram 's @BlackHatEvents #BHASIA talk "Abusing Azure Active Directory" is out now! Slide deck and link to YouTube at
4
97
332
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Yet another step closer to full vacation mode: ✅ Update If you give an existing user name, it will now show user's AAD ObjectId and Teams status (if available) 🔥 Nice way to check whether your favourite MS employee is online 😁 Have fun!
8
83
331
@DrAzureAD
Dr. Nestori Syynimaa
2 years
A good reminder that if you allow users to access #Microsoft365 / #AzureAD from un-managed devices, there is nothing under your control that can protect their identities. This includes MFA and FIDO2.
@mrd0x
mr.d0x
2 years
Stealing Access Tokens From Office Desktop Applications
9
277
818
7
81
300
@DrAzureAD
Dr. Nestori Syynimaa
1 year
I've now completed my Master's studies at @JAMK_fi and will soon graduate as MEng in Cyber Security😎 My thesis "Defending Azure Active Directory: Pass-Through Authentication Attacks and Countermeasures" is published today and is available for download:
19
58
292
@DrAzureAD
Dr. Nestori Syynimaa
3 years
New version of #AADInternals out now, including remote dumping of #ADFS configuration database🔥 Read the blog at: Credits to @vesat , @doughsec , @BakedSec , @_dirkjan , @gentilkiwi , @MGrafnetter , and @Cyb3rWard0g for your help and previous work!
6
136
276
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Slide deck of my @WEareTROOPERS talk "Dumping NTHashes from Azure AD" available at TL;DR:
🔹 Deploying Azure AD Domain Services (AADDS) makes Azure AD connect to sync legacy credentials (NTHashes) to Azure AD
🔹 Credentials are stored in Azure AD in
8
127
275
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Finally, a new version of #AADInternals is almost ready to be published! I demoed this already at @WEareTROOPERS / #TROOPERS22 in June, but it took some time to solve a couple of wicked problems. Stay tuned!
3
70
266
@DrAzureAD
Dr. Nestori Syynimaa
1 year
20
14
263
@DrAzureAD
Dr. Nestori Syynimaa
1 year
For no reason at all, I recently bought a new domain name:
14
9
258
@DrAzureAD
Dr. Nestori Syynimaa
1 year
A gentle reminder of two free online tools I'm providing for the community:
🔹 - Openly available information about the given Azure AD (Entra ID) tenant or user
🔹 - One free custom domain for your Azure AD (Entra ID) tenant
3
81
253
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Me spending time with normal people during Juhannus
6
19
242
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Had some fun last weekend with dumping NTHashes from #AzureAD / #EntraID
◾ I can now force AADConnect to use my certificate to encrypt Windows legacy credentials 😈
◾ Forcing full password hash sync on AzureAD Connect syncs all NTHashes encrypted with my certificate 😱

Not a
4
67
242
@DrAzureAD
Dr. Nestori Syynimaa
3 years
As requested by the #infosec community, all my talks from the 2021 are available at I've included slide decks for all presentations and recordings when available. Enjoy! #AADInternals #redteam #blueteam
3
56
234
@DrAzureAD
Dr. Nestori Syynimaa
2 years
In my recent blog, I'll show how to exploit PTA vulnerabilities @Secureworks reported last week: I created scripts that will automatically configure attacker's PTA server to use certificate of compromised PTA agent. Credits to @_xpn_ & @Cyb3rWard0g
4
104
232
@DrAzureAD
Dr. Nestori Syynimaa
4 years
Fixed #AADInternals : dumping the #Azure #AD Connect credentials works again! Read my blog at to learn about my journey to #DPAPI ! Credits to @harmj0y @gentilkiwi @MGrafnetter and @_dirkjan
1
109
227
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Microsoft just announced a new Azure AD preview feature: "multi-tenant organization" Looking forward to more content to my "Consequences of Trust in Azure AD" talk 😁
7
68
228
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Then to the famous APA formatting. It is indeed hard to follow them, because APA formatting was not used properly. Also, you shouldn't mix APA and footnotes. To learn how to use APA format, JD could start by reading this quick guide:
3
9
214
@DrAzureAD
Dr. Nestori Syynimaa
2 years
The next versions of #AADInternals will include functionality to exploit some of the latest issues I've reported to @msftsecresponse and ruled as "by-design".
10
49
219
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Recording & slides of my today's talk "Deep-dive to Azure AD join" at #GlobalAzure 2022 available at
* What happens under-the-hood during AAD Join 🤓
* How to steal device identity 😬
* How to fake device identity 😉
3
73
218
@DrAzureAD
Dr. Nestori Syynimaa
1 year
The recording of my @defcon @ReconVillage talk "Azure AD OSINT" (applies also to Entra ID) is out now: Slides 👉
2
82
215
@DrAzureAD
Dr. Nestori Syynimaa
1 year
#AADInternals @WEareTROOPERS edition OUT NOW at #PowerShell Gallery and GitHub!! Thanks to @_dirkjan for WHfB research & inspiration, @cnotin for PR, and @nevadaromsdahl & @nullg0re & @SantasaloJoosua for helping with AADDS research! Lots of new stuff: 🔹Export NTHashes from
5
69
218
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Finally, the conclusions should be based on (scientific) evidence, not opinions.
9
5
210
@DrAzureAD
Dr. Nestori Syynimaa
2 years
@Secureworks just released a threat analysis regarding flaws our team found in #AzureAD Pass-through Authentication (PTA). The flaws allow threat actors to:
* Gather credentials
* Login with invalid credentials
* Conduct DoS attacks

1/3
4
87
211
@DrAzureAD
Dr. Nestori Syynimaa
2 years
My new blog post on getting plaintext gMSA secrets available at Credits to @PyroTek3 , @MGrafnetter , @_nwodtuhs , and Andrew Mayo!
0
67
209
@DrAzureAD
Dr. Nestori Syynimaa
10 months
Yay, just two more weeks before joining Microsoft Security Research!
14
4
210
@DrAzureAD
Dr. Nestori Syynimaa
4 years
OMG, I received @MVPAward for Enterprise Mobility (Identity and Access)🤯🎉 A BIG thanks @samilaiho for the nomination! The BIGGEST thanks goes to the #infosec community for attending my conference sessions and downloading & using #AADInternals ! #MVPBuzz
32
2
196
@DrAzureAD
Dr. Nestori Syynimaa
2 years
The paper contains a lot of claims without any backing evidence. For instance, in "Author Overview":
4
11
190
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Finally, the new #AADInternals version is available at @ThePSGallery and #GitHub 🔥 Highlights:
* Decrypt ESTSAUTHPERSISTENT cookie (thanks @SantasaloJoosua!)
* New Teams functions
* Modify directory synchronisation features
* Get tenant information (resolve tenantid to name)
5
49
186
@DrAzureAD
Dr. Nestori Syynimaa
2 years
The analysis and conclusions of the "False Positives" experiment show a lack of basic statistical skills. For instance, what is the likelihood that a phone of a Catalan politician is similar to the one of a random person from Nigeria? According to JD, 100%.
6
8
178
@DrAzureAD
Dr. Nestori Syynimaa
10 months
Thanks to all for the congratulations last week for my new position at Microsoft. I haven't got time to answer all the questions individually, so here are the top three!
1️⃣ No, I can't change the name back to #AzureAD
2⃣ I don't know what happens to #AADInternals development
3⃣
33
13
184
@DrAzureAD
Dr. Nestori Syynimaa
1 year
New azure-blue family member has arrived! Should I claim the price of new vanity plates from Microsoft due to #AzureAD re-branding 🤔
19
6
181
@DrAzureAD
Dr. Nestori Syynimaa
1 year
@mikko @Windows Yeah, that is crazy. Had to try my CableGUi! from 2000, and it worked like a charm on Windows Server 2019!
4
3
175
@DrAzureAD
Dr. Nestori Syynimaa
2 years
A "good" example of gaining initial access to cloud by using #AADInternals to export Azure AD Connect credentials. To prevent:
▪️ Treat all hybrid components as Tier-0!
▪️ If you have used DirSync for synchronisation, make sure the sync account doesn't have "Global
5
51
177
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Finalising slide deck for my @WEareTROOPERS / #TROOPERS22 presentation "Eight ways to compromise AD FS certificates". Can't wait to share the #ADFS attack graph details next week!! #GoldenSAML #redteam #blueteam #cybersec #infosec
3
37
178
@DrAzureAD
Dr. Nestori Syynimaa
4 years
Found out that #Microsoft #Teams policies are ONLY applied on the client🤦‍♂️and can be bypassed:
1. Use #AADInternals Teams functions 🔥 (edit and delete messages)
2. Lie to the Teams client😂(bypass messaging, meetings, and cloud storage policies)

👉
3
65
170
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Finally, the official #AADInternals logo is here! Stickers ordered, and the first chance to get one for yourself is at #TROOPERS conference 👉
14
21
171
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Hey @samilaiho , look what DHL just dropped! Now I'm fully geared for @BlackHatEvents #BHASIA 😁
9
10
165
@DrAzureAD
Dr. Nestori Syynimaa
2 years
🚨 Do NOT blindly copy-paste KQL from the internet: Malicious Kusto query allows attacker to collect access tokens and use them to query information as victims.. And yes, this is by-design 🤦‍♂️
@SantasaloJoosua
Joosua Santasalo-Cloud Security MVP - MSRC MVR
2 years
Introducing new attack vector in Azure environments - Injecting malicious Kusto queries -💡Thanks to @DrAzureAD for brainstorming with me for ingenious attack paths this new vector enables. ✅ thx to @msftsecresponse for verifying my blog post
6
141
368
3
49
167
@DrAzureAD
Dr. Nestori Syynimaa
2 years
New version of #AADInternals out now!
* Export Teams and Azure CLI cookies
* Get tenant domain name with tenant id
* Get AD FS relaying trust parties during recon
* Add members to SPO site

Credits to @HarriJaakkonen, @NoUselessTech, and @sapirxfed
3
42
164
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Slides from my "Attacking Azure Active Directory Under-The-Radar" talk at @BsidesORL from this morning are available at
4
50
162
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Guys with a mission: "Admin rights are not human rights" - @samilaiho
6
13
163
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Slide deck of our briefing now available at
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Me and @SravanAkkaram will share tomorrow his findings on abusing #AzureAD & lessons learned on working with @msftsecresponse ! Join us at 1:30PM on the mainstage @BlackHatEvents #BHAsia
3
7
57
3
54
159
@DrAzureAD
Dr. Nestori Syynimaa
3 years
Did you know that local admin can export AD FS Hybrid Health Agent secret and create fake Azure AD sign-in events? 😈 Read my blog "Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent" to learn more & how to do it with #AADInternals 🔥
3
53
158
@DrAzureAD
Dr. Nestori Syynimaa
2 years
New #AADInternals version out now!
* Updated Teams token export to support the new SQLite db schema
* Added functionality to export Token Broker tokens (credits to @_xpn_)
* Made AADInternals token cache less restrictive to ease using exported tokens
2
50
155
@DrAzureAD
Dr. Nestori Syynimaa
27 days
Working on splitting #AADInternals into two modules:
1⃣ AADInternals for the cloud-only functionality
2⃣ AADInternals-Endpoints for all the shady on-prem stuff

Stay tuned!
@DrAzureAD
Dr. Nestori Syynimaa
3 months
During the past couple of months I've received a lot of comments that various #AADInternals files have been flagged malicious:
▪️ PTASpy.ps1 & PTASpy.dll (Trojan)
▪️ Win32Ntv.dll (Backdoor)
▪️ AADInternals.png (Trojan)

All of these files are used to do/access things on local
1
0
8
3
25
158
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Slides from my @identitysummit workshop "Azure AD Security Testing with #AADInternals " available at Thanks to @melanieeibl @Thomas_Live @GregorReimling and @renedelamotte for organising the summit 🔥
2
48
153
@DrAzureAD
Dr. Nestori Syynimaa
2 months
Good reminder to check whether Seamless SSO is enabled for your tenant (as you probably don't need it anymore)! Easiest way is to type your domain name to tool
@DeanOfCyber
Tarek
2 months
New tool added to the arsenal to use with @DrAzureAD 's AADInternals or @_dirkjan 's ROADtools
0
1
10
3
20
155
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Woot woot, this week #AADInternals passed the 50k downloads mark at PowerShell Gallery🎉 🙏Thanks to the community for using the tool I've put so much effort into ❤
9
18
152
@DrAzureAD
Dr. Nestori Syynimaa
9 months
The latest (and the last for now) #AADInternals version is now available at PowerShell Gallery and GitHub! Change log:
4
24
150
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Third "by design" of the season! TL;DR: I found a way to perform Nmap style port scans using Microsoft infrastructure 😁 Stay tuned for the details!
5
14
149
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Last hacks before operation, a correct hip market, so all good for some💉&🪚! See you on the otherside peeps!
30
0
145
@DrAzureAD
Dr. Nestori Syynimaa
2 years
In "False Positives" experiment, it was claimed to include people from 9 different countries, but in the table there were only 8 (two from Nigeria).
2
4
140
@DrAzureAD
Dr. Nestori Syynimaa
4 years
New version of #AADInternals out now:
• Play with PRT's 🔥
• Join imaginary devices to Azure AD 🧙‍♂️

Read the blog to learn more: 👉 #Microsoft #AzureAD #infosec #security #identity #MFA #redteam Credits to @_dirkjan @tifkin_ @rubin_mor @gentilkiwi
3
72
145
@DrAzureAD
Dr. Nestori Syynimaa
9 months
Brushing using hotel Wi-Fi. Am I doing this right @UK_Daniel_Card ?
19
5
140
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Wrote a blog with @SravanAkkaram on "Bypassing #AzureAD home tenant #MFA & CA". TL;DR:
▪ Home tenant admins CAN'T enforce home tenant CA if users login directly to resource tenant
▪ User's tenant information can be viewed by logging in to resource tenant
9
57
141
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Hip joint 2.0 successfully installed in production, now some rest before final acceptance testing. Thank you all for the support ❤️
17
1
137
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Slides of my Recon Village talk available at
@DrAzureAD
Dr. Nestori Syynimaa
1 year
1
4
25
2
58
137
@DrAzureAD
Dr. Nestori Syynimaa
10 months
Abusing #AzureAD / #EntraID Domain Services part 2 from @Secureworks is out now: Dumping NTHashes from Microsoft Entra ID
@Secureworks
Secureworks
10 months
Secureworks has discovered that stored Microsoft Entra ID NTHashes can be recovered and decrypted & then used in pass-the-hash attacks. Read our latest Threat Analysis to discover how this happens & how to detect it. #azure #cybersecurity
0
30
74
3
56
134
@DrAzureAD
Dr. Nestori Syynimaa
6 months
@SamErde
Sam Erde
6 months
I was all about renaming Azure AD to Entra ID, but this...I kinda hope "on-premises Microsoft Entra ID" is either a mistake or a joke! 😂🔥 @brdpoker
20
12
144
11
19
136
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Slides of my #DEFCON31 talk available at
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Confidentiality, availability, and integrity are the three principles of information security. Join my @defcon session today (at 12, Track 4) to learn how to break the integrity of #Microsoft #Teams and #SharePoint using built-in migration feature. I'll demonstrate how a
2
13
53
2
45
132
@DrAzureAD
Dr. Nestori Syynimaa
2 years
Woot woot, MVP renewed 🎉🎉
18
2
134
@DrAzureAD
Dr. Nestori Syynimaa
1 year
Me tonight having fun in the hotel bar in 🇪🇸 #MVPBuzz
11
0
131
@DrAzureAD
Dr. Nestori Syynimaa
7 months
Thought of the day: I hate ADFS.
14
6
128
@DrAzureAD
Dr. Nestori Syynimaa
2 years
So proud I made it to @msftsecresponse MSRC 2022 top 100 Most Valuable Researchers list for the second year in a row! Congratz to all researchers for your great work during the last year!!
14
7
125
@DrAzureAD
Dr. Nestori Syynimaa
2 years
My colleague @0xZDH from @Secureworks created a post-exploitation tool to play around with #AzureAD #FOCI tokens 🔥 Available at: Shout out to @detectdotdev for the original research!
1
46
125
@DrAzureAD
Dr. Nestori Syynimaa
11 months
The end of the year is getting closer 👀
9
9
121
@DrAzureAD
Dr. Nestori Syynimaa
2 years
New hunting tool that dumps Azure AD user activity!
@sapirxfed
sapir federovsky
2 years
Hi 🙂 Wanted to share my new tool which creates a report for Azure user activity . this is an initial version, feedback would be appreciated!
9
48
244
1
27
118
@DrAzureAD
Dr. Nestori Syynimaa
3 years
Gentle reminder for all #Office365, #Microsoft365, #AzureAD trainers, students, admins, red&blue teamers, hackers, and alike: You can have a free custom domain for your tenant at Have fun!
2
30
120
@DrAzureAD
Dr. Nestori Syynimaa
1 year
While fixing issues some mother f***er caused by DoS:ing #AADInternals OSINT service, I added new features:
◾ Is tenant using Azure AD Connect cloud sync instead/alongside Azure AD Connect sync
◾ Added tenant brand (used to be tenant name)
◾ Tenant name is now
3
19
118
@DrAzureAD
Dr. Nestori Syynimaa
2 years
TIL that my #MVP category is finally changed from "Enterprise Mobility" to "Security" 😎 #MVPBuzz
10
2
117
@DrAzureAD
Dr. Nestori Syynimaa
2 years
To celebrate my 12000 Twitter followers 🎉, I decided to publish a blog about an EoP technique I use in #AADInternals 😊 TL;DR: Local admin can run any service as gMSA just by adding gMSA account name to ObjectName property of the service in registry😈
1
43
115
@DrAzureAD
Dr. Nestori Syynimaa
3 years
My second #bugbounty ever, again from @msftsecurity . Don't agree with the severity and impact, but glad that this time it was taken seriously after the first submission. Write-up will follow as soon as the fix is made.
13
2
113
@DrAzureAD
Dr. Nestori Syynimaa
3 months
I just pushed a new version of #AADInternals (0.9.4) to github & #PowerShellGallery

Added support for:
▪️ Subregions (commercial, DOD, GCC High)
▪️ Federated sign-in (AD FS only)
▪️ Saving MSGraph tokens directly to "Microsoft Graph PowerShell SDK" cache

Removed:
▪️ PTASpy.ps1 &
7
28
112
@DrAzureAD
Dr. Nestori Syynimaa
3 years
#AADInternals is best known for its offensive/red team tools 😈 However, there are also a lot of goodies for day-to-day administration tasks too 🛠️! Read the blog to learn more 👇 Credits to @12Knocksinna for his self-service purchase article!
1
40
112