GeoffP
@thesleepyadmins.com
A sleepy admin with an interest in Azure / VMware / ConfigMgr / PowerShell and other bits. Opinions my own.
https://thesleepyadmins.com/
Reposted by GeoffP
PLEASE RP: WINDOWS SERVER 2025 ACTIVE DIRECTORY IMPROVEMENTS!

Windows Server 2025 AD has major improvements across the board with hardened defaults, new security features, new crypto, new forest and domain functional levels, and much more... Today let's discuss the 32k DB page size feature...
July 15, 2025 at 4:26 PM
Reposted by GeoffP
FREE Student Security Operations Center (SOC) Program Foundations training from Microsoft

Course available at: microsoft.github.io/SOC/source/c...
June 1, 2025 at 12:51 PM
Reposted by GeoffP
PLEASE RP: WINDOWS SERVER 2025 SECURITY LINKS...
Based on your queries, this thread is chock full of Windows Server links for you with a focus on security.

learn.microsoft.com/en-us/window...
What's new in Windows Server 2025
Learn about the features and enhancements in Windows Server 2025 that help to improve security, performance, and flexibility.
learn.microsoft.com
April 15, 2025 at 4:14 PM
Reposted by GeoffP
Threat hunters rejoice! This is HUUUGE news 👏

Microsoft just introduced linkable identifiers in Microsoft Entra ID logs.

The bad guys 🥷 are going to hate this so much 😂

Learn more at learn.microsoft.com/...

Share the good news 👍
April 1, 2025 at 3:55 AM
Reposted by GeoffP
Exciting news: Subnet peering is now available in all Azure regions!

This feature is accessible through the latest versions of:

- Azure CLI
- Bicep
- ARM Templates
- Terraform
- PowerShell

Portal support should be added soon

More details at techcommunity.microsoft.com/blog/azurene...
Subnet Peering | Microsoft Community Hub
The Basics: VNET Peering Virtual Networks in Azure can be connected through VNET Peering. Peered VNETs become one routing domain, meaning that the entire IP...
techcommunity.microsoft.com
March 28, 2025 at 7:49 PM
Reposted by GeoffP
Folks, I created these mindmaps to highlight the AMAZING ID Governance deployment guide that was just published by Microsoft.

You are going to want to bookmark this.

🧵👇
March 28, 2025 at 4:50 AM
Reposted by GeoffP
Export as Bicep is fully available today! 💪

Test it out yourself in the portal, instructions can be found here: learn.microsoft.com/en-us/azure/...
March 19, 2025 at 6:50 PM
Reposted by GeoffP
This is huge!!! We can now see the impact a policy would have had historically without ingesting sign in logs to Azure Monitor 🤯

There's a new Preview on CA policies that provides insights on a per-policy basis, and the way they implemented this is so elegant and fast. I love it! :)
March 13, 2025 at 4:02 PM
Reposted by GeoffP
All the #KQL queries from the book @rodtrent.bsky.social, Matthew Zorich & I wrote are available for free on the GitHub repo. github.com/KQLMSPress/d.... Please run these and fix what you find! If the book was helpful let us know & leave a review. We are buried behind all those "For Dummies" books
February 28, 2025 at 7:43 PM
Reposted by GeoffP
👋 We just sent out this week's Entra newsletter.

Read at entra.news/p/entra-n...
February 16, 2025 at 11:15 AM
Reposted by GeoffP
Had this saved in the WIP folder forever
KQL for anti-forensics activities

github.com/AttacktheSOC...

So much can be added to this. Think 3rd party tools to aid anti-forensics, browser forensics... too much to name
OMG, look at this😶updates to come! github.com/MikeHorn-git...
github.com
February 14, 2025 at 10:29 PM
Reposted by GeoffP
🚨 Time to check your detection queries for MDE:

DLL load events are recorded in DeviceImageLoadEvents table, NOT DeviceEvents table. I keep seeing people sharing queries with the wrong table and even with the wrong ActionType filters.
February 8, 2025 at 11:51 AM
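An added example (not code from the post above) showing a DLL-load hunt built on the table the post names, DeviceImageLoadEvents, rather than DeviceEvents. The first function only builds the KQL text and runs offline; the second submits it through the Microsoft Graph advanced hunting endpoint (POST security/runHuntingQuery) and assumes the Microsoft.Graph module is installed and a session was opened with Connect-MgGraph and the ThreatHunting.Read.All scope. The function names and the list of "suspicious" folders are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Builds a DLL-load hunting query
# against DeviceImageLoadEvents (the table that records image loads) and,
# optionally, submits it via the Graph advanced hunting endpoint.
# Assumed: Microsoft.Graph module, prior Connect-MgGraph -Scopes 'ThreatHunting.Read.All'.

function New-DllLoadHuntingQuery {
    [CmdletBinding()]
    param(
        [int] $LookbackDays = 7,
        # Illustrative: user-writable locations a legitimately installed DLL rarely lives in
        [string[]] $SuspiciousFolders = @('\AppData\Local\Temp\', '\Downloads\', '\Users\Public\')
    )

    # Render each folder as a KQL verbatim string (@"...") so backslashes need no escaping
    $folderList = ($SuspiciousFolders | ForEach-Object { '@"{0}"' -f $_ }) -join ', '

    # Single-quoted here-string: nothing is expanded by PowerShell; {0}/{1} are -f placeholders.
    $kql = @'
DeviceImageLoadEvents
| where Timestamp > ago({0}d)
// This table reports ActionType "ImageLoaded"; ActionType filters copied
// from DeviceEvents queries (ProcessCreated, FileCreated, ...) match nothing here.
| where ActionType == "ImageLoaded"
| where FileName endswith ".dll"
| where FolderPath has_any ({1})
// A System32 binary pulling a DLL out of a user-writable folder is worth a look
| where InitiatingProcessFolderPath startswith @"C:\Windows\System32\"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName
| order by Timestamp desc
'@

    return $kql -f $LookbackDays, $folderList
}

function Invoke-DllLoadHunt {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Query)

    # Graph v1.0 advanced hunting endpoint; body is {"Query": "<kql>"}.
    $body = @{ Query = $Query } | ConvertTo-Json
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body $body -ContentType 'application/json'

    # Invoke-MgGraphRequest returns a hashtable; the rows live under "results"
    return $resp.results
}

# Offline part: print the query so it can be pasted into the Advanced Hunting UI
$kql = New-DllLoadHuntingQuery -LookbackDays 3
Write-Host $kql

# Online part (needs a connected Graph session):
# Invoke-DllLoadHunt -Query $kql | Format-Table DeviceName, FileName, FolderPath, InitiatingProcessFileName
```

The point of splitting query construction from submission is that the KQL is reviewable on its own: if a shared query names DeviceEvents, or filters on an ActionType that DeviceImageLoadEvents never emits, it will return nothing and the detection silently fails.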
Reposted by GeoffP
✳️ Quick heads up.

Microsoft just dropped a bunch of new least privilege Graph permissions.

Avoid granting super privileges like Directory.ReadWrite.All and User.ReadWrite.All to apps. Instead use these new least privilege permissions where possible.
February 5, 2025 at 10:41 AM
Reposted by GeoffP
#pwsh tip of the day! You can throw your own custom exceptions in PowerShell by creating a class that inherits from System.Exception.

If you don't do much with classes, this is a pretty friendly way to ease into them. Check the gist linked for a quick sample.

Happy Scripting!
Create a PowerShell Custom Exception class
Create a PowerShell Custom Exception class. GitHub Gist: instantly share code, notes, and snippets.
gist.github.com
February 4, 2025 at 5:25 PM
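An added example (not the gist linked in the post) of a custom exception class that inherits from System.Exception, thrown from a function and caught with a typed catch. The class name PolicyViolationException, the Test-PasswordPolicy function and the sample accounts are all constructed for illustration.

```powershell
# Added example, not the linked gist. A custom exception that carries structured
# context (which policy, which subject) so callers branch on the type rather
# than parsing message text. All names here are assumed for the example.

class PolicyViolationException : System.Exception {
    [string] $PolicyName
    [string] $Subject

    # Chain to the base constructor so .Message is populated like any other exception
    PolicyViolationException([string] $policyName, [string] $subject, [string] $message) : base($message) {
        $this.PolicyName = $policyName
        $this.Subject    = $subject
    }
}

function Test-PasswordPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [int]    $MinimumLength,
        [Parameter(Mandatory)] [int]    $ActualLength
    )
    if ($ActualLength -lt $MinimumLength) {
        throw [PolicyViolationException]::new(
            'MinimumPasswordLength',
            $UserName,
            "Password for '$UserName' is $ActualLength characters; policy requires $MinimumLength.")
    }
    return $true
}

# Constructed input: one compliant and one non-compliant account
$accounts = @(
    [pscustomobject]@{ UserName = 'svc-backup'; ActualLength = 20 }
    [pscustomobject]@{ UserName = 'jdoe';       ActualLength = 6  }
)

foreach ($acct in $accounts) {
    try {
        Test-PasswordPolicy -UserName $acct.UserName -MinimumLength 14 -ActualLength $acct.ActualLength | Out-Null
        Write-Host "$($acct.UserName): compliant"
    }
    catch [PolicyViolationException] {
        # Typed catch: only our exception lands here; anything else keeps propagating
        $e = $_.Exception
        Write-Warning "$($e.PolicyName) violated by $($e.Subject): $($e.Message)"
    }
}
```

The typed catch is the payoff: a generic `catch` would also swallow parameter-binding or runtime errors, while `catch [PolicyViolationException]` handles only the condition you defined and lets real faults surface.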
Reposted by GeoffP
I think the most common misunderstanding of Conditional Access is its relationship to authentication, and this results in not understanding how the rest of the controls actually work

Conditional Access performs authorization by evaluating tokens from the authentication service
January 24, 2025 at 11:12 PM
Reposted by GeoffP
The power of combining two PowerShell modules, PSBluesky and PoshTaskbarItem:

github.com/jdhitsolutio...

The icon shows the number of unread notifications as a badge. If you click the icon the notifications page will be opened by your browser.

Please Like ♥️ this post to test if it really works😁!
January 23, 2025 at 12:55 PM
Reposted by GeoffP
#100DaysOfKQL

Day 6 - Files Potentially Holding Sensitive Information (MDE)

Query in the same spirit as the one shared on Day 4, but based on file events! Fast tracked it following @nathanmcnulty.com comment on Twitter yesterday! 😂

SharePoint/OneDrive next?👀

github.com/SecurityAura...
github.com
January 7, 2025 at 2:25 AM
Reposted by GeoffP
Unfortunately, that was only a matter of time!

This video combines two of the most dangerous tools at the moment associated with phishing - and it's surprisingly simple!
www.youtube.com/watch?v=Dp1z...

Do we have defense options? Read on 👇
TokenSmith Meets Evilginx: Token Theft Combined with Entra Conditional Access Bypass
YouTube video by SYNACK Time
www.youtube.com
January 17, 2025 at 7:21 AM
Reposted by GeoffP
The next in my #Kubernetes #Security fundamentals video series is up now.

This time I'm looking at how service account authentication works in Kubernetes, with some hopefully interesting details on how bound service account tokens work.

youtu.be/jTswj4CS4IA?...
Kubernetes Security Fundamentals: Authentication - Part 3
YouTube video by Datadog
youtu.be
January 14, 2025 at 5:38 PM
Reposted by GeoffP
👀 MSOnline PowerShell will retire (and stop working) between early April 2025 and late May 2025.

AzureAD PowerShell will no longer be supported after March 30, 2025, but its retirement will happen after July 1, 2025.
Action required: MSOnline and AzureAD PowerShell retirement - 2025 info and resources | Microsoft Community Hub
As announced in Microsoft Entra change announcements and prior blog updates, the MSOnline and Microsoft AzureAD PowerShell modules...
techcommunity.microsoft.com
January 13, 2025 at 9:31 PM
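An added example (not from the linked announcement) for finding what still depends on the retiring modules: it uses the PowerShell parser to walk a script's AST and report every MSOnline or AzureAD cmdlet and Import-Module call, with line numbers, so the scripts can be ported before they stop working. The function name and the sample script are constructed for illustration.

```powershell
# Added example, not from the linked announcement. Finds MSOnline / AzureAD
# usage in script text via the PowerShell AST (tokens and regex on raw text
# miss commands hidden in nested script blocks). Function name and sample
# script are assumptions for the example.

function Find-RetiredEntraCmdlet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $ScriptText,
        [string] $Path = '<inline>'
    )
    process {
        $tokens = $null; $errors = $null
        $ast = [System.Management.Automation.Language.Parser]::ParseInput($ScriptText, [ref] $tokens, [ref] $errors)

        # Every command invocation, including inside functions, pipelines and script blocks
        $commands = $ast.FindAll({ param($n) $n -is [System.Management.Automation.Language.CommandAst] }, $true)

        foreach ($cmd in $commands) {
            $name = $cmd.GetCommandName()
            if (-not $name) { continue }   # e.g. "& $someVariable": name not known statically

            $module = $null
            if     ($name -match '^[A-Za-z]+-Msol')    { $module = 'MSOnline' }
            elseif ($name -match '^[A-Za-z]+-AzureAD') { $module = 'AzureAD' }
            elseif ($name -eq 'Import-Module' -and $cmd.CommandElements.Count -gt 1) {
                # First positional argument of Import-Module, quotes stripped
                $arg = $cmd.CommandElements[1].Extent.Text.Trim("'`"")
                if ($arg -in 'MSOnline', 'AzureAD', 'AzureADPreview') { $module = $arg }
            }

            if ($module) {
                [pscustomobject]@{
                    Path    = $Path
                    Line    = $cmd.Extent.StartLineNumber
                    Command = $name
                    Module  = $module
                }
            }
        }
    }
}

# Constructed sample: mixes retired cmdlets with an already-migrated Graph call
$sample = @'
Import-Module MSOnline
Connect-MsolService
$users = Get-MsolUser -All | Where-Object { -not $_.StrongAuthenticationMethods }
Connect-AzureAD
Get-AzureADUser -Top 10 | Select-Object DisplayName
Get-MgUser -Top 10   # Microsoft Graph PowerShell: should not be flagged
'@

Find-RetiredEntraCmdlet -ScriptText $sample -Path 'sample.ps1' |
    Format-Table Path, Line, Command, Module

# Scan a real script tree:
# Get-ChildItem -Path C:\Scripts -Recurse -Filter *.ps1 |
#     ForEach-Object { Find-RetiredEntraCmdlet -ScriptText (Get-Content $_.FullName -Raw) -Path $_.FullName }
```

Running this against scheduled tasks, runbooks and CI pipelines before the retirement dates gives a concrete list of calls to port to Microsoft Graph PowerShell, rather than discovering them when an automation silently fails after the module stops working.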