Dr Nestori Syynimaa :verified:

Senior Principal Security Researcher
@microsoft. Ex-Secureworks. (PhD, MSc, MEng, CITP, CCSK).
And yes, opinions are my own ;)
NOT ACTIVE HERE -> bsky.app/profile/drazuread.com

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-11-22

My talks from October at Microsoft BlueHat, Wild West Hackin' Fest, & Dell Technologies Forum Sweden available at aadinternals.com/talks/

Enjoy!

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-10-05

In this #Microsoft BlueHat talk I'll share some "by design" war stories from me and fellow researchers. The cases demonstrate a scale of different outcomes of "by design" rulings. The purpose is to foster dialogue between Microsoft Security Response Center (MSRC) and researchers to keep us all protected!
👉 microsoft.com/bluehat/

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-09-18

@cirriustech thanks!

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-09-09

#DEFCON31 recordings are out now!

Link to my talk & slides "From Feature to Weapon - Breaking Microsoft Teams and SharePoint Integrity" available at aadinternals.com/talks

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-19

The recording of my #DEFCON31 #ReconVillage talk "Azure AD OSINT" (applies also to Entra ID) is out now: youtube.com/watch?v=4NpT78zxZE

Slides 👉 aadinternals.com/talks/

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-18

My #TROOPERS talk on Dumping NTHashes from Azure AD (Entra ID) is out now!
youtube.com/watch?v=gT8t5A93qM

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-15

@jtig @defcon the second demo (replacing .aspx) works if custom scripts are allowed eirher tenant wide or per site.
learn.microsoft.com/en-us/shar

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-15

#AADInternals #DEFCON32 edition I demonstrated in my @defcon talk is now available on GitHub and #PowerShellGallery:
◾ Spoof SPO, Teams, and OneDrive files
◾ Tamper with existing files
◾ Nothing is logged

Change log available at: aadinternals.com/aadinternals/

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-13

Slides of my #DEFCON31 and #ReconVillage talks are available at aadinternals.com/talks/#2023

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-12

Confidentiality, availability, and integrity are the three principles of information security. Join my #DEFCON session today (at 12, Track 4) to learn how to break the integrity of #Microsoft #Teams and #SharePoint using built-in migration feature.
I'll demonstrate how a standard user can:
🔹Spoof documents and tamper with existing documents (without any log events)
🔹Perform XSS attacks to break confidentiality, EoP, etc.

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-08

Are you attending any of those great #AzureAD / #EntraID security related trainings today at #BHUS? Watch out, I might stop by to say hi! Also might bring some #AADInternals stickers 😉

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-08

@cybeej on Sat 2:25 pm

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-06

I'm in!

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-02

@jtig yes, ReconVillage will take care of that

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-08-02

Okay peeps, I'm talking next week at #DEFCON #ReconVillage about #AzureAD / #EntraID OSINT. Besides the most beautiful and informative slide deck, would you like to see recorded or live demos?

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-07-02

I recently spoke at T2 conference on Azure AD Denial-of-Service attacks. The talk was not recorded, so I decided to write a blog about it for those who couldn't attend.

Have fun!
aadinternals.com/post/dosingaa

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-06-29

#AADInternals
@WEareTROOPERS
edition OUT NOW at #PowerShell Gallery and GitHub!!

Thanks to
@_dirkjan
for WHfB research & inspiration,
@cnotin
for PR, and
Nevada Romsdahl
&
@nullg0re
&
@santasalojoosua
for helping with AADDS research!

Lots of new stuff:
🔹Export NTHashes from AzureAD 😱
🔹Command line based interactive login
🔹Automatic MFA with OTP
🔹TAP support
🔹Export PRT & Session key from CloudAP cache (with user credentials)
🔹Setting WHfB key
🔹Getting PRT & Session key with WHfB key
🔹PS 7 support 🤞

If/when you find any bugs, please let me know asap (Twitter, GitHub issue/PR, etc.)

Full changelog: aadinternals.com/aadinternals/

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-06-28

Slide deck of my
@WEareTROOPERS
talk "Dumping NTHashes from Azure AD" available at aadinternals.com/talks/#2023

TL;DR:
🔹Deploying Azure AD Domain Services (AADDS) makes Azure AD connect to sync legacy credentials (NTHashes) to Azure AD
🔹Credentials are stored in Azure AD in hidden user object attributes only accessible by "Azure AD Domain Services Sync" application
🔹Credentials are encrypted/decrypted using certificates stored in AADDS DC:s certificate store
🔹Dumping NTHashes requires compromising AADDS DC

Dr Nestori Syynimaa :verified: boosted:
Wild West Hackin' FestWWHackinFest@infosec.exchange
2023-04-08

The truth is out there... so are lies... but it's no lie that @DrAzureAD will be speaking at Deadwood 2023!

Grab your Deadwood 2023 in-person and virtual tickets here. → wildwesthackinfest.com/deadwoo

Dr Nestori Syynimaa :verified:DrAzureAD@infosec.exchange
2023-01-27

Seems that I may or may not present my "Azure Active Directory Token Theft and Manipulation Attacks" talk at RSA Conference in April 🤷‍♂️

#AlternativeSpeaker

Client Info

Server: https://mastodon.social
Version: 2025.04
Repository: https://github.com/cyevgeniy/lmst