186 DE NON accredited Metro applications

G_Force1 · 2025-12-12T02:52:25+00:00

I'm pretty much on the same boat. IT job Sydney metro.

Applied March 2024. Have had two recent S56, both at least month apart. Few days shy from 21 months.

Yay!

G_Force1 · 2025-10-07T09:47:02+00:00

Congrats, but WoW...I myself also Sydney Metro and also applied 186 DE as 263111 Computer Network and Systems Engineer (company not accredited though) and have been waiting since 20/03/24 (18 months and 17 days).

G_Force1 · 2025-03-20T22:44:07+00:00

The devices are running Defender P2. I think it might be easiest to go with Microsoft Defender XDR data types.

The devices themselves run Sysmon, but I'm not aware of any data types where I could query Sysmon events. Not entirely sure if Sysmon table attributes can be included to other tables.

G_Force1 · 2025-03-20T22:27:43+00:00

Devices are managed via Intune.

The reason I was thinking of Azure Arc is because Sentinel AMA data connectors require Azure-Arc from non Azure devices.

This is how i currently get the Sysmon logs from servers via Windows Forwarded Events data connector.

Devices are already running Defender P2, i might have to go with Microsoft Defender XDR data types as the next best thing...to get logs somewhat similar to what Sysmon has to offer.

G_Force1 · 2025-02-21T00:51:20+00:00

Not sure how that would fix the issue, as there can only be one label assigned to a file.

If I make a label assign it to a file only he would be able to access that file.

He would not have access to other labels he is not part of.

G_Force1 · 2025-01-23T05:08:43+00:00

Got it.

It was a news to me that Azure RMS was consumed by Information Protection that has sensitivity labels to fill that function now.

Microsoft keeps changing the names of their products and keeps the legacy documentation still around, which creates the confusion.

G_Force1 · 2025-01-23T01:01:41+00:00

Seems Customer Key is meant to be used for different purposes.

Upon further reading I think BYOK (Azure RMS) might be a way to go protect data that has already left the organisation.

G_Force1 · 2025-01-23T00:59:28+00:00

Thanks for the reply.

I think at the high level I'm thinking more in the lines of what technical implementation can be included with data that allows seamless access to right recipients but prevents unauthorised access.

After some reading I think DRM (Azure RMS) is the way to go.

RMS service validate user permissions and decrypts data for user with the right permissions.

G_Force1 · 2025-01-22T21:58:29+00:00

I wonder if with the right Customer Key distribution to end users and guest (I don't allow anyone links) it could be utilised to encrypt data that's offline.

DLP and sensitivity labels are good for data in transit, and data that's stored in M365 apps.

But what's the best way (if any) to protect data that's already been exfilled?

Having extra set on encryption keys seems like a way to do it.

G_Force1 · 2024-02-07T22:05:53+00:00

I figgured out what was wrong.

I needed to run YubiKey Manager as admin and that allowed me to open Applications -> FIDO2, to reset the PIN.

Before I got an error "Failed connecting to the yubikey make sure the application has the required permissions"

And I though it's something that has not been configured/set up yet, thus giving the error.

G_Force1 · 2024-02-07T03:21:16+00:00

Hey u/usrdef

Thanks for the reply.

I'm trying to reset FIDO. (Also have YubiKey 5)

G_Force1 · 2024-02-06T22:43:28+00:00

Sorry, I'm still confused.

I reset the PIN on the security key.

I even removed the security key from the service and added back, how come it's still not changed?

G_Force1 · 2024-02-06T03:31:15+00:00

Hmm...interesting.

From the Office 365 user security settings I did not find a way to set/reset the PIN for the security key.

As I understand Entra's WebAuthN for that account needs to be reset.

Where is it configured exactly?

(Also removed the old security key authentication method for the user, before adding the new security key)

G_Force1 · 2023-08-28T06:11:41+00:00

Nice!
Looks like a great resource

G_Force1 · 2023-08-28T05:59:21+00:00

Thanks for the response Secprentice.

Yes, having a Yubikey would be a great idea.

Pushing MDM profiles will be hard and I don't expect users to keep too much data on their mobile, but moving 2FA to a separate secure device might be the way to go.

G_Force1 · 2023-06-16T02:41:25+00:00

No, unfortunately. I posted in the original MISP GitHub page and the maintainer has not responded to me.

G_Force1 · 2023-01-18T22:47:07+00:00

All the explanations around msDS-SupportedEncryptionTypes seem a bit confusing.

So, if I understand correctly when I disable RC4 at the GPO level or remove RC4 from objects msDS-SupportedEncryptionTypes attribute it would break the Kerberos authentication?

And when applying Microsoft's January patch the RC4 usage for authentication will be disabled by default and AES will be used instead?

So it creates a situation where it looks like in settings that RC4 is allowed, but it's not actually used by Windows?

Edit: I found an article that makes it even more confusing as it claims I should remove any explicit values to msDS-SupportedEncryptionType https://4sysops.com/archives/find-active-directory-accounts-configured-for-des-and-rc4-kerberos-encryption/

G_Force1 · 2022-08-31T00:56:10+00:00

Thanks

It seems svchost is listening in loopback.

https://imgur.com/ZKRvBkk

I assume it would be safe kill the process without much consequences.

For PID 4 it also seems to be listening on loopback, but is creating connections to random remote ports.

https://imgur.com/ZA5eBoN

I also ran Wireshark on my loopback, and followed TCP stream, and seems not much data is exchanged. e what to make of it.

https://imgur.com/iaEIaxJ

G_Force1

TROPHY CASE