Carrie Roberts //* (Updated 2/12/2020) ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential […]

With clients increasingly relying on cloud services from Azure, one of the technologies that has been my radar for a while is Azure AD. For those who have not had the opportunity to work with this, the concept is simple, by extending authentication beyond…

There have been some interesting new developments recently to abuse Kerberos in Active Directory, and after my dive into Kerberos across trusts a few months ago, this post is about a relatively unknown (from attackers perspective), but dangerous feature:…

Kerberos relaying and unconstrained delegation abuse toolkit - dirkjanm/krbrelayx

Combine a bug in Antidote, a popular enterprise spellchecker, and unsafe defaults in Active Directory, and you get more NTLM hashes than you can deal with.

Rubeus is a C# Kerberos abuse toolkit that started as a port of @gentilkiwi‘s Kekeo toolset and has continued to evolve since then. For…

Constrained Language Mode + AMSI bypass all in one - decoder-it/powershellveryless

Whether analyzing a Windows binary or assessing new data sources for detection engineering purposes, using lesser known tracing mechanisms…

Logging in with RunAs certificates is a great way for maintaining access in an Azure environment during a penetration test. See how we export the PFX files.

Last month, Elad Shamir released a phenomenal, in depth post on abusing resource-based constrained delegation (RBCD) in Active Directory…

CVE-2018–9022

Remote Command Execution as SYSTEM on Windows IoT Core (releases available for Python2.7 & Python3) - SafeBreach-Labs/SirepRAT

After my in-depth post last month about unconstrained delegation, this post will discuss a different type of Kerberos delegation: resource-based constrained delegation. The content in this post is based on Elad Shamir’s Kerberos research and combined with…

Learn about what MAQ is and beyond in our blog ennoscriptd MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings.

As red teamers regularly operating against mature organisations, we frequently come in to contact with a variety of Endpoint Detection & Response solutions. To better our chances of success in...

Extracting BitLocker keys sealed with a TPM by sniffing the LPC bus

Background On 2019-02-26 3:27am EST, I alerted Elastic to a reliable bypass for Winlogbeat. Thankfully, it is now fixed as of  6.6.2 I ...