Understanding how Kerberos works, but also WHY it works the way it does

SeImpersonate is a powerful privilege that allows the ability to impersonate any token it can acquire a handle on. This is an already well researched privilege as there are a whole slew of privilege escalations that utilize this privilege and amazing articles…

When it comes to protecting against credentials theft on Windows, enabling LSA Protection (a.k.a. RunAsPPL) on LSASS may be considered as the very first recommendation to implement. But do you really know what a PPL is? In this post, I want to cover some…

Dump the memory of a PPL with a userland exploit. Contribute to itm4n/PPLdump development by creating an account on GitHub.

Abusing AD FS Replication. We demonstrate how a threat actor can extract the encrypted Token Signing Certificate from anywhere on an internal network.

Deep Dive Into Windows PE Format - GetProcAddress Spoofing - Malware researchers - Beware of GetProcAddress spoofing via manipulation of PE format in memory.

Overview This article describes methods by which an attacker can induce a victim user into authenticating using the NT Lan Manager (NTLM) Authentication Protocol to an attacker-controlled “Intranet” site, even in instances where that site points to an external…

I've been going through the various token privileges on Windows trying to find where they're used. One which looked interesting is  SeTruste...

Table of Contents:

Based on my previous blog post I recently had a conversation with a friend and well-known Windows security researcher about token privilege...

I'm currently in the process of trying to do some improvements to the Chrome sandbox. As part of that I'm doing updates to my Sandbox Attack...

As security teams continue to advance, it has become essential for attacker’s to have complete control over every part of their operation, from the infrastructure down to individual actions that...

Active Directory Certificate Services has a lot of attack potential!