Recently Updated Pages

Malicious Device Join

Azure AD (AAD)

This technique allows bypassing Conditional Access Policies based on device ownership. Since devi...

Updated 7 months ago by otter

Compromising Azure Blobs and Storage Accounts

Azure AD (AAD)

Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensi...

Updated 7 months ago by otter

Service Principal Abuse

Azure AD (AAD)

This persistence method consists of backdooring Azure applications leveraging the permissions of ...

Updated 7 months ago by otter

Malicious MFA Takeover

Azure AD (AAD)

This technique is pretty simple as it only consists of "backdooring" user accounts that don't hav...

Updated 7 months ago by otter

AAD Federated Backdoor

Azure AD (AAD)

The gist of this persistence technique is creating a malicious domain inside a target tenant and ...

Updated 7 months ago by otter

ESC14

Abusing Active Directory Certificate Se...

If we are able to enroll certificates as someone else (user or computer), we can compromise a tar...

Updated 7 months ago by BobBuilder

ESC13

Abusing Active Directory Certificate Se...

If a principal (user or computer) has enrollment rights on a certificate template configured with...

Updated 7 months ago by otter

ESC11

Abusing Active Directory Certificate Se...

The vulnerability identified as ESC11 involves exploiting the modification of the IF_ENFORCEENCRY...

Updated 7 months ago by BobBuilder

ESC10

Abusing Active Directory Certificate Se...

Case 1 Reviewing registry keys as Administrator bob$ python3 reg.py minions.com/'Administrator':'...

Updated 7 months ago by BobBuilder

ESC8

Abusing Active Directory Certificate Se...

Authentication coercion from a machine account where we relay the NTLM hash to AD CS to obtain a ...

Updated 7 months ago by BobBuilder

ESC7

Abusing Active Directory Certificate Se...

Vulnerable Certificate Authority Access Control where 2 sets of permissions pose security risks:...

Updated 7 months ago by BobBuilder

ESC6

Abusing Active Directory Certificate Se...

Note: ESC6 was patched in May 2022. ESC6 permits the inclusion of user-defined values in subject...

Updated 7 months ago by BobBuilder

ESC5

Abusing Active Directory Certificate Se...

Vulnerable PKI Object Access Control where the objects have the following requirements: The AD ...

Updated 7 months ago by BobBuilder

ESC4

Abusing Active Directory Certificate Se...

You can create misconfigurations even in templates that are not initially vulnerable. For example...

Updated 7 months ago by BobBuilder

Assess whether ADCS is installed

Abusing Active Directory Certificate Se...

Check if ADCS installed Windows Presence of module ADCS: Get-WindowsFeature -Name ADCS-Cert-Auth...

Updated 7 months ago by BobBuilder

ESC3

Abusing Active Directory Certificate Se...

Unlike ESC1 and ESC2, this method requires two certificate templates with the following requireme...

Updated 7 months ago by BobBuilder

ESC2

Abusing Active Directory Certificate Se...

This privilege escalation technique requires the following: Any Purpose EKU which allows the att...

Updated 7 months ago by BobBuilder

ESC1

Abusing Active Directory Certificate Se...

For this technique to work we need a certificate template with the following requirements: ENRO...

Updated 7 months ago by BobBuilder

Abusing User Administrator Role

Azure AD (AAD)

Just like for the Cloud Administrator section, we'll walk through a small attack scenario which st...

Updated 7 months ago by otter

Abusing Cloud Administrator Role

Azure AD (AAD)

In this section we'll tackle an attack scenario that sees us compromising a Cloud Administrator a...

Updated 7 months ago by otter