Recently Updated Pages
Malicious Device Join
This technique allows to bypass Conditional Access Policies based on device ownership. Since devi...
Compromising Azure Blobs and Storage Accounts
Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensi...
Service Principal Abuse
This persistence method consists in backdooring Azure applications leveraging the permissions of ...
Malicious MFA Takeover
This technique is pretty simple as it only consists in "backdooring" user accounts that don't hav...
AAD Federated Backdoor
The gist of this persistence technique is creating a malicious domain inside a target tenant and ...
ESC14
If we are able to enroll certificates as someone else (user or computer), we can compromise a tar...
ESC13
If a principal (user or computer) has enrollment rights on a certificate template configured with...
ESC11
The vulnerability identified as ESC11 involves exploiting the modification of the IF_ENFORCEENCRY...
ESC10
Case 1 Reviewing registry keys as Administrator bob$ python3 reg.py minions.com/'Administrator':'...
ESC8
Authentication coercion from a machine account where we relay the NTLM hash to AD CS to obtain a ...
ESC7
Vulnerable Certificate Authority Access Control where 2 sets of permissions poses security risks:...
ESC6
Note: ESC6 got patch on May of 2022. ESC6 permits the inclusion of user-defined values in subject...
ESC5
Vulnerable PKI Object Access Control where the objects have the following requirements: The AD ...
ESC4
You can create misconfigurations even in templates that are not initially vulnerable. For example...
Assess whether ADCS is installed
Check if ADCS installed Windows Presence of module ADCS: Get-WindowsFeature -Name ADCS-Cert-Auth...
ESC3
Unlike ESC1 and ESC2, this method requires two certificate templates with the following requireme...
ESC2
This privilege escalation technique requires the following: Any Purpose EKU which allows the att...
ESC1
For this technique to work we need a certificate template with the following requirements: ENRO...
Abusing User Administrator Role
Just like for the Cloud Administrator section, we'll walk though a small attack scenario which st...
Abusing Cloud Administrator Role
In this section we'll tackle an attack scenario that sees us compromising a Cloud Administrator a...