Search Results
31 total results found
Pass the PRT
This attack exploits devices with SSO enabled in hybrid Azure environments. PRTs can authenticate into any application, bypass MFA with the built-in MFA claim and satisfy every conditional access policy. This attack leverages the native presence of the Browser...
Pass the Cookie
If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAUTH, which can be exposed or stolen from the browser cache, a memory dump of running processes, malicious browser extensions and the Chrome cookies file. The ...
Introduction to ADCS
ADCS is made of these main components:
CA: Certification Authority, an entity that issues and manages certificates. There can be multiple CAs, organized in a hierarchy to add more layers of "movement" between the end user and the main CA.
Certificate Templates:...
Abusing Managed Identities
Managed Identities are a type of Service Principal, used by applications to obtain tokens for authentication without the need to manage credentials. We'll see how a misconfigured Managed Identity can allow an attacker to access resources in the same re...
Virtual Machine Abuse
This section is highly dependent on the Abusing Managed Identities module, so I recommend checking that out first and then coming back to this ʕ •ᴥ•ʔ The setup is the same and the attack assumes you compromised a Linux-based VM and we can use it to execute comm...
Attacking Key Vaults
While owning users and devices in AAD environments, it's good practice to look out for permissions like
Microsoft.KeyVault/vaults/read # read keys in a vault
Microsoft.KeyVault/vaults/secrets/read # read the plaintext passwords in...
Child/Parent Trust Abuse
Whenever a child domain (child.domain.com) is added to a forest, the event automatically creates a transitive and bidirectional trust with the parent domain (domain.com).
PS C:\users\otter\desktop> Get-ADTrust -Filter *
Direction : BiDirectional...
One-Way Inbound Trust Abuse
A one-way inbound trust looks like this:
PS C:\users\otter\desktop> Get-DomainTrust
SourceName : trusteddomain.com
TargetName : trustingdomain.com
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes :
TrustDirection : Inbound
WhenCreated ...
One-Way Outbound Trust Abuse
We are dealing with a one-way outbound trust when trustingdomain.com trusts trusteddomain.com, so the users from the second domain are able to access the resources in the first one. Given that we have high-privilege access to trustingdomain.com, we are able to "...
Dumping data from the Microsoft Recall folder
Recently, Microsoft announced their new AI Recall feature that will be enabled on a new hardware generation called Copilot+ PC. I won't bore you with the details as the topic has been vastly covered already in YouTube videos and other major information sources...
Gaining persistence on Windows with Time Providers
When authenticating into a Domain Controller using the Kerberos protocol, especially during a CTF, we've all encountered the infamous Kerberos Clock Skew error. It looks something like this:
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
This er...