Skip to main content
Advanced Search
Search Terms
Content Type

Exact Matches
Tag Searches
Date Options
Updated after
Updated before
Created after
Created before

Search Results

31 total results found

Pass the PRT

Azure AD (AAD)

This attack exploits devices with SSO enabled in hybrid Azure environments. PRTs can authenticate into any application, bypass MFA with the built-in MFA claim and satisfy every conditional access policy. This attack leverages the native presence of the Browser...

AAD Lateral Movement

Pass the Cookie

Azure AD (AAD)

If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAUTH cookie which can be exposed or stolen from the browser cache, a memory dump of running processes, malicious browser extensions and the Chrome cookies file. The ...

AAD Lateral Movement

Introduction to ADCS

Abusing Active Directory Certificate Se...

ADCS is made of these main components CA: Certification Authority, an entity that issues and manages certificates. There can be multiple CAs, organized in a hierarchy to add more layers of "movement" between the end user and the main CA Certificate Templates:...

Abusing Managed Identities

Azure AD (AAD)

Managed Identities are a type of Service Principal and they are used by applications to obtain tokens for authentication without need to manage credentials. We'll see how a misconfigured Managed Identity can allow an attacker to access resources in the same re...

AAD Lateral Movement

Virtual Machine Abuse

Azure AD (AAD)

This section is highly dependent on the Abusing Managed Identities module so i recommend checking that out first and then coming back to this ʕ •ᴥ•ʔ The setup is the same and the attack assumes you compromised a Linux-based VM and we can use it to execute comm...

AAD Lateral Movement

Attacking Key Vaults

Azure AD (AAD)

While owning users and devices in AAD environments, it's good practice to look out for permissions like Microsoft.KeyVault/vaults/read # read keys in a vault Microsoft.KeyVault/vaults/secrets/read # read the plaintext passwords in...

AAD Credential Theft

Child/Parent Trust Abuse

Domain Trust Abuse

Whenever a child domain (child.domain.com) is added to a forest, the event automatically creates a transitive and bidirectional trust with the parent domain (domain.com). PS C:\users\otter\desktop> Get-ADTrust -Filter * Direction : BiDirectional...

One-Way Inbound Trust Abuse

Domain Trust Abuse

A one-way inbound trusts looks like this PS C:\users\otter\desktop> Get-DomainTrust SourceName      : trusteddomain.com TargetName      : trustingdomain.com TrustType       : WINDOWS_ACTIVE_DIRECTORY TrustAttributes : TrustDirection  : Inbound WhenCreated   ...

One-Way Outbound Trust Abuse

Domain Trust Abuse

We are dealing with a one-way outbound trust when trustingdomain.com trusts trusteddomain.com so the users from the second domain are able to access the resources in the first one. Given that we have high-privilege access to trustingdomain.com we are able to "...

Dumping data from the Microsoft Recall folder

Articles

Recently, Microsoft announced their new AI Recall feature that will be enabled on a new hardware generation called Copilot+ PC. I won't bore you with the details as the topic has been vastly covered already in YouTube videos and other major information sources...

Gaining persistence on Windows with Time Providers

Articles

When authenticating into a Domain Controller using the Kerberos protocol, especially during a CTF, we've all encountered the infamous Kerberos Clock Skew error, it looks something like this: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) This er...