Search Results

Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensitive data. What we'll focus on in this section is a common misconfiguration that exposes access keys for the storage account itself allowing an attacker to downloa...

This technique allows to bypass Conditional Access Policies based on device ownership. Since devices are identified with certificates created during the registration process, all we need is access to a user account that can register a new device that can be se...

Azure's audit logs provide the vast majority of logging in the tenant and can be easily used to figure out what has been compromised and how the attack was carried out but if we manage to compromise an account with the Compliance Administrator role we can disa...

In hybrid environments, every attacker with local administrator access can spoof AAD Sign-In events and every attacker with Global Administrator permissions can register fake agents to AAD. This technique can both be used to remove tracks and IOCs but also to ...

We talked about Spoofing AAD Logon logs as a ADFS administrator in [[15 - Spoofing Azure Sign-In Logs]], now we'll see how it's possible to do the same as a Global Administrator on the AAD side. As a Global Admin we can register our own AAD Connect Health agen...

This attack exploits devices with SSO enabled in hybrid Azure environments. PRTs can authenticate into any application, bypass MFA with the built-in MFA claim and satisfy every conditional access policy. This attack leverages the native presence of the Browser...

If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAUTH cookie which can be exposed or stolen from the browser cache, a memory dump of running processes, malicious browser extensions and the Chrome cookies file. The ...

ADCS is made of these main components CA: Certification Authority, an entity that issues and manages certificates. There can be multiple CAs, organized in a hierarchy to add more layers of "movement" between the end user and the main CA Certificate Templates:...

Managed Identities are a type of Service Principal and they are used by applications to obtain tokens for authentication without need to manage credentials. We'll see how a misconfigured Managed Identity can allow an attacker to access resources in the same re...

This section is highly dependent on the Abusing Managed Identities module so i recommend checking that out first and then coming back to this ʕ •ᴥ•ʔ The setup is the same and the attack assumes you compromised a Linux-based VM and we can use it to execute comm...

While owning users and devices in AAD environments, it's good practice to look out for permissions like Microsoft.KeyVault/vaults/read # read keys in a vault Microsoft.KeyVault/vaults/secrets/read # read the plaintext passwords in...

It started with a URL I recently stumbled upon the following curious URL hxxps://rechnung-webmail.nizmo.cl/uw73oo29/?C96B33DB56A85F924D2C3C5E664D872DFA9A0EE4. The domain is now inactive, but at the time it ultimately redirected to hxxps://file.download.pelletq...

Whenever a child domain (child.domain.com) is added to a forest, the event automatically creates a transitive and bidirectional trust with the parent domain (domain.com). PS C:\users\otter\desktop> Get-ADTrust -Filter * Direction : BiDirectional...

A one-way inbound trusts looks like this PS C:\users\otter\desktop> Get-DomainTrust SourceName      : trusteddomain.com TargetName      : trustingdomain.com TrustType       : WINDOWS_ACTIVE_DIRECTORY TrustAttributes : TrustDirection  : Inbound WhenCreated   ...

We are dealing with a one-way outbound trust when trustingdomain.com trusts trusteddomain.com so the users from the second domain are able to access the resources in the first one. Given that we have high-privilege access to trustingdomain.com we are able to "...

SpecterOps https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf ESC13 https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53 ESC14 https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 HTB ADCS https://aca...

Web & Active Directory specialist. Find me on Hack The Box, VulnLab, PwnedLabs, etc. CTF / Socials Blog: https://bryanmcnulty.com LinkedIn: https://www.linkedin.com/in/bryanmcnulty GitHub: https://github.com/bryanmcnulty HTB: https://app.hackthebox.com/pro...

Recently, Microsoft announced their new AI Recall feature that will be enabled on a new hardware generation called Copilot+ PC. I won't bore you with the details as the topic has been vastly covered already in YouTube videos and other major information sources...

When authenticating into a Domain Controller using the Kerberos protocol, especially during a CTF, we've all encountered the infamous Kerberos Clock Skew error, it looks something like this: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) This er...

A cheatsheet for NetExec, featuring useful commands and modules for different services. NetExec: https://github.com/Pennyw0rth/NetExec Wiki: https://www.netexec.wiki Author: serioton Installation sudo apt install pipx git pipx ensurepath pipx install git+h...