//Posts

Active Directory Spotlight: Attacking Microsoft's Configuration Manager (SCCM/MECM) 2023-05-17
This spotlight covers the Microsoft Configuration Manager (ConfigMgr), also known as SCCM or MECM. Get an introduction to the Configuration Manager, an overview and demonstration of known attacks against it, practical toolbox knowledge and best-practice defensive guidelines. Read more...
Offphish - Phishing revisited in 2023 2023-02-09
What is the state of the art in phishing in 2023? What techniques exist, which of them still work, and what know-how is worth revisiting?... Read more...
Untangling Azure Active Directory Permissions II: Privileged Access 2022-11-10
I've focused on using my enumeration learnings to automate the process of identifying high privileged principals in an Azure Active Directory Tenant... Read more...
Untangling Azure Active Directory Principals & Access Permissions 2022-10-19
This blog post will untangle the question of 'who has access to what' in an Azure Active Directory environment. A PowerShell tool will also be released to automatically enumerate this. Read more...
Active Directory Spotlight: Windows Event Forwarding & Windows Event Collector 2022-07-22
Windows Event Forwarding (WEF) offers a simple, free and already built-in solution to configure Windows workstations and servers to send encrypted log events to a centralized location for storage, analysis, attack & anomaly detection... Read more...
Debugging and Reversing ALPC 2022-05-29
This post is an addendum to my journey to discover and verify the internals of ALPC, which I've documented in Offensive Windows IPC Internals 3: ALPC. While preparing this blog I figured a second post, explaining the debugging steps I took to verify and discover ALPC behaviour, could be useful to all of us that are beginners in the field of reverse engineering and/or debugging. Read more...
Offensive Windows IPC Internals 3: ALPC 2022-05-24
After talking about two inter-process communication (IPC) protocols that can be used remotely as well as locally, namely Named Pipes and RPC, with ALPC we're now looking at a technology that can only be used locally... Read more...
Active Directory Spotlight: Trusts - Part 2. Operational Guidance 2021-10-10
This is part 2 of our Active Directory Trusts series. This part will cover guidance for red and blue teams on how to enumerate, attack and secure AD trusts. Read more...
Active Directory Spotlight: Trusts - Part 1. The Mechanics 2021-10-10
This post is intended to shed some light on Active Directory Trusts, to understand, dissect, configure and find vulnerabilities in AD trust environments. Read more...
Offensive Windows IPC Internals 2: RPC 2021-02-21
Remote Procedure Call (RPC) is a technology that enables data communication between a client and a server across process and machine boundaries (network communication). RPC is therefore an Inter Process Communication (IPC) technology... Read more...
Offensive Windows IPC Internals 1: Named Pipes 2021-01-10
Although the name might sound a bit odd, pipes are a very basic and simple technology to enable communication and share data between two processes, where the term pipe simply describes ... Read more...
Kerberos Delegation: A Reference Overview 2020-02-15
There are 3 delegation types: Unconstrained, Constrained and Resource Based. This post will list the attributes used to define these types and outline attack paths to abuse misplaced delegation settings. Read more...
Kerberos Delegation: A Wrap Up 2020-02-10
Delegation allows a server application to impersonate a client when the server connects to other network resources. In other words: Delegation specifies the client's action to authorize a server in order to allow this server to impersonate itself (the client). Read more...
A Beginner's Guide to Windows Shellcode Execution Techniques 2019-07-24
This blog post aims to cover basic techniques for executing shellcode within the memory space of a process. The background idea for this post is simple: New techniques to achieve stealthy code execution appear every day and it's not always trivial to break these new concepts into their basic parts to understand how they work. By explaining basic concepts of in-memory code execution I'm aiming to improve everyone's ability to do this... Read more...
A Windows Authorization Guide 2018-06-14
Compared to Linux, the Windows authorization process is quite complex and quite a few actors and objects are involved in it. As a result, there are a lot of terms and acronyms that must be known in order to understand and follow up on the topic. To get an idea of what is covered in this guide, take a look at this overview of terms and acronyms... Read more...
Downgrade SPNEGO Authentication 2018-04-04
Microsoft's SPNEGO protocol is a less well known sub-protocol used by better known protocols to negotiate authentication. This blog post covers weaknesses I've discovered in SPNEGO and leverages them to highlight an inconsistency in the SMBv2 protocol, both of which lead to user credentials being sent over the wire in a way that makes them vulnerable to offline cracking... Read more...
Kerberos Authentication: A Wrap Up 2017-09-12
This post is intended as a wrap-up to refresh/update your understanding of how Kerberos works in a Windows domain network... Read more...
NTLM Authentication: A Wrap Up 2017-09-10
This post is intended as a wrap-up to refresh/update your understanding of how the NTLM authentication scheme works in a Windows domain network... Read more...