Channel: harmj0y – harmj0y
Browsing all 83 articles

Roasting AS-REPs

Last November, I published a post titled “Kerberoasting Without Mimikatz” that detailed new developments with PowerView and Tim Medin's Kerberoasting attack. This started me down the path of looking at...

Targeted Kerberoasting

This is a short follow-up demonstrating a technique that dawned on me after posting about decrypting AS-REPs earlier this week. As mentioned previously, @_wald0, @cptjesus, and I are currently working...

Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy

Nearly three years ago, I wrote a post named “Pass-the-Hash is Dead: Long Live Pass-the-Hash” that detailed some operational implications of Microsoft’s KB2871997 patch. A specific sentence in the...

A Three Year Retrospective

I love blogging. One of my favorite parts of my job is figuring out details about an operationally useful topic and trying to explain it in a digestible way. I’ve found that blogging about (or...

A Pentester’s Guide to Group Scoping

Scopes for Active Directory groups were always a bit murky for me. For anyone with an AD sysadmin background, this topic is probably second nature, but it wasn’t until I read this SS64 entry that...

The PowerView PowerUsage Series #1

PowerView is probably my favorite bit of code I’ve written, and definitely the one I most regularly use (as evidenced by my recent posts). My team also heavily utilizes the toolkit, and we’ve come up...

Offensive Encrypted Data Storage (DPAPI edition)

Last September I wrote a post titled “Offensive Encrypted Data Storage” that detailed an approach to securely storing data on disk during offensive engagements. I recently revisited the idea a bit...

The PowerView PowerUsage Series #2

This is the second post in my “PowerView PowerUsage” series. The original post contains a constantly updated list of the entire series. This post will follow the same scenario/solution/explanation...

Hunting With Active Directory Replication Metadata

With the recent release of BloodHound’s ACL Attack Path Update as well as the work on Active Directory DACL backdooring by @_wald0 and myself (whitepaper here), I started to investigate ACL-based...

The PowerView PowerUsage Series #3

This is the third post in my “PowerView PowerUsage” series, and follows the same Scenario/Solution/Explanation pattern as the previous entries. The original post contains a constantly updated list of...

A Guide to Attacking Domain Trusts

It’s been a while (nearly 2 years) since I wrote a post purely on Active Directory domain trusts. After diving into group scoping, I realized a few subtle misconceptions I previously had concerning...

The PowerView PowerUsage Series #4

This is a short follow-up to my “A Guide to Attacking Domain Trusts” post, and the fourth post in my “PowerView PowerUsage” series. It follows the same Scenario/Solution/Explanation pattern as the...

Remote Hash Extraction On Demand Via Host Security Descriptor Modification

This is the long overdue follow-up to the “An ACE in the Hole: Stealthy Host Persistence via Security Descriptors” presentation (slides and video) that @tifkin_, @enigma0x3, and I gave at DerbyCon last...

The PowerView PowerUsage Series #5

This is the fifth post in my “PowerView PowerUsage” series, and follows the same Scenario/Solution/Explanation pattern as the previous entries. The original post contains a constantly updated list of...

GhostPack

Anyone who has followed myself or my teammates at SpecterOps for a while knows that we’re fairly big fans of PowerShell. I’ve been involved in offensive PowerShell for about 4 years, @mattifestation...

Operational Guidance for Offensive User DPAPI Abuse

I’ve spoken about DPAPI (the Data Protection Application Programming Interface) a bit before, including how KeePass uses DPAPI for its “Windows User Account” key option. I recently dove into some of...

From Kekeo to Rubeus

Kekeo, the other big project from Benjamin Delpy after Mimikatz, is an awesome code base with a set of great features. As Benjamin states, it’s external to the Mimikatz codebase because, “I hate to...

Rubeus – Now With More Kekeo

Rubeus, my C# port of some of the features from @gentilkiwi's Kekeo toolset, already has a few new updates in its 1.1.0 release, and another new feature in its 1.2.0 release. This post will cover the main...

Another Word on Delegation

Every time I think I start to understand Active Directory and Kerberos, a new topic pops up to mess with my head. A few weeks ago, @elad_shamir contacted @tifkin_ and myself with some ideas about...

Not A Security Boundary: Breaking Forest Trusts

For years Microsoft has stated that the forest was the security boundary in Active Directory. For example, Microsoft’s “What Are Domains and Forests?” document (last updated in 2014) has a “Forests as...
