Marina Simakov (@simakov_marina)'s Twitter Profile

Marina Simakov (@simakov_marina)
Security Researcher @PreemptSecurity


Joined: 26-01-2017 13:59:53
201 Tweets, 1.1K Followers, 205 Following

Andy Robbins (@_wald0):

Pivoting from Azure back down to on-prem AD opens up some very exciting attack path possibilities. In this post, I explain what Hybrid Azure Join is, target enumeration, and how to abuse Intune/Endpoint Manager to execute code as SYSTEM on target systems: posts.specterops.io/death-from-abo…

raptor@infosec.exchange (@0xdea):

Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472) secura.com/blog/zero-logon Hmm, it looks bad. Looking forward to reading the whitepaper tomorrow!

Yaron Zinar (@yaronzi):

#Zerologon is (at least) one of the most critical vulns discovered this year. Its severity is equivalent to MS-14-068 (forged-pac). Exploits are public (Dirk-jan and #mimikatz). You should patch ASAP. If you can't, this tool github.com/preempt/ntlm-s… scans for *actual* attacks.

Marina Simakov (@simakov_marina):

Are all your DCs already patched against Zerologon (CVE-2020-1472)? Check out this simplified overview of the critical vulnerability discovered by Secura + further steps you can take to protect your network 😎 Yaron Zinar, Preempt, A CrowdStrike Company: preempt.com/blog/security-…

Marina Simakov (@simakov_marina):

Great write-up on how any service account with Kerberos constrained delegation permissions can be used with protocol transition to get a ticket for any user (including "sensitive users which cannot be delegated") by flipping a single bit (the "forwardable" flag of the service ticket).

Alberto Solino (@agsolino):

Just merged Jake Karnes' implementation of CVE-2020-17049 (aka Kerberos Bronze Bit Attack). Great stuff and thorough explanations in the blog posts. Great research Jake! Enjoy! github.com/SecureAuthCorp…

Marina Simakov (@simakov_marina):

While the Bronze Bit vulnerability was patched, the ability to bypass the "Kerberos Only" protection in Kerberos Constrained Delegation was published 2 years ago by Elad Shamir and still works today against patched DCs 😇 shenaniganslabs.io/2019/01/28/Wag…

Eyal Karni 🍅 (@eyal_karni):

NTLM relay refuses to die! A new blog is alive with details about the cool vuln in Print Spooler we have found! It was patched by Microsoft in the last Patch Tuesday. We also have a PoC we intend to release later. The blog was written jointly with Alex Ionescu: crowdstrike.com/blog/cve-2021-…

Will Schroeder (@harmj0y):

5 months ago Lee Chagolla-Christensen and I started looking into the security of Active Directory Certificate Services. Today we're releasing the results of that research: a blog post posts.specterops.io/certified-pre-… + a 140-page whitepaper and defensive audit tool (links at the top of the post) [1/6]

Yaron Zinar (@yaronzi):

Excited to share I'll be (virtually) in Vegas presenting at DEF CON a talk titled "Adventures in MitM-land: Using Machine-in-the-Middle to Attack Active Directory Authentication Schemes" with Sagi Sheinfeld and Eyal Karni 🍅. We'll present cool new MitM attacks against NTLM and Kerberos.

🥝🏳️‍🌈 Benjamin Delpy (@gentilkiwi):

We saw a lot of problems after the KB5005565 patch (or other KBs from the September 2021 Patch Tuesday), thinking it was related to the #printnightmare 4x branch fix. But don't forget a nightmare can hide another one (CVE-2021-1678), and see: msrc.microsoft.com/update-guide/v…

Filip Dragovic (@filip_dragovic):

Spooler service disabled, RPC filters installed to prevent PetitPotam, and File Server VSS Agent Service not installed, but you still want to relay DC authentication to ADCS? Don't worry, MS-DFSNM has your back ;) github.com/Wh04m1001/DFSC…

Dirk-jan (@_dirkjan):

I've added the material from my Black Hat US talk yesterday to my blog. If you are interested in Azure AD security, love account hijacks, MFA bypass, persistence techniques and privescs, give it a read: dirkjanm.io/assets/raw/US-…

Oliver Lyak (@ly4k_):

Today we're publishing new techniques for recovering NTLM hashes from encrypted credentials protected by Windows Defender Credential Guard. These techniques also work on victims logged on before the server was compromised. research.ifcr.dk/pass-the-chall…

Marina Simakov (@simakov_marina):

Connect your powerful AI agent to an MCP server. Enable auto-run. What could possibly go wrong? 😈 Turns out, when using Cursor with a Jira MCP, any local secret - API keys, AWS creds, SSH keys - is up for grabs. labs.zenity.io/p/when-a-jira-…

mbg (@mbrg0):

We got a persistent 0click on ChatGPT by sharing a doc that allowed us to exfiltrate sensitive data and creds from your connectors (Google Drive, SharePoint, ..) + chat history + future conversations. It gets worse: we deploy a memory implant. #DEFCON #BHUSA Tamir Ishay Sharbat

mbg (@mbrg0):

Next: we hijacked Cursor via Jira MCP by submitting a support ticket. Cursor harvests and exfiltrates all creds from your dev machine and then reports back to the dev that "the 2-hour downtime that affected user transactions has been resolved". #DEFCON #BHUSA Marina Simakov