Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃

Client ID: 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 I originally shared this in an Outflank OST knowledge sharing session about a year ago, but since %TEMP% dropped this at BH EU as well I guess the cat is out of the bag now 😄

Pytune : a post-exploitation tool for enrolling a fake device into Intune with mulitple platform support : github.com/secureworks/py… Unveiling the Power of Intune: Leveraging Intune for Breaking Into Your Cloud and On-Premise : i.blackhat.com/EU-24/Presenta… (Slides)

TokenSmith - Bypassing Intune Compliant Device Conditional Access labs.jumpsec.com/tokensmith-byp… #redteam

stuck in implementing gss_wrap function when AcceptorSubkey is not set. Need advice if anyone knows good implementation

I was too lazy to implement this before, but I've now added support for proxy usage to Pytune. It helped when sending authentication traffic through a target network during red teaming github.com/secureworks/py…

My talk accepted for this year's Troopers! Very excited to discuss Entra ID's attack technique in Heidelberg! 🇩🇪 #TROOPERS25 TROOPERS Conference

First round of #TROOPERS25 talks published: troopers.de/troopers25/tal…

The rumours are true! I'll be back at TROOPERS Conference this year for a joint talk with Fabian Bader! We'll talk about signing in to all the apps, the challenges that brings and how to request 600k different tokens in 20 minutes 😅

Great talk from blackhat Europe! It shows a lot more than the intune bypass we all know! Thanks for another great talk 🙂 %TEMP% youtu.be/YX5P99JUwlw?si…

Incredible line-up for the #TROOPERS25 AD & Entra ID Security Track, featuring Jonas Bülow Knudsen Martin Haller Dirk-jan Fabian Bader Dr. Nestori Syynimaa S3cur3Th1sSh1t Duane Michael & many more linkedin.com/posts/enno-rey…

Happy to share that my talk "The Ultimate Guide for Protecting Hybrid Identities in Entra ID" was accepted to TROOPERS Conference! troopers.de/troopers25/tal…

👏

Excited to share that our proposal for BSidesLV, led by Fumiya IMAI, got accepted! Stay tuned for more details!

One of the results of the joined research with Dirk-jan is entrascopes.com Basically the yellow pages for Microsoft first party apps. #TROOPERS25

Since several people already asked: the slides from Fabian Bader and myself for TROOPERS Conference are available! "Finding Entra ID CA bypasses-the structured way". We talked about FOCI, BroCI, CA bypasses, scopes and getting tons of tokens. Check it at dirkjanm.io/talks/

GraphSpy was extremely powerfull in the last engagement, and happy to see pytune integrated with it👏

The slides from #TROOPERS25 are now available🔥 The key point in the talk is that Device Registration Service is often forgotten in Conditional Access, leading to various abuse. This talk introduces one of the examples and explains lateral movement tips. troopers.de/downloads/troo…