😈 Security researcher (#ActiveDirectory), developer, pentester 🤓 I share technical tips and ideas 👌 Low volume / high signal account 🎉 #CTF with @tipi_hack

France 🇫🇷🗼
Joined February 2011
🤔 Windows credential theft without Mimikatz, admin nor touching LSASS? 💡 Discover #Kekeo by @gentilkiwi to abuse CredSSP / TSPKG (RDP SSO)! ➡️ Read the article to learn how to exploit it & how to discover such dangerous configuration in your environment clement.notin.org/blog/2019/…
"Whilst I could have blindly tested the Exchange Online instance, this would have likely resulted in 0 high impact findings. Assuming that Microsoft know what they are doing, it’s unlikely that I would have a found a high impact RCE vulnerability without accessing source code" 👍
A story on how I gained RCE against Microsoft Exchange Online using CVE-2020-16875 and bypassed their patches twice over. Latest patch bypass is unpatched against on-premise deployments! Making Clouds Rain - Remote Code Execution in Microsoft Office 365: srcincite.io/blog/2021/01/12…
Windows advanced audit policy can apparently be defined for specific users... But I've never seen it used, and I am not even sure it can be done with the GUI! Perhaps by editing audit.csv? github.com/nsacyber/Windows-… "Policy Target" column Source: [MS-GPAC] docs.microsoft.com/en-us/ope…
"- In which Active Directory attribute could we store the ADFS private key? 🤔 - I don't know... What about 'thumbnailPhoto'? 🤓" I suppose that a complicated engineering trade-off was decided here! github.com/fireeye/ADFSDump/…
Blue teams can now test their #ActiveDirectory attack detection mechanisms (SIEM, FW...) using #AtomicRedTeam by @redcanary thanks to code I wrote with a colleague @AlsidOfficial ⚒ ⬇ Details below with @MITREattack IDs
T1003.006 DCSync github.com/redcanaryco/atomi…
T1207 DCShadow github.com/redcanaryco/atomi…
T1558.001 Golden ticket github.com/redcanaryco/atomi…
T1110.001 Brute Force github.com/redcanaryco/atomi…
T1110.003 Password spraying github.com/redcanaryco/atomi…
T1055 Remote Process Injection github.com/redcanaryco/atomi…
Clément Notin retweeted
WinInfoSec community, what's your opinion on policy for local Administrator & Guest accounts on wks/srv? I would go with:
* keeping default account w/o renaming
* disable guest
* LAPS on RID 500
* FilterAdministratorToken = 0
* LocalAccountTokenFilterPolicy = 0
Do you agree?
61% Yes!
22% With conditions (comment)
17% No (comment)
23 votes • Final results
Replying to @cnotin @cvedetails
We finally have a nice open-source alternative with updated content 👍
OpenCVE, a platform used for your CVE alerting and formerly known as Saucs, is now available! The code is on GitHub, so you can install it or directly use opencve.io ;)