Releasing Tunnel Vision Toolkit, part of my @x33fcon talk on Microsoft Global Secure Access.
Includes BOFs to assist in engagements where you face GSA, plus a rogue client that lets you connect to internal resources from unmanaged devices.
https://t.co/ol16oRH6v9
here's my writeup for the latest Netskope LPE
this was a fun bypass of CVE-2025-0309, and highlights an interesting cloud-based attack surface :)
https://t.co/VadYben8ge
Thank you for coming to today's talk at #Insomnihack. I will upload the slides later, but here is the new release of the BAADTokenBroker BOF for those of you interested
https://t.co/NUxFLzY7hO
Are one-way trusts really one way? @lowercase_drm sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets.
https://t.co/jh9MRAeHk9
@shahardorf & I found a phishing campaign abusing OAuth applications in Entra in more than 50 organizations! And I promise you that in this blog we explain how you can do it too! And provide all the IOCs 🤭 It's one of these blogs I would enjoy reading!
https://t.co/2Eh1nkc0nN
Every Entra ID assessment ends here: “How do I get a token without triggering Conditional Access controls?” 🤔
@rbnroot built CAPSlock, an offline ROADrecon-based Conditional Access engine that simulates sign-ins & flags gaps without touching the tenant. https://t.co/MRogABIkL2
As promised, today we released DumpBrowserSecrets a tool which extracts passwords, tokens, cookies and other data from several browsers.
https://t.co/EaswGdihdU
Reversing Microsoft Defender's signatures for evasion.
Deep dive into VDM guts - gzip-compressed files with no encryption, allowing entire signatures to be evaded with just a 1-byte change.
Research by the RETooling crew (@DrCh40s && @t0nvi). Nicely done, chaps!
Post: https://t.co/RibfSrsMZR
#redteam #blueteam #maldev #evasion #reverseengineering #antivirus #malwaredevelopment
The Azure AD Broker plays a key role in Entra ID sign-in & token handling, but how well do we really understand it?
@winternl_t unpacks its on-disk cache, how to decode it, & the security implications. 🔐 https://t.co/eC86G7QFzy
I have released an OpenGraph collector for network shares and my first blogpost at @SpecterOps on the subject!
You can now visualize attack paths to network shares in BloodHound 👀
https://t.co/2e2DBIndcU
Inspired by the @TrustedSec article on remotely starting Windows services, enjoy our Python unauthenticated EFS trigger developed with @Hypnoze57
Enjoy!
https://t.co/lfXowfPYtv
Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM.
https://t.co/GC5wA2y3EO
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: https://t.co/jD6EaGtsn3
Happy to release SAMLSmith together with @ericonidentity
- Generate forged SAML responses
- Simulate Silver SAML & Golden SAML attacks
- Extract usable certificate files from AD FS encrypted materials.
The tool is written in C#
Check it out here - https://t.co/ZI7h4HhvPK
The slides from #TROOPERS25 are now available🔥
The key point in the talk is that Device Registration Service is often forgotten in Conditional Access, leading to various abuse.
This talk introduces one of the examples and explains lateral movement tips.
https://t.co/gUcMFvRkxI
So you've compromised a host that isn't cloud-joined. Antero Guy breaks down how to request OAuth tokens & enumerate an Entra ID tenant by using an SSO cookie from a non-cloud-joined device. Read more ⬇️ https://t.co/3v1l0Sd1Ar
Following @ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by @SAERXCIT last year.
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
https://t.co/yq80EAtSEo