This year, LAPS 2.0 was released by Microsoft, and thankfully it now comes built into Windows. This time it comes ready for use with Active Directory, as well as being supported in Azure AD aka Entra ID. In this post, we'll look at how LAPS 2.0 for Active Directory works under the hood, so you can make those fresh recommendations to your clients, and prepare yourself for the inevitable question... "But we just deployed LAPS... what does LAPS 2.0 do differently?!"
This post looks at the recent trend of pulling Azure tokens from Office process memory and tries to identify just how these tokens were loaded, how Office handles a Microsoft Account (MSA), and how we can recover cached credentials from the Token Broker Cache.
In this post we'll explore just how SCCM uses its HTTP API to initialise a client, take a look at how Network Access Accounts are retrieved from SCCM, and see how we can decrypt these credentials without having to go anywhere near DPAPI.
With the leaking of code signing certificates and exploits for vulnerable drivers becoming common occurrences, adversaries are adopting the kernel as their new playground. And with Microsoft making technologies like Virtualization Based Security (VBS) and Hypervisor Code Integrity (HVCI) available, I wanted to take some time to understand just how vulnerable endpoints are when faced with an attacker set on escaping to Ring-0.
In this post, we'll dig into just how SMB over QUIC works, answer some of the immediate questions around which attacks are feasible, and show how we can repurpose some existing tooling to capture NTLM handshakes.
In this post we are going to look at one such technique that I thought was cool while playing around with the Windows Object Manager. It should allow us to load an arbitrary DLL of our creation into a Windows process during initial execution, something that I've been calling "Object Overloading" for reasons which will hopefully become apparent in this post.