EntropyCapture: Simple Extraction of DPAPI Optional Entropy
Intro: During a short application assessment, enumeration and decryption of a third-party application’s Windows Data Protection API (DPAPI) blobs using SharpDPAPI produced non-readable data because optional entropy was being used. This may be ...
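To illustrate the symptom in that teaser, here is an added PowerShell example (not code from the EntropyCapture post or from SharpDPAPI). It protects a constructed secret with DPAPI using application-specific optional entropy, then shows that decrypting as the same user without that entropy fails, while supplying the entropy recovers the plaintext. The secret and entropy values are made up for the demo; it must run on Windows, where DPAPI is available.

```powershell
# Added example, not from the original page: why DPAPI blobs protected with
# optional entropy look unreadable to a tool that does not supply that entropy.
# Windows only (System.Security.Cryptography.ProtectedData wraps CryptProtectData).
Add-Type -AssemblyName System.Security

$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [System.Text.Encoding]::UTF8.GetBytes('api-token-constructed-for-demo')
# Application-specific "optional entropy"; the value here is an assumption for the demo.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('app-specific-entropy')

# The application side: protect the secret, mixing in the optional entropy.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# 1) A generic decryptor running as the same user but without the entropy fails:
#    DPAPI's integrity check over the blob does not pass, so no plaintext is returned.
try {
    $null = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    Write-Output 'unexpected: decrypted without entropy'
} catch {
    Write-Output "Unprotect without entropy failed: $($_.Exception.Message)"
}

# 2) Supplying the same entropy the application used recovers the secret.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
Write-Output ("Unprotect with entropy: " + [System.Text.Encoding]::UTF8.GetString($plain))
```

The practical takeaway is that the user's DPAPI master key alone is not enough: an assessor also has to recover the entropy the application passes in, which is the gap the post's EntropyCapture approach is aimed at.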
LSA Whisperer
Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on GitHub. What follows is the culmination of ...
Another CVE (PAN-OS Zero-Day), Another Reason to Consider Zero Trust
A Year of Critical Zero Days: Firewalls, VPNs, and more This past year has been, in many ways, the year of zero-day vulnerabilities for externally exposed assets — a trend that has ...
Misconfiguration Manager: Overlooked and Overprivileged
TL;DR: Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material at SO-CON 2024 on March 11, ...
SCCM Hierarchy Takeover with High Availability
TL;DR: SCCM sites configured to support high availability can be abused to compromise the entire hierarchy. I previously wrote about how targeting site systems hosting the SMS Provider role can be used to ...
Juliet C# Benchmark and the SecureString case
Juliet C# is a project from the National Institute of Standards and Technology of the USA. As a security benchmark project, we used Juliet C# 1.3 to test and improve our C# ...
Patch Tuesday Update – December 2023
The post Patch Tuesday Update - December 2023 appeared first on Digital Defense ...
Abusing Slack for Offensive Operations: Part 2
When I first started diving into offensive Slack access, one of the best public resources I found was a blog post by Cody Thomas from back in 2020 (which I highly recommend ...
Domain of Thrones: Part I
Written by Nico Shyne & Josh Prager. The Game of Domain Dominance: Just as in the political landscape of Westeros, defenders face a dynamic adversarial relationship…except instead of fighting rival families, defenders are locked into ...
Site Takeover via SCCM’s AdminService API
tl;dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover. Prior Work and Credit: Before I get started, I’d like to acknowledge some of the work previously ...