
Navigating the Uncharted: A Framework for Attack Path Discovery
This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in October. In the previous post, I asked, “How does one discover and abuse new attack paths?” To start answering this question, I made two key ... Read More

The Security Principle Every Attacker Needs to Follow
Earlier this year, I was tasked with developing a follow-on course for our renowned Adversary Tactics: Red Team Operations course. The new course needed to cover the advanced tradecraft we perform on engagements and teach students how to navigate highly secure environments. I decided to focus on “Identity-Driven Offensive Tradecraft”, which ... Read More

At the Edge of Tier Zero: The Curious Case of the RODC
The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set ... Read More

SPN-jacking: An Edge Case in WriteSPN Abuse
Some people are a hammer in search of a nail, but I’m a hammer in search of Kerberos delegation. So, when I heard that a WriteSPN edge was introduced to BloodHound 4.1, I started exploring alternative abuse techniques beyond targeted Kerberoasting, and I found an edge case (pun intended) that ... Read More

3 Steps to Mitigating Two Recent Active Directory Domain Service Privilege Escalation Security Flaws
After releasing security patches for two Active Directory vulnerabilities during the November 2021 Patch Tuesday, Microsoft urged customers on December 20 to apply the patches immediately to prevent attackers from taking over Windows domains. In addition to patching, organizations can increase their defenses against attacks by executing a couple of ... Read More