harmj0y

Remote Hash Extraction On Demand Via Host Security Descriptor Modification

2 Comments / ActiveDirectory / April 10, 2018

This is the long overdue follow-up to the “An ACE in the Hole: Stealthy Host Persistence via Security Descriptors” presentation (slides and video) that @tifkin_, @enigma0x3, and I gave at DerbyCon last year. This past weekend we gave a talk at @Sp4rkCon titled “The Unintended Risks of Trusting Active Directory” that explored combining our host-based …

Remote Hash Extraction On Demand Via Host Security Descriptor Modification Read More »

The PowerView PowerUsage Series #4

Leave a Comment / Powershell / November 20, 2017

This is a short follow-up to my “A Guide to Attacking Domain Trusts” post, and the fourth post in my “PowerView PowerUsage” series. It follows the same Scenario/Solution/Explanation pattern as the previous entries, with the original post containing a constantly updated list of the entire series. One of the methods for trust hopping that I …

The PowerView PowerUsage Series #4 Read More »

A Guide to Attacking Domain Trusts

5 Comments / ActiveDirectory, Red Teaming, Top Posts / October 30, 2017

It’s been a while (nearly 2 years) since I wrote a post purely on Active Directory domain trusts. After diving into group scoping, I realized a few subtle misconceptions I previously had concerning trusts and group memberships. That, combined with the changes made to PowerView last year, convinced me to publish an up-to-date guide on …

A Guide to Attacking Domain Trusts Read More »

The PowerView PowerUsage Series #3

Leave a Comment / Powershell / September 19, 2017

This is the third post in my “PowerView PowerUsage” series, and follows the same Scenario/Solution/Explanation pattern as the previous entries. The original post contains a constantly updated list of the entire series. Active Directory access control is something my workmates and I have been very interested in over the past year. So far, this has …

The PowerView PowerUsage Series #3 Read More »

Hunting With Active Directory Replication Metadata

2 Comments / ActiveDirectory, Defense / September 6, 2017

With the recent release of BloodHound’s ACL Attack Path Update as well as the work on Active Directory DACL backdooring by @_wald0 and myself (whitepaper here), I started to investigate ACL-based attack paths from a defensive perspective. Sean Metcalf has done some great work concerning Active Directory threat hunting (see his 2017 BSides Charm “Detecting …

Hunting With Active Directory Replication Metadata Read More »

The PowerView PowerUsage Series #2

1 Comment / Powershell / August 16, 2017

This is the second post in my “PowerView PowerUsage” series. The original post contains a constantly updated list of the entire series. This post will follow the same scenario/solution/explanation format, and is definitely a bit simpler than the first post. The Scenario While on an engagement in a multi-domain forest, you end up with a …

The PowerView PowerUsage Series #2 Read More »

Offensive Encrypted Data Storage (DPAPI edition)

2 Comments / Red Teaming / July 31, 2017

Last September I wrote a post titled “Offensive Encrypted Data Storage” that detailed an approach to securely storing data on disk during offensive engagements. I recently revisited the idea a bit while once again thinking about disk artifacts, and remembered about DPAPI. The Windows Data Protection API (DPAPI) provides a simplified set of cryptographic functions …

Offensive Encrypted Data Storage (DPAPI edition) Read More »

The PowerView PowerUsage Series #1

2 Comments / Powershell / July 17, 2017

PowerView is probably my favorite bit of code I’ve written, and definitely the one I most regularly use (as evidenced by my recent posts). My team also heavily utilizes the toolkit, and we’ve come up with some cool uses for it over the past several years. For a long time I’ve wanted to share some …

The PowerView PowerUsage Series #1 Read More »

A Three Year Retrospective

2 Comments / Informational / May 24, 2017

I love blogging. One of my favorite parts of my job is figuring out details about an operationally useful topic and trying to explain it in a digestible way. I’ve found that blogging about (or teaching) a particular subject really helps solidify my knowledge, at least as I understand it at the time. It also …

A Three Year Retrospective Read More »