The contents of this blogpost was written by Nick Powers (@zyn3rgy) and Steven Flores (@0xthirteen), and is a written version of the content presented at Defcon30. With the barrier to entry for initial access ever increasing, we spent some time digging into potentially lesser-known weaponization options for ClickOnce deployments. A few of the hurdles we’d […]

In his 1931 paper “A Non-Aristotelian System and Its Necessity for Rigour in Mathematics and Physics,” Mathematician Alfred Korzybski introduced an idea that many today find helpful when dealing with complex systems. The idea is commonly referred to as “The map is not the territory,” and Korzybski lays it out according to the following points: […]

Within the cybersecurity industry, many of us have a natural inclination towards digging into technical concepts and understanding what is going on under the hood. Or, if you are like me, you develop this over time and realize many of the complexities and dependencies you had missed, resulting in a desire to dig in and […]

We are excited to share the release of BloodHound version 4.3.1. We have accepted a lot of pull requests made by BloodHound users for bug fixes and cool improvements in this release. We are super grateful for the continued support and contributions from our dedicated community. Together, we are making BloodHound a better tool. Let’s jump […]

By Nathan Davis This body of work also appears in the form of a webinar, which can be accessed here. What is security? This is a question that struck me some time ago, and I realized that I didn’t have a concrete answer. For context, this question actually came about as a derivation of a separate issue […]

There’s a new, practical way to escalate from Domain Admin to Enterprise Admin. ESC5 You’ve heard of ESC1 and ESC8. But what about ESC5? ESC5 is also known as “Vulnerable PKI Object Access Control”. Will Schroeder and Lee Christensen’s whitepaper mentions three classes of objects when discussing ESC5: The CA server’s AD computer object (i.e., […]

— Title by ChatGPT for introducing Mythic 3.0 What is Mythic? Mythic is a plug-n-play command and control (C2) framework that heavily leverages Docker and a microservice architecture where new agents, communication channels, and modifications can happen on the fly. Some of the Mythic project’s main goals are to provide quality of life improvements to operators, improve […]

Introduction Impersonation happens often natively in Windows, however, adversaries also use it to run code in the context of another user. Recently I was researching named pipe impersonation which naturally led me digging into the Win32 API ImpersonateNamedPipeClient. I had never really dug into how ImpersonateNamedPipeClient worked under the hood, so I wanted to do […]

Introducing BloodHound 4.3 — Get Global Admin More Often Discover new attack paths traversing Microsoft Graph and seven new Azure Resource Manager objects. Checking out BloodHound for the first time? Here are some handy resources: Get the latest version of BloodHound on GitHub Read our official documentation Come hang out with us in the BloodHound Slack Major Contributions from BloodHound […]

Summary: Given that: Temporary Access Passes (TAP) are enabled in the Azure AD tenantAND You have an authentication admin role in Azure AD You can assign users a short lived password called a Temporary Access Pass (TAP) that satisfies most multi-factor authentication requirements implemented in Azure AD conditional access without alerting the user or modifying their […]