OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys
TL;DR OneLogin was found to have security vulnerabilities in its AD Connector service that exposed authentication credentials and enabled account impersonation. This research showed that attackers could access credentials and signing keys to generate valid JWT tokens, allowing user impersonation. Leaked AWS credentials allowed SpecterOps to register an unclaimed S3 bucket referenced in the OneLogin […]
Update: Dumping Entra Connect Sync Credentials
TL;DR Microsoft has recently changed how Entra Connect Sync authenticates to Entra ID. This blog post will discuss what has been changed and how to adjust attacker tradecraft. Recently, Microsoft changed the way the Entra Connect Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the […]
Chatting with Your Attack Paths: An MCP for BloodHound
TL;DR In an effort to learn about Model Context Protocol servers, I created a MCP server that allows Claude Desktop to access and analyze data contained with a running instance of BloodHound Community Edition. This MCP is recommended to be used with Lab or Example data. Future releases will have Local LLM support. Introduction During […]
TL;DR Tokenization Confusion: We look at the new Prompt Guard 2 model from Meta, how “confusing” Unigram tokenization can lead to misclassification of malicious prompts, and why building up our ML knowledge will lead to better findings when assessing LLM API’s. Recently, upon getting ready to board a flight across the Atlantic, I was deciding […]
Getting the Most Value Out of the OSCP: After the Exam
TL;DR In the final post of this series, I’ll discuss what to do after your latest exam attempt to get the most value out of your OSCP journey. Introduction Throughout this series, I’ve shared practical advice for PEN-200: Penetration Testing with Kali Linux students seeking to maximize the professional, educational, and financial value of pursuing […]
TL;DR: This post shows how COM hijacking can serve as a reliable persistence method while also enabling execution within commonly used applications across an environment. Overview Persistence is one of the most important steps in any red team engagement. Without persistence, all it takes is a reboot, a user logout, or some unexpected disruption, and […]
Understanding & Mitigating BadSuccessor
TL;DR: BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escalate privileges and take over the forest. The DACL-based parts of the attack have relatively straightforward mitigations. Recently Yuval Gordon at Akamai released the blog post BadSuccessor: Abusing dMSA to Escalate Privileges in […]
(Why) IAM demands an #AttackGraph First Approach
TL;DR: Don’t start with access lists, start with attacker movement. Your new baseline: “Be the best at predicting how an attacker would reach identities that control critical assets”. Lead with an Attack Graph First approach. Add context and clear narrative to attack paths. Expose real risk and prioritize the most impactful fixes. Quick What Is: […]
Running From Complacency: Getting Off Your InfoSec Hamster Wheels
TL;DR Breaking free from InfoSec complacency: We discuss how security leaders can align their security strategy with business goals, evaluate metrics critically, and collaborate with peers instead of running aimlessly on their information security hamster wheels. The past months have been your typical Information Security chaos with a bit of extra political flair. A rapidly […]
Getting the Most Value Out of the OSCP: The Exam
TL;DR A practical guide to maximizing the short- and long-term benefits of your upcoming OSCP exam attempt(s). Introduction In the last post in this series, I discussed a few proactive steps students should take throughout the PEN-200: Penetration Testing with Kali Linux labs as part of their efforts to earn the Offensive Security Certified Professional […]
