Introducing BloodHound 4.3 — Get Global Admin More Often

Offensive tooling built upon the .NET framework and its runtime environment, the Common Language Runtime (CLR), is an important part of the red teaming ecosystem. .NET tools offer rapid development times, a [...]

Years ago I was chatting with a few experienced red teamers and one was lamenting token abuse. Specifically, they wanted to be able to automatically “harvest” tokens on a host [...]

tl;dr: Seriously, please disable NTLM I recently learned that you can coerce NTLM authentication from SCCM servers using any Windows SCCM client when automatic site-wide client push installation is enabled and [...]

TL;DR — Stop Using Network Access Accounts! If a Windows machine has ever been an SCCM client, there may be credential blobs for the network access account (NAA) on disk. If an Active [...]

There’s more than meets the eye under the function call hood This post is based on a September 2021 Twitter thread that I wrote to describe the same concept regarding function [...]

Preventing escalation from initial access in your Active Directory (AD) environment to Domain Admins can feel impossible, especially after years of successful red team engagements finding new attack paths each [...]

For as long as I’ve been working in security, initial access has generally looked the same. While there are high degrees of variation within each technique (i.e., payloads, pretexts, delivery [...]