FEATURED BLOG
Introducing BloodHound 4.3 — Get Global Admin More Often
Blog
All Posts
10 Min Read | Jul 13
Dealing with Failure: Failure Escalation Policy in CLR Hosts
Offensive tooling built upon the .NET framework and its runtime environment, the Common Language Runtime (CLR), is an important part of the red teaming ecosystem. .NET tools offer rapid development times, a [...]
11 Min Read | Jul 07
Koh: The Token Stealer
Years ago I was chatting with a few experienced red teamers and one was lamenting token abuse. Specifically, they wanted to be able to automatically “harvest” tokens on a host [...]
13 Min Read | Jun 30
Relaying NTLM Authentication from SCCM Clients
tl;dr: Seriously, please disable NTLM. I recently learned that you can coerce NTLM authentication from SCCM servers using any Windows SCCM client when automatic site-wide client push installation is enabled and [...]
8 Min Read | Jun 28
The Phantom Credentials of SCCM: Why the NAA Won’t Die
TL;DR — Stop Using Network Access Accounts! If a Windows machine has ever been an SCCM client, there may be credential blobs for the network access account (NAA) on disk. If an Active [...]
9 Min Read | Jun 27
Understanding the Function Call Stack
There’s more than meets the eye under the function call hood. This post is based on a September 2021 Twitter thread that I wrote to describe the same concept regarding function [...]
17 Min Read | Jun 20
Establish security boundaries in your on-prem AD and Azure environment
Preventing escalation from initial access in your Active Directory (AD) environment to Domain Admins can feel impossible, especially after years of successful red team engagements finding new attack paths each [...]
4 Min Read | Jun 16
Hang Fire: Challenging our Mental Model of Initial Access
For as long as I’ve been working in security, initial access has generally looked the same. While there are high degrees of variation within each technique (i.e., payloads, pretexts, delivery [...]
4 Min Read | Jun 14
Introducing Ghostwriter v3.0
The Ghostwriter team recently released v3.0.0. This release represents a significant milestone for the project, and there has never been a better time to try out Ghostwriter. Our goal was [...]
8 Min Read | Jun 08
Managed Identity Attack Paths, Part 3: Function Apps
Intro and Prior Work: In this three-part blog series we have explored attack paths that emerge out of Managed Identity assignments in three Azure services: Automation Accounts, Logic Apps, and [...]