Daniel Heinsen

See the latest by Daniel Heinsen

Research & Tradecraft

Entra Connect Attacker Tradecraft: Part 3

TL;DR Attackers can exploit Entra Connect sync accounts to hijack device userCertificate properties, enabling device impersonation and bypassing conditional access…

By: Daniel Heinsen

16 mins

Research & Tradecraft

Update: Dumping Entra Connect Sync Credentials

TL;DR Microsoft has recently changed how Entra Connect Sync authenticates to Entra ID. This blog post will discuss what has…

By: Daniel Heinsen

10 mins

Research & Tradecraft

Entra Connect Attacker Tradecraft: Part 2

Now that we know how to add credentials to an on-premises user, lets pose a question: “Given access to a…

By: Daniel Heinsen

11 mins

Research & Tradecraft

Attacking Entra Metaverse: Part 1

This is part one in a two (maybe three…) part series regarding attacker tradecraft around the syncing mechanics between Active…

By: Daniel Heinsen

8 mins

Research & Tradecraft

An AWS Administrator Identity Crisis: Part 1

BLUF: Every attack path needs a destination. This is a formalized way of describing destinations in AWS. In cloud providers…

By: Daniel Heinsen

11 mins

Research & Tradecraft

I’d TAP That Pass

Summary: Given that: Temporary Access Passes (TAP) are enabled in the Azure AD tenant AND You have an authentication admin…

By: Daniel Heinsen

22 mins

Research & Tradecraft

AWS ReadOnlyAccess: Not Even Once

By: Daniel Heinsen

9 mins

Research & Tradecraft

Updates to Ghostwriter: UI and Operation Logs

By: Daniel Heinsen

7 mins

Research & Tradecraft

Persistent AWS access with role chain juggling

By: Daniel Heinsen

7 mins