See the latest by Daniel Heinsen
Entra Connect Attacker Tradecraft: Part 3
TL;DR Attackers can exploit Entra Connect sync accounts to hijack device userCertificate properties, enabling device impersonation...
By: Daniel Heinsen
Jul 30, 2025 • 16 min read
Read Post
Update: Dumping Entra Connect Sync Credentials
TL;DR Microsoft has recently changed how Entra Connect Sync authenticates to Entra ID. This blog post...
By: Daniel Heinsen
Jun 9, 2025 • 10 min read
Read Post
Entra Connect Attacker Tradecraft: Part 2
Now that we know how to add credentials to an on-premises user, lets pose a question:...
By: Daniel Heinsen
Jan 22, 2025 • 11 min read
Read Post
Attacking Entra Metaverse: Part 1
This is part one in a two (maybe three…) part series regarding attacker tradecraft around the...
By: Daniel Heinsen
Dec 13, 2024 • 8 min read
Read Post
An AWS Administrator Identity Crisis: Part 1
BLUF: Every attack path needs a destination. This is a formalized way of describing destinations in...
By: Daniel Heinsen
Jun 28, 2024 • 11 min read
Read Post
Summary: Given that: Temporary Access Passes (TAP) are enabled in the Azure AD tenant AND You...
By: Daniel Heinsen
Mar 29, 2023 • 22 min read
Read Post
Updates to Ghostwriter: UI and Operation Logs
By: Daniel Heinsen
Sep 30, 2020 • 7 min read
Read Post
Persistent AWS access with role chain juggling