Jonas Bülow Knudsen

BloodHound

Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound

TL;DR The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on…

Research & Tradecraft

Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA)

TL;DR The Incoming Forest Trust Builders group (not AdminSDHolder protected) can create inbound forest trusts with ticket-granting ticket (TGT) delegation…

Research & Tradecraft

ADCS Attack Paths in BloodHound — Part 3

ADCS Attack Paths in BloodHound — Part 3 In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services…

Research & Tradecraft

ADCS Attack Paths in BloodHound — Part 2

ADCS Attack Paths in BloodHound — Part 2 In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services…

Research & Tradecraft

Pwned by the Mail Carrier

How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. At SpecterOps, we recommend our customers…

Research & Tradecraft

ADCS ESC14 Abuse Technique

The altSecurityIdentities attribute of Active Directory (AD) computers and users allows you to specify explicit certificate mappings. An explicit certificate…

Research & Tradecraft

ADCS ESC13 Abuse Technique

It is possible to configure an Active Directory Certificate Services (ADCS) certificate template with an issuance policy having an OID…

Research & Tradecraft

ADCS Attack Paths in BloodHound — Part 1

ADCS Attack Paths in BloodHound — Part 1 Since Will Schroeder and Lee Christensen published the Certified Pre-Owned whitepaper, the BloodHound Enterprise team…

Industry Insights

What is Tier Zero — Part 2

What is Tier Zero — Part 2 Round 2! This is Part 2 of our webinar and blog post series Defining the Undefined:…