Dirk-jan
@dirkjanm.io
Hacker at outsidersecurity.nl. Researches Entra ID, AD and occasionally Windows security. I write open source security tools and do blogs/talks to educate others on these topics. Blog: dirkjanm.io
dirkjanm.io
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
dirkjanm.io
📢 New date for my "Offensive Entra ID security" course: December 8-11th 2025. This will be the last event this year. The previous events sold out quite fast so don't wait too long if you want to attend! 😀 events.outsidersecurity.nl/entra-25-12/
Training: Offensive Entra ID (Azure AD) and Hybrid AD security
Dec. 8th – 11th, 2025
events.outsidersecurity.nl
dirkjanm.io
If you didn't find my Black Hat / DEF CON slides yet, they are available on dirkjanm.io/talks. Also includes the demo videos where I use actor tokens from on-prem to access SharePoint Online and get Global Admin.
Presentations and external blogs
Dirk-jan’s personal blog, mostly containing research on topics I find interesting, such as (Azure) Active Directory internals, protocols and vulnerabilities.
dirkjanm.io
dirkjanm.io
The ADSyncCertDump tool is now part of the adconnectdump tools and can be used to extract SP credentials from Entra ID Connect hosts. I will cover that during my BH/DC talks today and Friday! Tool is heavily based on Shwmae by @ethicalchaos.bsky.social
Link: github.com/dirkjanm/adc...
dirkjanm.io
For those like me who prefer to stay in the terminal and want to call REST APIs like the Microsoft Graph without complicated commands or copy/pasting tokens: roadtx now has a graphrequest command to perform simple requests against these APIs and parse the JSON.
Reposted by Dirk-jan
modzero.bsky.social
Teammate Leonid discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of orgs that use Synology's "Active Backup for Microsoft 365" (ABM), including sensitive data like Teams channel messages. 🤓
#synology #disclosure #modzero
modzero.com/en/blog/when...
When Backups Open Backdoors: Accessing Sensitive Cloud Data via
modzero.com
dirkjanm.io
Got word from MSRC that the product team reevaluated their initial duplicate/not-a-vuln decision and will actually be fixing this validation flaw in EAM 😂
dirkjanm.io
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
Presentations and external blogs
Dirk-jan’s personal blog, mostly containing research on topics I find interesting, such as (Azure) Active Directory internals, protocols and vulnerabilities.
dirkjanm.io
Reposted by Dirk-jan
fabian.bader.cloud
One of the results of the joint research with @dirkjanm.io is entrascopes.com

Basically the yellow pages for Microsoft first party apps.

#TROOPERS25
dirkjanm.io
Thanks to everyone who attended the talk at either x33fcon or OffensiveX. Both were amazing conferences and it was super fun to meet old and new people!
Reposted by Dirk-jan
fabian.bader.cloud
Rerunning my test scenarios for the #TROOPERS25 presentation...
dirkjanm.io
That's awesome, see you there!
dirkjanm.io
Received the news today that my talk "Advanced Active Directory to Entra ID lateral movement techniques" was also accepted for @defcon.bsky.social 🎉 hope to see everyone there!
dirkjanm.io
Since we now can use Entra ID Connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with a TPM (second picture) we can use the key to create an auth assertion for roadtx to request tokens.
dirkjanm.io
That's awesome, congrats!
dirkjanm.io
I'll be returning to #BHUSA @blackhatevents.bsky.social this summer for a brand new talk about moving laterally from AD to Entra ID. I don't think I've ever been this excited about a talk, with lots of cool stuff to share 🎢 😄.
Advanced Active Directory to Entra ID Lateral Movement Techniques
Dirk-jan Mollema  |  Security Researcher, Outsider Security
Format: 40-Minute Briefings
Tracks: Cloud Security, Enterprise Security

Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much "the cloud" trusts data from on-premises. The reason for this is that many threat actors, including APTs, have been making use of known lateral movement techniques to compromise the cloud.

In this talk, we will take a deep dive together into Entra ID and hybrid trust internals. We will introduce several new lateral movement techniques that allow us to bypass authentication, MFA and stealthily exfiltrate data using on-premises AD as a starting point, even in environments where the classical techniques didn't work. All these techniques are new, not really vulnerabilities, but part of the design. Several of them have been remediated with recent hardening efforts by Microsoft. Very few of them leave useful logs behind when abused. As you would expect, none of these "features" are documented.

Join me for a wild ride into Entra ID internals, undocumented authentication flows and tenant compromise from on-premises AD.
dirkjanm.io
Congratulations! New chapter unlocked 😀
Reposted by Dirk-jan
drazuread.com
Just pushed new versions for #AADInternals and AADInternals-Endpoint modules! Some bug fixes plus support for:
1️⃣ Microsoft Authentication Library (MSAL)
2️⃣ Token Protection
3️⃣ Continuous Access Evaluation (CAE)
dirkjanm.io
Just found something super useful for my research... in my own notes from 2023 😅. How I found it back then and why I didn't do anything with it remains a complete mystery.
dirkjanm.io
There's still snow? 😮
dirkjanm.io
Two new Entra ID training opportunities in the next few months! I will give another 4-day edition of my public training July 7-10 in The Hague, NL.

I will also return to RomHack (Rome, IT) this year for a training Sept 23-27 😀

Info and ticket links: outsidersecurity.nl/training/
Outsider Security - Training
Outsider Security - Training in Entra ID (Azure AD) and Active Directory security.
outsidersecurity.nl