Lukas Klein
rantasec.bsky.social
Reposted by Lukas Klein
Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
ghst.ly
July 30, 2025 at 5:01 PM
Reposted by Lukas Klein
One of the results of the joint research with @dirkjanm.io is entrascopes.com

Basically the yellow pages for Microsoft first party apps.

#TROOPERS25
June 26, 2025 at 9:48 AM
Reposted by Lukas Klein
In the year since Misconfiguration Manager's release, the security community has been actively researching new tradecraft & identifying new attack paths.

@subat0mik.bsky.social & @unsignedsh0rt.bsky.social dive into the research & its impact on the state of SCCM security. Read more: ghst.ly/460vI9d
Misconfiguration Manager: Still Overlooked, Still Overprivileged - SpecterOps
It has been one year since Misconfiguration Manager's release and SCCM misconfigurations remain widespread, leading to dangerous attack paths across enterprises. Here we summarize the impact and commu...
ghst.ly
June 26, 2025 at 3:52 PM
Reposted by Lukas Klein
I published two blog posts today! 📝🐫

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read 🥳
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...
specterops.io
June 25, 2025 at 10:14 AM
Reposted by Lukas Klein
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
Presentations and external blogs
Dirk-jan’s personal blog, mostly containing research on topics I find interesting, such as (Azure) Active Directory internals, protocols and vulnerabilities.
dirkjanm.io
June 24, 2025 at 7:12 AM
Reposted by Lukas Klein
Easily find and share BloodHound Cyphers on queries.specterops.io
Released with ~90 new Cypher queries, go check them out!

@joeydreijer.bsky.social and I spent many hours creating it and we hope you find it useful. All feedback is appreciated :)
June 17, 2025 at 7:57 PM
Reposted by Lukas Klein
My second post for the month is now live 🎉
Get the scoop on the incoming Administrator Protection for Windows 11.

@xpnsec.com covers the architecture, access controls, and why some legacy UAC bypass techniques remain effective in his latest blog post. ghst.ly/44mw5JM
Administrator Protection Review - SpecterOps
Microsoft will be introducing Administrator Protection into Windows 11. This post explores security considerations for red teamers.
ghst.ly
June 18, 2025 at 6:54 PM
Reposted by Lukas Klein
Since we now can use Entra ID connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with TPM (second picture) we can use the key to create an auth assertion for roadtx to req tokens.
May 30, 2025 at 9:37 AM
Reposted by Lukas Klein
Here's (finally!) what I've found about this 😉
bsky.app/profile/cnot...
Microsoft hardened the Entra ID synchronization feature last year:
- restricted permissions on Directory Synchronization Accounts role
- new dedicated sync app
Let’s find out how sync still works 🔍
Some old tricks persist—and new ones have emerged 💥
tenable.com/blog/despite... 🧵
Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse
Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchroniza...
tenable.com
April 24, 2025 at 1:46 PM
Reposted by Lukas Klein
My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research
Research by: hasherezade Key Points Introduction Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...
research.checkpoint.com
April 14, 2025 at 6:17 PM
Reposted by Lukas Klein
"The heart of every incident - incident coordination" is a blog post, yes, a good old blog post, that covers an aspect I truly share: the importance of a key element. Highly recommended:

dfir-delight.de/p/incident-c...

@moettle.bsky.social
The Heart of every Incident: Incident Coordination
Without effective coordination, major incidents cannot be resolved efficiently. This article explains why incident coordination is critical and outlines its key responsibilities.
dfir-delight.de
April 9, 2025 at 4:40 PM
Reposted by Lukas Klein
ICYMI: We recently introduced NTLM relay edges into BloodHound.

Elad Shamir unpacks everything you need to know about NTLM & how the new edges help make identifying and visualizing these attack paths remarkably simple. ghst.ly/4lv3E31
April 10, 2025 at 4:27 PM
Reposted by Lukas Klein
Threat hunters rejoice! This is HUUUGE news 👏

Microsoft just introduced linkable identifiers in Microsoft Entra ID logs.

The bad guys 🥷 are going to hate this so much 😂

Learn more at learn.microsoft.com/...

Share the good news 👍
April 1, 2025 at 3:55 AM
Reposted by Lukas Klein
🛡️ We found a bug in restricted AUs that let accounts stay restricted (forever!) without an AU, preventing containment. Glad this is fixed now! More details here: securitylabs.datadoghq.com/articles/cre...
Creating immutable users through a bug in Entra ID restricted administrative units | Datadog Security Labs
Imagine trying to disable a malicious user in your Azure environment, only to find it can't be modified! We recently identified a timing-based bug in Entra ID's restricted administrative units (AUs) t...
securitylabs.datadoghq.com
March 25, 2025 at 6:09 PM
Reposted by Lukas Klein
KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/K...
GitHub - decoder-it/KrbRelayEx-RPC
github.com
March 14, 2025 at 10:18 AM
Reposted by Lukas Klein
In our new #blog, Senior Research Analyst @codewhisperer84.bsky.social unveils his new tool DIT Explorer which he created after researching NTDS.dit files on Active Directory. Read part one of this series now to find out what this tool can do! trustedsec.com/blog/explori...
Exploring NTDS.dit – Part 1: Cracking the Surface with DIT Explorer
trustedsec.com
February 20, 2025 at 6:54 PM
Reposted by Lukas Klein
It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell.bsky.social for the heads up.
February 20, 2025 at 11:08 AM
Reposted by Lukas Klein
Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀
February 18, 2025 at 1:12 PM
Reposted by Lukas Klein
Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts.

cloud.google.com/blog/topics/...
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud Blog
Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.
cloud.google.com
February 19, 2025 at 11:05 AM
Reposted by Lukas Klein
Our team just dropped BloodHound v7.0! 😎

Check out our latest blog post from Dev Bhatt to learn about the enhancements in this update, aimed at helping security teams visualize #AttackPaths, prioritize risks, & track remediation. ghst.ly/3CPDQwT

🧵: 1/4
February 11, 2025 at 6:20 PM
Reposted by Lukas Klein
I came across GraphPreConsentExplorer which lets you extract a list of first party apps and their pre-consented permissions

👇

www.reddit.com/r/ent...
February 10, 2025 at 6:28 AM
Reposted by Lukas Klein
ROADtools update: I just released roadlib v1.0! This version drops the adal dependency, all auth flows are now implemented natively 🎉 This was mostly a personal goal, but it helps with adding new features, such as forcing MFA during device code auth independent of CA policies 😀
February 7, 2025 at 2:50 PM
Reposted by Lukas Klein
✳️ Quick heads up.

Microsoft just dropped a bunch of new least privilege Graph permissions.

Avoid granting super privileges like Directory.ReadWrite.All and User.ReadWrite.All to apps. Instead use these new least privilege permissions where possible.
February 5, 2025 at 10:41 AM