Web browsers are inherently trusted by users. They are trained to trust websites which “have a padlock in the address bar” and that “have the correct name”, This trust leads...

BitLocker is a modern data protection feature that is deeply integrated in the Windows kernel. It is used by many corporations as a means of protecting company secrets in case of theft. Microsoft recommends that you have a Trusted Platform Module which can…

This is the first post in a series on cross-forest Active Directory trusts. It will explain what exactly Forest trusts are and how they are protected with SID filtering. If you’re new to Active Directory trusts, I recommend you start by reading harmj0y’s…

Overview In the ActiveBreach red team, we’re always looking for innovative approaches for lateral movement and privilege escalation. For many of the environments we operate in, focusing on the classic...

Introduction Active Directory (AD) Trusts have been a hot topic as of late.  @harmj0y posted a recent entry about domain trusts [A Guide to Attacking Domain Trusts].  It provides a great understand…

Understanding how Kerberos works, but also WHY it works the way it does

SeImpersonate is a powerful privilege that allows the ability to impersonate any token it can acquire a handle on. This is an already well researched privilege as there are a whole slew of privilege escalations that utilize this privilege and amazing articles…

When it comes to protecting against credentials theft on Windows, enabling LSA Protection (a.k.a. RunAsPPL) on LSASS may be considered as the very first recommendation to implement. But do you really know what a PPL is? In this post, I want to cover some…

Dump the memory of a PPL with a userland exploit. Contribute to itm4n/PPLdump development by creating an account on GitHub.

Abusing AD FS Replication. We demonstrate how a threat actor can extract the encrypted Token Signing Certificate from anywhere on an internal network.