How to mitigate DnsAdmins privilege escalation?

    Hello,

    Glad to see you in this second part of this post. In our previous article we showed which rights were involved in the DnsAdmins privilege escalation. Now let’s talk about how to properly mitigate this.

    Read more ...

    Why DnsAdmins privilege escalation is still working?

    Hello,

    In this article, the first part of a series, I’m talking about DnsAdmins and why this is a group you should take care of. I know that several articles talk about the privilege escalation (DNS service running on a domain controller and loading an arbitrary DLL).

    We will quickly review this attack, but mainly I would rather focus on why it is still working nowadays and which permissions you need to run this attack. I will conclude in a second part with the mitigations which can be implemented to prevent this attack.

    Read more ...

    Kerberos constrained delegation with protocol transition

    Hello,

    Today, we are talking about the exploitation of the Kerberos protocol extensions S4U2Self and S4U2Proxy in order to impersonate a privileged user of the domain.

    This post focuses on Kerberos constrained delegation with protocol transition, which we will shorten to T2A4D (TrustedToAuthForDelegation): how to enumerate it, how to exploit it and how to use it as a method of persistence.

    Read more ...

    More BloodHound Cypher queries

    Hello,

    In this blog post I will share the Cypher queries which I’m using in my daily engagements. I aim to be complementary to the cheatsheets you can find out there and to the default queries you will find in BloodHound.

    Read more ...