Our Blog

Diving Into AD CS: Exploring Some Common Error Messages

Reading time: ~26 min
Abuse of Active Directory Certificate Services (AD CS) has become a staple of our internal network assessment methodology. In fact,...

InvokeADCheck – A PowerShell Module for Assessing Active Directory

Reading time: ~5 min
Introduction: During an Active Directory (AD) assessment, I found myself struggling with a collection of individual PowerShell scripts and their...

Guest vs Null session on Windows

Reading time: ~9 min
If you have been doing internal assessments on Active Directory infrastructure you may have heard the following words: “Null session”,...

Constrained Delegation Considerations for Lateral Movement

Reading time: ~18 min
The abuse of constrained delegation configuration, whereby a compromised domain user or computer account configured with constrained delegation can be...

DirectAccess and Kerberos Resource-based Constrained Delegation

Reading time: ~8 min
Background: Are you tired of working from home due to COVID? While this is quite a unique situation we find...

ACE to RCE

Reading time: ~20 min
tl;dr: In this writeup I am going to describe how to abuse a GenericWrite ACE misconfiguration in Active Directory to...

Attacking smart cards in active directory

Reading time: ~10 min
Introduction: Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they...

Chaining multiple techniques and tools for domain takeover using RBCD

Reading time: ~27 min
Intro: In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario...

A new look at null sessions and user enumeration

Reading time: ~23 min
Hello, TLDR; I think I found three new ways to do user enumeration on Windows domain controllers, and I wrote...

AutoDane at BSides Cape Town

Reading time: ~6 min
Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks both globally and...