Our Blog

Diving Into AD CS: Exploring Some Common Error Messages

Reading time: ~26 min
Posted by Jacques Coertze on 07 March 2025
Categories: Active directory, Adcs, Certificates, Internals, Windows, Certificate
Abuse of Active Directory Certificate Services (AD CS) has become a staple of our internal network assessment methodology. In fact,...

Abusing Windows’ tokens to compromise Active Directory without touching LSASS

Reading time: ~34 min
Posted by aurelien.chalot@orangecyberdefense.com on 27 October 2022
Categories: Authentication, Internals, Redteam, Token, Windows
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows...

Constrained Delegation Considerations for Lateral Movement

Reading time: ~18 min
Posted by Sergio Lazaro on 18 May 2022
Categories: Active directory, Internals, Kerberos
The abuse of constrained delegation configuration, whereby a compromised domain user or computer account configured with constrained delegation can be...

Building an offensive RPC interface

Reading time: ~28 min
Posted by aurelien.chalot@orangecyberdefense.com on 03 August 2021
Categories: Internals, Rpc, Windows
Using the Windows Remote Procedure Call (RPC) interface is an interesting concept when conssidering the fact that it allows you...

Chaining multiple techniques and tools for domain takeover using RBCD

Reading time: ~27 min
Posted by Sergio Lazaro on 09 March 2020
Categories: Active directory, Internals, Bloodhound, Dacls, Mimikatz, Powerview, Rubeus
Intro In this blog post I want to show a simulation of a real-world Resource Based Constrained Delegation attack scenario...

Being Stubborn Pays Off pt. 1 – CVE-2018-19204

Reading time: ~13 min
Posted by Javier Jimenez on 18 April 2019
Categories: Cve, Exploit development, Internals, Webapps, 0day, Cve-2018-19204, Exploit, Prtg network monitor, Web application
Intro During an internal assessment, I came across monitoring software that had default credentials configured. This monitoring software allowed for...

USaBUSe Linux updates

Reading time: ~6 min
Posted by Rogan Dawes on 10 March 2017
Categories: Abuse, Backdoor, Build-it, Conferences, Empire, Exploit, Hardware, Internals, Linux, Metasploit, Programming, Real-world, Research, Shells, Tunnelling
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting...

AutoDane at BSides Cape Town

Reading time: ~6 min
Posted by Dane Goodwin on 07 December 2015
Categories: Active directory, B-sides, Conferences, Internals, Post-exploitation, Tools, Zacon
Given the prevalence of Microsoft Active Directory domains as the primary means of managing large corporate networks both globally and...

Something about sudo, Kingcope and re-inventing the wheel

Reading time: ~5 min
Posted by george on 27 May 2013
Categories: Backdoor, Fun, Howto, Infrastructure, Internals, Linux, Local, Post-exploitation, Shells, Silly-yammerings, Tricks
Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was...