Reading time: ~16 min. Posted by aurelien.chalot@orangecyberdefense.com on 03 July 2024.
While doing an internal assessment, I was able to compromise multiple computers and servers but wasn’t able to dump the...
Reading time: ~9 min. Posted by aurelien.chalot@orangecyberdefense.com on 18 April 2024.
If you have been doing internal assessments on Active Directory infrastructure you may have heard the following words: “Null session”,...
Reading time: ~54 min. Posted by aurelien.chalot@orangecyberdefense.com on 31 January 2024.
Categories: Callbacks, Driver, Edr, Hooking, Kernel, Rootkit, Shellcodes, Ssdt, Winapi, Windows, Rootkits, Shellcode
TL;DR I wanted to better understand EDRs so I built a dummy EDR and talk about it here. EDR (Endpoint...
Reading time: ~21 min. Posted by jeanpascal.thomas@orangecyberdefense.com on 28 July 2023.
For our annual internal hacker conference dubbed SenseCon in 2023, I decided to take a look at communication between a...
Reading time: ~10 min. Posted by aurelien.chalot@orangecyberdefense.com on 31 March 2023.
On the 31st of October 2022, a PR on CrackMapExec from Thomas Seigneuret (@Zblurx) was merged. This PR fixed Kerberos...
Reading time: ~14 min. Posted by Hocine Mahtout on 04 November 2022.
The goal of this blog post is to present a privilege escalation I found while working on ADCS. We will...
Reading time: ~34 min. Posted by aurelien.chalot@orangecyberdefense.com on 27 October 2022.
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows...
Reading time: ~9 min. Posted by Michael Kruger on 30 September 2022.
I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such...
Reading time: ~18 min. Posted by Michael Higgo on 16 November 2021.
With the release of Windows 11, Microsoft announced the Windows Subsystem for Android or WSA. This following their previous release,...
Reading time: ~28 min. Posted by aurelien.chalot@orangecyberdefense.com on 03 August 2021.
Using the Windows Remote Procedure Call (RPC) interface is an interesting concept when considering the fact that it allows you...
Reading time: ~18 min. Posted by Philippe Vogler on 23 April 2020.
I’ve been spending some time building new content for our Introduction to Red Teaming course, which has been great for...
Reading time: ~10 min. Posted by Hector Cuesta on 26 March 2020.
Introduction Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they...
Reading time: ~16 min. Posted by Hector Cuesta on 02 May 2019.
Categories: Cve, Cve-2019-0547, Cve-2019-0726, Dhcp, Exploit, Kb4480966, Patch diffing, Research, Diffing, Protocol, Windows
This post will cover my journey into the analysis of CVE-2019-0547 (affecting the Windows DHCP client), a vulnerability discovered by...
Reading time: ~21 min. Posted by Leon Jacobs on 23 April 2019.
tl;dr I have been actively using Frida for little over a year now, but primarily on mobile devices while building...
Reading time: ~21 min. Posted by saif on 29 July 2017.
Exploiting MS17-017 EoP Using Color Palettes. This post is an accompaniment to the Defcon 25 talk given by Saif. One...
Reading time: ~6 min. Posted by symeon on 18 November 2016.
“This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now...