Our Blog

Diving Into AD CS: Exploring Some Common Error Messages

Reading time: ~26 min
Posted by Jacques Coertze on 07 March 2025
Categories: Active directory, Adcs, Certificates, Internals, Windows, Certificate
Abuse of Active Directory Certificate Services (AD CS) has become a staple of our internal network assessment methodology. In fact,...

Dumping LSA secrets: a story about task decorrelation

Reading time: ~16 min
Posted by aurelien.chalot@orangecyberdefense.com on 03 July 2024
Categories: Edr, Lsa, Registry, Windows
While doing an internal assessment, I was able to compromise multiple computers and servers but wasn’t able to dump the...

Guest vs Null session on Windows

Reading time: ~9 min
Posted by aurelien.chalot@orangecyberdefense.com on 18 April 2024
Categories: Active directory, Guest, Null sessions, Windows
If you have been doing internal assessments on Active Directory infrastructure you may have heard the following words: “Null session”,...

Sensecon 23: from Windows drivers to an almost fully working EDR

Reading time: ~54 min
Posted by aurelien.chalot@orangecyberdefense.com on 31 January 2024
Categories: Callbacks, Driver, Edr, Hooking, Kernel, Rootkit, Shellcodes, Ssdt, Winapi, Windows, Rootkits, Shellcode
TL;DR I wanted to better understand EDR’s so I built a dummy EDR and talk about it here. EDR (Endpoint...

Filter-Mute Operation: Investigating EDR Internal Communication

Reading time: ~21 min
Posted by jeanpascal.thomas@orangecyberdefense.com on 28 July 2023
Categories: Edr, Kernel, Reversing, Windows, Av bypass, Reverse engineering
For our annual internal hacker conference dubbed SenseCon in 2023, I decided to take a look at communication between a...

Protected Users: you thought you were safe uh?

Reading time: ~10 min
Posted by aurelien.chalot@orangecyberdefense.com on 31 March 2023
Categories: Kerberos, Ntlm, Windows, Delegation, Protected users
On the 31st of October 2022, a PR on CrackMapExec from Thomas Seigneuret (@Zblurx) was merged. This PR fixed Kerberos...

CertPotato – Using ADCS to privesc from virtual and network service accounts to local system

Reading time: ~14 min
Posted by Hocine Mahtout on 04 November 2022
Categories: Adcs, Kerberos, Rubeus, Windows, Certipy
The goal of this blog post is to present a privilege escalation I found while working on ADCS. We will...

Abusing Windows’ tokens to compromise Active Directory without touching LSASS

Reading time: ~34 min
Posted by aurelien.chalot@orangecyberdefense.com on 27 October 2022
Categories: Authentication, Internals, Redteam, Token, Windows
During an internal assessment, I performed an NTLM relay and ended up owning the NT AUTHORITY\SYSTEM account of the Windows...

WireSocks for Easy Proxied Routing

Reading time: ~9 min
Posted by Michael Kruger on 30 September 2022
Categories: Networking, Offence, Vpn, Windows
I built some infrastructure that you could deploy and use to easily tunnel from arbitrary sources over a proxy such...

Android Application Testing Using Windows 11 and Windows Subsystem for Android

Reading time: ~18 min
Posted by Michael Higgo on 16 November 2021
Categories: Android, Windows, Mobile, Objection, Windows 11, Windows subsystem for android, Wsa, Wsl
With the release of windows 11, Microsoft announced the Windows Subsystem for Android or WSA. This following their previous release,...

Building an offensive RPC interface

Reading time: ~28 min
Posted by aurelien.chalot@orangecyberdefense.com on 03 August 2021
Categories: Internals, Rpc, Windows
Using the Windows Remote Procedure Call (RPC) interface is an interesting concept when conssidering the fact that it allows you...

Masquerading Windows processes like a DoubleAgent.

Reading time: ~18 min
Posted by Philippe Vogler on 23 April 2020
Categories: Anti-virus, Malware, Persistence, Post-exploitation, Sysmon, Windows
I’ve been spending some time building new content for our Introduction to Red Teaming course, which has been great for...

Attacking smart cards in active directory

Reading time: ~10 min
Posted by Hector Cuesta on 26 March 2020
Categories: Abuse, Active directory, Research, Smartcards, Windows, Windows events, Forgery, Impersonation, Smartcard
Introduction Recently, I encountered a fully password-less environment. Every employee in this company had their own smart card that they...

Analysis of a 1day (CVE-2019-0547) and discovery of a forgotten condition in the patch (CVE-2019-0726) – Part 1 of 2

Reading time: ~16 min
Posted by Hector Cuesta on 02 May 2019
Categories: Cve, Cve-2019-0547, Cve-2019-0726, Dhcp, Exploit, Kb4480966, Patch diffing, Research, Diffing, Protocol, Windows
This post will cover my journey into the analysis of CVE-2019-0547 (Affecting the windows DHCP client), a vulnerability discovered by...

recreating known universal windows password backdoors with Frida

Reading time: ~21 min
Posted by Leon Jacobs on 23 April 2019
Categories: Backdoor, Frida, Lsass, Windows, Password
tl;dr I have been actively using Frida for little over a year now, but primarily on mobile devices while building...

Abusing GDI Objects for ring0 Primitives Revolution

Reading time: ~21 min
Posted by saif on 29 July 2017
Categories: Analysis, Defcon, Exploit, How-to, Materials, Reversing, Windows
Exploiting MS17-017 EoP Using Color Palettes This post is an accompaniment to the Defcon 25 talk given by Saif. One...

Intercepting passwords with Empire and winning!

Reading time: ~6 min
Posted by symeon on 18 November 2016
Categories: Empire, Windows, Dll injection, Hooking
This is my password,” said the King as he drew his sword. “The light is dawning, the lie broken. Now...