Tag: Active Directory

  • Living Off The Registry: Master AD CS Enumeration with the Native LOLBAS Toolkit

    AD CS LOLBAS Toolkit

    Native Windows toolkit for AD CS enumeration and exploitation. Everything runs through built-in OS components (certreq.exe, certutil.exe, PowerShell AD module, .NET Framework); no third-party tools are needed other than RSAT. Built with a sprinkle of FAFO and some finding out in a lab environment.

    Scripts

    Enumeration

    Invoke-Enumerate.ps1 – Scans for ESC1 through ESC13 conditions across templates, CA config, HTTP endpoints, and certificate binding enforcement. Outputs ready-to-run exploitation commands with discovered template names.

    Invoke-SnapshotAudit.ps1 – Offline AD CS audit against ADExplorer .dat snapshots. Parses the binary snapshot format directly (no external dependencies, no domain connectivity). Checks for ESC1, ESC2, ESC3, ESC4, ESC9, and ESC13. Enumerates high-value target groups (Domain Admins, Enterprise Admins, etc.) and generates ready-to-run Invoke-ESC* commands.

      # Full audit
      .\Invoke-SnapshotAudit.ps1 -SnapshotPath .\snapshot.dat

      # Vulnerable templates only
      .\Invoke-SnapshotAudit.ps1 -SnapshotPath .\snapshot.dat -VulnerableOnly

      # Interactive mode - pick a target from discovered Domain Admins
      .\Invoke-SnapshotAudit.ps1 -SnapshotPath .\snapshot.dat -List

      # Specify target user for commands
      .\Invoke-SnapshotAudit.ps1 -SnapshotPath .\snapshot.dat -Target administrator

      # Export to files
      .\Invoke-SnapshotAudit.ps1 -SnapshotPath .\snapshot.dat -OutputFile report.txt -CsvFile results.csv
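    As an added illustration, not code from the toolkit itself, the following Python models the template-side checks an ESC1/ESC2/ESC3 scan has to make, on constructed attribute values rather than a live LDAP query. The flag bits and EKU OIDs are the real MS-CRTD values; the Invoke-ESC1.ps1 script name and the -CAConfig/-TemplateName/-TargetUPN parameters follow the naming used on this page; template ACLs are simplified to a set of principals holding Enroll, which is an assumption of the example.

```python
"""ESC1/ESC2/ESC3 template triage over constructed LDAP attribute values (added example)."""
from dataclasses import dataclass, field

# Flag bits from MS-CRTD
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester picks the SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag: CA manager approval required

# EKU OIDs that make a certificate usable for Kerberos (PKINIT) or Schannel logon
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_PKINIT_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_ANY_PURPOSE}

# Principals whose Enroll right makes a template reachable by any domain user or host
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int = 0                                   # msPKI-Certificate-Name-Flag
    enrollment_flag: int = 0                             # msPKI-Enrollment-Flag
    ra_signatures: int = 0                               # msPKI-RA-Signature
    ekus: list = field(default_factory=list)             # pKIExtendedKeyUsage
    enroll_principals: set = field(default_factory=set)  # simplified ACL: who holds Enroll


def allows_authentication(ekus):
    # An empty EKU list means "valid for all purposes", which includes client authentication
    return not ekus or bool(AUTH_EKUS & set(ekus))


def classify(t: Template) -> set:
    """ESC conditions the template satisfies by itself; CA-level checks (ESC6 etc.) are separate."""
    findings = set()
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS or t.ra_signatures > 0:
        return findings                       # approval or a required signature blocks self-service abuse
    if not (t.enroll_principals & LOW_PRIV_PRINCIPALS):
        return findings                       # only privileged principals can enroll anyway
    if t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and allows_authentication(t.ekus):
        findings.add("ESC1")                  # caller-supplied UPN in the SAN + logon-capable EKU
    if not t.ekus or OID_ANY_PURPOSE in t.ekus:
        findings.add("ESC2")                  # any-purpose cert: usable as an enrollment agent too
    if OID_CERT_REQUEST_AGENT in t.ekus:
        findings.add("ESC3")                  # enrollment-agent cert; a second template is still needed
    return findings


def exploit_command(finding: str, t: Template, ca_config: str, target_upn: str) -> str:
    # Parameter names follow the -CAConfig/-TemplateName/-TargetUPN convention of the toolkit
    return (f'.\\Invoke-{finding}.ps1 -CAConfig "{ca_config}" '
            f'-TemplateName "{t.name}" -TargetUPN "{target_upn}"')


# Constructed templates standing in for what an LDAP query of CN=Certificate Templates returns
TEMPLATES = [
    Template("VPNUser", name_flag=0x1, ekus=[OID_CLIENT_AUTH],
             enroll_principals={"Domain Users"}),                          # classic ESC1
    Template("User", name_flag=0xA6000000, ekus=[OID_CLIENT_AUTH],
             enroll_principals={"Domain Users"}),                          # subject built from AD: safe
    Template("LegacyAnyPurpose", ekus=[OID_ANY_PURPOSE],
             enroll_principals={"Authenticated Users"}),                   # ESC2
    Template("HelpdeskAgent", ekus=[OID_CERT_REQUEST_AGENT],
             enroll_principals={"Domain Users"}),                          # ESC3
    Template("ApprovedSAN", name_flag=0x1, enrollment_flag=0x2,
             ekus=[OID_CLIENT_AUTH], enroll_principals={"Domain Users"}),  # approval: not ESC1
    Template("AdminOnlySAN", name_flag=0x1, ekus=[OID_CLIENT_AUTH],
             enroll_principals={"Domain Admins"}),                         # no low-priv enroll right
]


def audit(templates, ca_config, target_upn):
    """Map template name -> list of ready-to-run commands, one per finding."""
    report = {}
    for t in templates:
        for finding in sorted(classify(t)):
            report.setdefault(t.name, []).append(exploit_command(finding, t, ca_config, target_upn))
    return report


if __name__ == "__main__":
    for name, cmds in audit(TEMPLATES, "polaris.zsec.red\\corp-DC01-CA", "administrator@zsec.red").items():
        print(name)
        for c in cmds:
            print("   ", c)
```

    The two early returns are the part worth internalising: a template that lets the requester choose the SAN is only ESC1 when no approval or authorized signature stands in the way and a low-privileged principal actually holds Enroll, which is why a scanner has to read the security descriptor and not just the flag bits.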

    ESC Exploitation

    Each ESC script follows the same pattern: reconnaissance, certificate request, verification, then pass-the-cert authentication. Common parameters across most scripts:

    Parameter      Description
    -CAConfig      CA config string, e.g. "polaris.zsec.red\corp-DC01-CA"
    -TemplateName  Vulnerable template name
    -TargetUPN     UPN to impersonate, e.g. "administrator@zsec.red"
    -PFXPassword   PFX export password (auto-generated if omitted)
    -OutputDir     Artifact output directory (default: $env:TEMP\adcs-ops)
    -AuthMethod    Schannel, PKINIT, or Both (default)
    -DCTarget      DC FQDN (auto-detected if omitted)
    -SkipAuth      Skip the authentication stage, just get the cert

    Post-Exploitation

    Invoke-PassTheCert.ps1 – Authenticates to LDAP using a PFX certificate and performs post-exploitation operations. Includes an interactive LDAP shell with 70+ commands.

      # Verify identity
      .\Invoke-PassTheCert.ps1 -PFXFile cert.pfx -PFXPassword "pass" -Action Whoami

      # Interactive LDAP shell
      .\Invoke-PassTheCert.ps1 -PFXFile cert.pfx -PFXPassword "pass" -Action LdapShell

      # Direct actions
      .\Invoke-PassTheCert.ps1 -PFXFile cert.pfx -PFXPassword "pass" -Action AddGroupMember -TargetDN "CN=Domain Admins,CN=Users,DC=zsec,DC=red" -PrincipalDN "CN=jsmith,CN=Users,DC=zsec,DC=red"
      .\Invoke-PassTheCert.ps1 -PFXFile cert.pfx -PFXPassword "pass" -Action SetRBCD -TargetDN "CN=SERVER$,CN=Computers,DC=zsec,DC=red" -PrincipalDN "CN=ATTACKER$,CN=Computers,DC=zsec,DC=red"
      .\Invoke-PassTheCert.ps1 -PFXFile cert.pfx -PFXPassword "pass" -Action ResetPassword -TargetDN "CN=victim,CN=Users,DC=zsec,DC=red"
      .\Invoke-PassTheCert.ps1 -PFXFile cert.pfx -PFXPassword "pass" -Action ReadGMSA -TargetDN "svc_account$"
      .\Invoke-PassTheCert.ps1 -PFXFile cert.pfx -PFXPassword "pass" -Action ShadowCred -TargetDN "DC01$"

    LdapShell commands include: user, group, computer, admins, das, eas, spns, asrep, unconstrained, constrained, delegations, rbcd, gmsa, laps, trusts, gpos, ous, templates, cas, enrollcheck, kerberoast, acl, servicemap, dnsrecords, and action commands like adduser, addda, addcomputer, passwd, addmember, shadowcred, setrbcd, setdcsync, writedacl, dnsadd, and more. Type help in the shell for the full list.

    Invoke-ShadowCredentials.ps1 – Standalone shadow credentials attack using the current user’s domain context (no certificate needed). Adds, lists, or removes msDS-KeyCredentialLink values.

    OPSEC Notes

    Several scripts support options to reduce detection footprint:

    • -Delay / -Jitter on DomainRecon adds random sleep between operations to avoid rate-based detection (MDI, etc.)
    • delay command in LdapShell does the same for interactive queries
    • -SkipHTTP on Enumerate avoids network connections to CA web endpoints
    • cleanup in LdapShell removes temp artifacts from %TEMP% (PFX files, hashes, reports)
    • ESC7 check in Enumerate now uses LDAP instead of certutil -getreg where possible. ESC6 and ESC11 still require certutil (registry values with no LDAP equivalent)
    • Shadow credential commands always print cleanup reminders with the exact removal command

    Artifacts are written to %TEMP%\adcs-ops\ by default. Clean up after yourself.

    Download

  • Zero-Exfil Hijacking: How VMkatz Rips Windows Credentials Directly from VM Snapshots

    VMkatz

    Extract Windows credentials directly from VM memory snapshots and virtual disks

    You are three weeks into a red team engagement. Your traffic crawls through a VPN, then bounces across four SOCKS proxies chained through compromised jump boxes before it touches the target network. Every packet takes the scenic route.

    After days of lateral movement you land on a NAS attached to the virtualization cluster and the directory listing hits different: rows upon rows of .vmdk, .vmsn, .sav. Hundreds of gigabytes of virtual machines – domain controllers, admin workstations, the crown jewels – sitting right there.

    But your link wheezes at 200 KB/s. Pulling a single 100 GB disk image would take six days, and every hour of sustained exfil is another chance the SOC spots the anomaly, burns your tunnel, and the whole chain collapses.

    VMkatz exists because you shouldn’t have to exfiltrate what you can read in place. It extracts Windows secrets – NTLM hashes, DPAPI master keys, Kerberos tickets, cached domain credentials, LSA secrets, NTDS.dit, BitLocker keys – directly from VM memory snapshots and virtual disks, on the NAS, the hypervisor, wherever the VM files are.

    A single static binary, ~3 MB. Drop it on the ESXi host, the Proxmox node, or the NAS. Point it at a .vmsn, a .vmdk, or an entire VM folder. Walk away with credentials, not disk images.

    What It Extracts

    From memory snapshots (LSASS)

    All 9 SSP credential providers that mimikatz implements:

    Provider  Data                                        Notes
    MSV1_0    NT/LM hashes, SHA1                          Physical-scan fallback for paged entries
    WDigest   Plaintext passwords                         Linked-list walk + .data fallback
    Kerberos  AES/RC4/DES keys, tickets (.kirbi/.ccache)  AVL tree walk + ticket carving for freed sessions
    TsPkg     Plaintext passwords                         RDP sessions only
    DPAPI     Master key cache (GUID + decrypted key)     SHA1 masterkey for offline DPAPI decrypt
    SSP       Plaintext credentials                       SspCredentialList in msv1_0.dll
    LiveSSP   Plaintext credentials                       Requires livessp.dll (rare post-Win8)
    Credman   Stored credentials                          Hash-table + single-list enumeration
    CloudAP   Azure AD tokens                             Typically empty for local-only logon

    Plus: BitLocker FVEK extraction from memory (pool tag scan for FVEc/Cngb).

    From virtual disks (offline)

    • SAM hashes: Local account NT/LM hashes with account status (disabled, blank password)
    • LSA secrets: Service account passwords, auto-logon credentials, machine account keys
    • Cached domain credentials: DCC2 hashes (last N domain logons)
    • DPAPI master keys: Hashcat-ready hashes ($DPAPImk$ — modes 15300/15310/15900/15910)
    • NTDS.dit: Full Active Directory hash extraction from domain controller disks (native ESE parser)
    • BitLocker decryption: Transparent disk decryption using FVEK extracted from memory
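    To make the "cached domain credentials" line above concrete, here is the DCC2 derivation itself, written as an added example (not VMkatz code): NT hash, then MS Cache v1, then the PBKDF2 step that produces the $DCC2$ value a cracker works on. The MD4 routine is included because hashlib's md4 is often unavailable under OpenSSL 3; the usernames and passwords are made up, and the registry-stored iteration count is assumed to be the default 10240.

```python
"""NT hash -> DCC1 -> DCC2 derivation, the path behind a $DCC2$ line (added example)."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 depends on OpenSSL's legacy provider."""
    mask = 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = list(state)
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                t = (4 - i % 4) % 4          # register written this step: a, d, c, b
                val = (v[t] + f(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + x[idx] + k) & mask
                s = shifts[i % 4]
                v[t] = ((val << s) | (val >> (32 - s))) & mask
        state = [(a + b) & mask for a, b in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    # What MSV1_0 keeps in LSASS and what SAM/NTDS.dit store: MD4 over UTF-16LE
    return md4(password.encode("utf-16-le"))


def dcc1(password: str, username: str) -> bytes:
    # MS Cache v1 (XP/2003): MD4(NT hash || UTF-16LE(lowercase username))
    return md4(nt_hash(password) + username.lower().encode("utf-16-le"))


def dcc2(password: str, username: str, iterations: int = 10240) -> bytes:
    # MS Cache v2 (Vista+): PBKDF2-HMAC-SHA1 keyed with DCC1, salted with the lowercase username
    salt = username.lower().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha1", dcc1(password, username), salt, iterations, 16)


def hashcat_line(username: str, password: str, iterations: int = 10240) -> str:
    # hashcat mode 2100 format; the iteration count (10240 by default) is what makes DCC2 slow to crack
    return f"$DCC2${iterations}#{username.lower()}#{dcc2(password, username, iterations).hex()}"


def verify_dcc2(line: str, candidate: str) -> bool:
    """Check one password guess against a $DCC2$ line: the per-candidate work a cracker does."""
    iterations, username, digest = line[len("$DCC2$"):].split("#")
    computed = dcc2(candidate, username, int(iterations)).hex()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    print(nt_hash("password").hex())          # 8846f7eaee8fb117ad06bdd830b7586c
    print(hashcat_line("tom", "hashcat"))     # made-up user/password, just to show the format
```

    Two practical consequences fall out of the code: the username is part of the salt, so a DCC2 hash recovered without its account name is useless, and because DCC2 is derived from the NT hash rather than from the password, the value cannot be replayed the way an NT hash can; it only yields the password through cracking.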

    Supported Inputs

    Format                      Extensions              Source                       Status
    VMware snapshots            .vmsn + .vmem           Workstation, ESXi            Tested
    VMware embedded snapshots   .vmsn (no .vmem)        ESXi suspend                 Tested
    VirtualBox saved states     .sav                    VirtualBox                   Tested
    QEMU/KVM savevm states      auto-detected           Proxmox, QEMU                Tested
    QEMU/KVM ELF core dumps     .elf                    virsh dump                   Tested
    Hyper-V saved states        .vmrs                   Hyper-V 2016+                Untested
    VMware virtual disks        .vmdk (sparse + flat)   Workstation, ESXi            Tested
    VirtualBox virtual disks    .vdi                    VirtualBox                   Tested
    QEMU/KVM virtual disks      .qcow2                  QEMU, Proxmox                Tested
    Hyper-V virtual disks       .vhdx, .vhd             Hyper-V                      Tested
    VMFS-5/6 raw SCSI devices   /dev/disks/...          ESXi (bypasses file locks)   Tested
    LVM block devices           /dev/...                Proxmox LVM-thin             Tested
    Raw registry hives          SAM, SYSTEM, SECURITY   reg save                     Tested
    Raw NTDS.dit                ntds.dit + SYSTEM       Domain controller            Tested
    LSASS minidump              .dmp                    procdump, Task Manager       Tested
    VM directories              any folder              Auto-discovers all files     Tested

    Target OS: Windows Server 2003 through Windows Server 2025 / Windows 11 24H2 (x86 PAE + x64).

    Download & Use

  • Ghost in the Browser: Hijacking Authenticated Sessions via NTLM Relay with ghostsurf

    ghostsurf

    NTLM HTTP relay tool with SOCKS proxy for browser session hijacking.

    Capture NTLM auth, relay to HTTP/HTTPS targets, then browse as the victim through a SOCKS proxy. This works even when cookie replay doesn’t.

    Features

    • Browser Session Hijacking: SOCKS5 proxy lets you browse as the relayed user
    • Auto Session Selection: Single session auto-selects; multiple sessions show an HTML picker
    • Kernel-Mode Auth Workaround: Probe-first strategy for IIS/HTTP.sys targets
    • Multi-User Relay: Relay multiple captured users to the same target with -r
    • Thread-Safe: Concurrent browser connections with socket locking
    • Header Preservation: Passes User-Agent, cookies, and other headers the target app depends on

    Attack Flow

    1. Start ghostsurf:

      ./ghostsurf -t https://target.local/ -k -r

    2. Set up browser proxy (Firefox + FoxyProxy recommended):

      • Install FoxyProxy in Firefox
      • Add proxy: SOCKS5, 127.0.0.1, port 1080
      • Enable the proxy profile before browsing

      Firefox is recommended over Chrome — Chrome makes extensive background telemetry and tracking requests that get routed through the proxy, polluting your output and logs with failed requests.

      When browsing HTTPS targets, Firefox will show a certificate warning for the local SOCKS TLS connection (self-signed cert, patched for Firefox’s stricter certificate requirements). Accept it to proceed — this is expected and only applies to the local proxy, not the upstream target connection.

    3. Trigger NTLM auth (coerced auth, phishing, responder, etc.)

    4. Session captured → browse to target through proxy

    5. Multiple sessions? Session picker UI appears, just click one. A cookie binds all subsequent requests to that relay session. To switch to a different session, close and reopen Firefox to clear the cookie.

    Shell Commands

      ghostsurf> socks      # List active sessions
      ghostsurf> targets    # List configured targets
      ghostsurf> exit       # Shutdown

    Kernel-Mode Auth Workaround

    IIS with kernel-mode authentication enabled (the default since IIS 7) binds NTLM auth to TCP connections at the kernel level via HTTP.sys. If a request hits a path configured for Anonymous authentication (static CSS, JS, images, fonts), HTTP.sys resets the authenticated context on the connection. The relay session silently dies with no error.

    ghostsurf’s -k flag probes paths anonymously before using the relay socket:

    1. Opens a fresh anonymous connection, sends the same request without NTLM
    2. 401 response → path requires auth → forward through the authenticated relay socket
    3. 200 response → path is public → return anonymous response directly, relay socket untouched
    4. Results cached per path for negligible overhead after initial page load

    Use -k for any IIS target. This includes CyberArk, Passwordstate, Delinea Secret Server, IBM Verify Privilege Vault, Thycotic Secret Server, BeyondTrust Password Safe, OneIdentity Password Manager, SCCM, and other software that preserves default IIS authentication settings. If unsure, just use -k — the overhead is minimal and it prevents silent session death.

    Without -k, all requests go directly through the relay socket, which works for targets that don’t use kernel-mode authentication (Windows Admin Center, Apache, nginx, non-IIS stacks, IIS 6 and below on default settings).
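    The following Python is an added example, not ghostsurf code: it models the HTTP.sys behaviour described above with a toy server (a constructed stand-in, not real IIS) in which the NTLM context lives on the TCP connection and is dropped the moment that connection serves an Anonymous-auth path, then runs the same page sequence through a naive relay and through the probe-first strategy. The path layout and the "/static/" anonymous prefix are assumptions of the example.

```python
"""Probe-first routing versus naive relaying, against a toy HTTP.sys model (added example)."""
from dataclasses import dataclass


@dataclass
class Connection:
    authenticated: bool = False     # kernel-mode NTLM binds the identity to the TCP connection


class FakeHttpSys:
    """Constructed stand-in for IIS + HTTP.sys with kernel-mode auth; not the real server.
    A request for an Anonymous-auth path drops the connection's authenticated context."""

    def __init__(self, anonymous_prefixes=("/static/",)):
        self.anonymous_prefixes = tuple(anonymous_prefixes)

    def handle(self, conn: Connection, path: str) -> int:
        if path.startswith(self.anonymous_prefixes):
            conn.authenticated = False       # the silent reset the text describes
            return 200
        return 200 if conn.authenticated else 401


def naive_proxy(server, relay_conn, paths):
    """Everything through the relayed socket (ghostsurf without -k)."""
    return [server.handle(relay_conn, p) for p in paths]


class ProbeFirstProxy:
    """Probe each unseen path on a fresh anonymous connection; only 401 paths touch the relay socket."""

    def __init__(self, server, relay_conn):
        self.server = server
        self.relay_conn = relay_conn
        self.cache = {}          # path -> "public" | "protected"
        self.probes = 0

    def fetch(self, path: str) -> int:
        verdict = self.cache.get(path)
        if verdict is None:
            self.probes += 1
            status = self.server.handle(Connection(), path)   # new socket, no NTLM on it
            verdict = "protected" if status == 401 else "public"
            self.cache[path] = verdict
            if verdict == "public":
                return status                                  # relay socket never sees this path
        if verdict == "public":
            return self.server.handle(Connection(), path)
        return self.server.handle(self.relay_conn, path)


if __name__ == "__main__":
    pages = ["/", "/static/app.css", "/admin/users"]
    print("without -k:", naive_proxy(FakeHttpSys(), Connection(authenticated=True), pages))
    proxy = ProbeFirstProxy(FakeHttpSys(), Connection(authenticated=True))
    print("with -k:   ", [proxy.fetch(p) for p in pages], "probes:", proxy.probes)
```

    The naive run returns 200, 200, 401: the stylesheet request succeeds but kills the relayed context, and the next protected page fails with no error anywhere in the relay. The probe-first run returns 200 for all three and pays one extra anonymous request per new path, after which the cache answers.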

    Install & Use

  • EvilMist: The Ultimate Swiss Army Knife for Azure and Entra ID Red Teaming

    EvilMist is a collection of scripts and utilities designed to support cloud security configuration audit, cloud penetration testing and cloud red teaming. The toolkit helps identify misconfigurations, assess privilege-escalation paths, and simulate attack techniques. EvilMist aims to streamline cloud-focused red-team workflows and improve the overall security posture of cloud infrastructures.

    Tools

    Unauthenticated Entra ID Enumeration

    Unauthenticated Azure/Entra ID enumeration and reconnaissance tool. Performs passive/semi-passive enumeration using publicly accessible APIs and DNS queries without requiring any authentication tokens.

    Key Features:

    • No Authentication Required – Works without Azure tokens or credentials
    • Tenant Discovery – Retrieve tenant ID, name, region via azmap.dev and OpenID config
    • Domain Realm Analysis – Identify Managed vs Federated authentication
    • User Existence Checking – Verify email addresses via GetCredentialType API
    • DNS Reconnaissance – Enumerate MX, SPF, TXT, CNAME, SRV, Autodiscover records
    • Port Scanning – Check common Azure ports (HTTPS, LDAP, Kerberos, RDP)
    • Stealth Mode – Configurable delays and jitter to avoid rate limiting
    • Export Options – JSON and CSV export formats
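    As an added example (not EvilMist code), the three public endpoints behind tenant discovery, realm analysis and user-existence checking, with the response fields that matter parsed out. The endpoint URLs and field names are the real ones used by the Microsoft login flow; the sample response bodies are constructed with made-up tenant IDs and domains, so the parsing runs offline, and the live fetch helper is only there for use against a real tenant.

```python
"""Unauthenticated Entra ID lookups: tenant, realm and user existence (added example)."""
import json
import urllib.request

LOGIN = "https://login.microsoftonline.com"


def openid_config_url(domain: str) -> str:
    return f"{LOGIN}/{domain}/.well-known/openid-configuration"


def user_realm_url(upn: str) -> str:
    return f"{LOGIN}/getuserrealm.srf?login={upn}&json=1"


def credential_type_request(upn: str):
    # URL and JSON POST body for GetCredentialType, the call the login page makes after the username step
    return f"{LOGIN}/common/GetCredentialType", json.dumps({"Username": upn}).encode()


def tenant_from_openid(body: str) -> dict:
    cfg = json.loads(body)
    # issuer looks like https://sts.windows.net/<tenant-id>/
    tenant_id = cfg["issuer"].rstrip("/").rsplit("/", 1)[-1]
    return {"tenant_id": tenant_id, "region": cfg.get("tenant_region_scope")}


def realm_from_userrealm(body: str) -> dict:
    r = json.loads(body)
    out = {"namespace": r.get("NameSpaceType")}       # "Managed", "Federated" or "Unknown"
    if out["namespace"] == "Federated":
        out["federation_brand"] = r.get("FederationBrandName")
        out["auth_url"] = r.get("AuthURL")            # where federated users get redirected (ADFS etc.)
    return out


IF_EXISTS = {
    0: "exists",
    1: "does not exist",
    5: "exists, signs in via a different IdP",
    6: "exists, both managed and federated",
}


def user_state(body: str) -> str:
    r = json.loads(body)
    if r.get("ThrottleStatus"):
        return "throttled (result unreliable)"        # back off; this is what delay/jitter options are for
    code = r.get("IfExistsResult")
    return IF_EXISTS.get(code, f"unknown IfExistsResult {code}")


def fetch_json(url: str, data: bytes = None) -> str:
    """Live lookup (not exercised offline): GET when data is None, otherwise a JSON POST."""
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


# Constructed sample responses: the shape is real, the values are made up
SAMPLE_OPENID = json.dumps({
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "tenant_region_scope": "EU",
})
SAMPLE_REALM = json.dumps({
    "NameSpaceType": "Federated", "FederationBrandName": "Contoso",
    "AuthURL": "https://adfs.contoso.example/adfs/ls/",
})
SAMPLE_CREDTYPE = json.dumps({"Username": "alice@contoso.example", "IfExistsResult": 0, "ThrottleStatus": 0})

if __name__ == "__main__":
    print(tenant_from_openid(SAMPLE_OPENID))
    print(realm_from_userrealm(SAMPLE_REALM))
    print(user_state(SAMPLE_CREDTYPE))
    # live use: user_state(fetch_json(*credential_type_request("alice@contoso.example")))
```

    The ThrottleStatus check is the one people skip: once the endpoint starts throttling, IfExistsResult stops being meaningful and an enumeration run without delays will quietly report every remaining address as non-existent.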

    Enumerate-EntraUsers

    Comprehensive Azure Entra ID (Azure AD) user enumeration and security assessment tool, available in both PowerShell and Python versions.

    Key Features:

    • 15+ User Enumeration Methods – Works even when direct /users access is blocked
    • Security Assessment – MFA status, privileged roles, stale accounts, guest users
    • Credential Attack Surface – SSPR, legacy auth, app passwords analysis
    • Conditional Access Analysis – Policy enumeration and gap detection
    • Device & Intune Enumeration – Managed devices, compliance policies
    • Attack Path Analysis – Privilege escalation paths and lateral movement
    • Power Platform – Power Apps and Power Automate flow enumeration
    • Export Options – BloodHound/AzureHound JSON, HTML reports, CSV/JSON
    • Stealth Mode – Configurable delays and jitter to avoid detection

    MFA Security Check

    Focused security assessment tool to identify Azure Entra ID users without Multi-Factor Authentication (MFA) enabled. Includes advanced features for shared mailbox detection and sign-in activity analysis.

    Key Features:

    • MFA Detection – Identifies users without strong authentication methods
    • Last Sign-In Tracking – Shows last login date/time and activity patterns
    • Shared Mailbox Detection – Automatically identifies and filters shared mailbox accounts
    • Sign-In Capability Check – Determines if accounts can actually authenticate
    • Risk Assessment – Categorizes users by risk level (HIGH/MEDIUM/LOW)
    • Activity Analytics – Sign-in statistics, department breakdowns, stale accounts
    • Matrix View – Compact table format for quick visual scanning
    • Export Options – CSV/JSON with comprehensive user details
    • Stealth Mode – Configurable delays and jitter to avoid detection

    Guest Account Enumeration

    Comprehensive guest account analysis tool to identify, analyze, and assess the security posture of external users in Azure Entra ID. Essential for guest access governance and security audits.

    Key Features:

    • Guest Account Discovery – Enumerate all guest users in the tenant
    • MFA Status Detection – Identify guests without Multi-Factor Authentication
    • Last Sign-In Tracking – Shows login date/time and activity patterns for guests
    • Guest Domain Extraction – Identifies originating organizations of guest users
    • Invite Status Tracking – Shows accepted, pending, or expired invitations
    • Risk Assessment – Categorizes guests by risk level (HIGH/MEDIUM/LOW)
    • Activity Analytics – Sign-in statistics, stale accounts, unused invites
    • Matrix View – Compact table format for quick visual scanning
    • Filtering Options – Show only guests without MFA or include disabled accounts
    • Export Options – CSV/JSON with comprehensive guest details
    • Stealth Mode – Configurable delays and jitter to avoid detection

    Critical Administrative Access Check

    Comprehensive security assessment tool to identify Azure Entra ID users with access to 10 critical administrative applications including PowerShell tools, management portals, core Microsoft 365 services, and privileged identity management. Essential for privileged access governance and administrative tool auditing.

    Key Features:

    • Critical Access Discovery – Enumerate users with administrative application access across all tiers
    • Explicit Assignment Focus – Shows users with elevated/administrative access (not basic user access)
    • Default Access Detection – Automatically detects and warns about apps with default access
    • Security-Focused Results – Filters out noise from basic user access to focus on privileged users
    • Multiple Application Coverage – Tracks 10 critical apps: Azure/AD PowerShell, Azure CLI, Graph Tools, M365/Azure Portals, Exchange/SharePoint Online, and PIM
    • MFA Status Detection – Identify privileged users without Multi-Factor Authentication
    • Last Sign-In Tracking – Shows login date/time and activity patterns
    • Assignment Tracking – Shows when users were granted management access
    • Risk Assessment – Categorizes users by risk level (HIGH/MEDIUM/LOW)
    • Activity Analytics – Sign-in statistics, stale accounts, inactive users
    • Matrix View – Compact table format for quick visual scanning
    • Filtering Options – Show only users without MFA or include disabled accounts
    • Export Options – CSV/JSON with comprehensive access details
    • Stealth Mode – Configurable delays and jitter to avoid detection

    Install & Use

  • Beyond the Active Session: Hunting Offline Secrets with ProfileHound’s New Graph Edge

    ProfileHound is a post-escalation tool to help find and achieve red-teaming objectives by locating domain user profiles on machines. It uses the BloodHound OpenGraph format to build a new edge called HasUserProfile which determines if a user profile exists on a computer. This edge allows operators to make informed decisions about which computers to target for looting secrets.

    This tool requires administrative access to the C$ share on target machines to enumerate user profiles.

    Post-exploitation objectives in Active Directory have shifted from data stored on-site into SaaS applications and the cloud. To prove value in offsec, we need to demonstrate how access to these services can be compromised. In many cases, these services are used only by certain groups or users, such as HR, Finance, etc. In some scenarios, certain SaaS applications can only be accessed from specific machines.

    BloodHound’s HasSession edge is great, but it’s only useful when a user is logged into a machine. If a user is not logged into a machine when the data is collected, it can be difficult to find which computer may contain secrets to facilitate further exploitation. User profiles may contain a significant amount of valuable intel within DPAPI, cached credentials, SSH keys, cloud keys, and more – these don’t require an active user session to access.

    ProfileHound uses BloodHound’s OpenGraph format to build a new graph edge called HasUserProfile which determines if a user profile exists on a domain machine. This can help operators focus on machines where a high-value user or group has a profile.

    The HasUserProfile edge carries the profile's creation and last-modified timestamps as properties. That information helps to determine:

    • If a profile is actively used (logged in within the last few days)
    • If the profile has been used for years (likely to contain lots of secrets!)

    Cypher queries over these timestamp properties can then pick out active or long-lived user profiles on specific machines.

    How it Works

    ProfileHound uses the C$ share to enumerate user profiles on a domain machine at \\<target>\C$\Users\. It will read the user’s NTUSER.DAT file to determine if the user is a domain account or local account by retrieving the SID from the file metadata. For example, it will gather all user directories at \\<target>\C$\Users\ and then loop over each directory to find the NTUSER.DAT file at \\<target>\C$\Users\<username>\NTUSER.DAT. If the NTUSER.DAT file is owned by a well-known SID, it will try to find the user’s SID by reading their DPAPI directory (e.g. \\<target>\C$\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>).

    Because we are reaching the C$ share, we need an administrative account to authenticate to the target machine. ProfileHound will use the credentials provided to authenticate to the target machine. If you are using a domain account, you can use the --auth-domain option to specify the domain. If you are using a local account, you can use the --auth-local option.

    The creation and last modified times of the NTUSER.DAT file are gathered and can be used to determine if the profile is active. This correlation is handled within cypher queries on the edge properties, examples are below.

    It’s interesting to note that if the NTUSER.DAT file is last modified before the creation date, it is likely that the profile was created but not used in a tangible way. This condition exists because the NTUSER.DAT file is copied from the C:\Users\Default profile when a new user profile is created, maintaining the same modified date even though the creation date is later. Because of this, we can be reasonably confident that specific profile will not contain any secrets.
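    The SID and timestamp logic described above, as an added Python example rather than ProfileHound's own code: it resolves each profile's SID (falling back to the DPAPI Protect folder when NTUSER.DAT is owned by a well-known SID), separates domain from local accounts, applies the "modified before created means never used" heuristic, and emits a HasUserProfile edge per domain profile in an OpenGraph-shaped payload. The directory listing, SIDs and dates are constructed; the edge direction (Computer to User), the property names, and the 7-day/365-day thresholds are assumptions of this example.

```python
"""NTUSER.DAT metadata -> HasUserProfile edges, on constructed data (added example)."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)           # fixed "collection time" for the sample
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # made-up domain SID
MACHINE_SID = "S-1-5-21-3623811015-3361044348-30300820"   # made-up local machine SID
WELL_KNOWN_OWNERS = {"S-1-5-18", "S-1-5-32-544"}          # SYSTEM, BUILTIN\Administrators


def resolve_sid(profile: dict):
    """Owner SID of NTUSER.DAT, unless it is well-known; then use the AppData\\...\\Protect\\<SID> folder."""
    if profile["ntuser_owner"] in WELL_KNOWN_OWNERS:
        return profile["dpapi_sids"][0] if profile["dpapi_sids"] else None
    return profile["ntuser_owner"]


def account_kind(sid) -> str:
    if sid is None:
        return "unknown"
    if sid.startswith(DOMAIN_SID + "-"):
        return "domain"
    if sid.startswith(MACHINE_SID + "-"):
        return "local"
    return "other"


def profile_tags(created: datetime, modified: datetime, active_days=7, old_days=365) -> set:
    if modified < created:
        # NTUSER.DAT was copied from C:\Users\Default and never written back: no real use, no secrets
        return {"unused"}
    tags = set()
    if NOW - modified <= timedelta(days=active_days):
        tags.add("active")
    if NOW - created >= timedelta(days=old_days):
        tags.add("long-lived")
    return tags or {"idle"}


def build_graph(computer: str, profiles: list) -> dict:
    """OpenGraph-style payload with one HasUserProfile edge per domain profile (Computer -> User)."""
    nodes = [{"id": computer, "kinds": ["Computer"], "properties": {"name": computer}}]
    edges = []
    for p in profiles:
        sid = resolve_sid(p)
        if account_kind(sid) != "domain":
            continue                                   # local and unresolvable profiles get no edge
        nodes.append({"id": sid, "kinds": ["User"], "properties": {"name": p["dir"]}})
        edges.append({
            "kind": "HasUserProfile",
            "start": {"value": computer, "match_by": "id"},
            "end": {"value": sid, "match_by": "id"},
            "properties": {
                "created": p["created"].isoformat(),
                "lastmodified": p["modified"].isoformat(),
                "tags": sorted(profile_tags(p["created"], p["modified"])),
            },
        })
    return {"graph": {"nodes": nodes, "edges": edges}}


def d(y, m, day):
    return datetime(y, m, day, tzinfo=timezone.utc)


# Constructed listing of \\WS01\C$\Users\ with the metadata ProfileHound reads per profile
PROFILES = [
    {"dir": "jsmith", "ntuser_owner": DOMAIN_SID + "-1105", "dpapi_sids": [DOMAIN_SID + "-1105"],
     "created": d(2023, 5, 1), "modified": d(2026, 2, 27)},                   # active and years old
    {"dir": "svc_backup", "ntuser_owner": "S-1-5-32-544", "dpapi_sids": [DOMAIN_SID + "-1200"],
     "created": d(2025, 11, 10), "modified": d(2025, 11, 9)},                 # copied, never used
    {"dir": "localadmin", "ntuser_owner": MACHINE_SID + "-1001", "dpapi_sids": [MACHINE_SID + "-1001"],
     "created": d(2024, 1, 15), "modified": d(2026, 1, 3)},                   # local account: skipped
    {"dir": "Default", "ntuser_owner": "S-1-5-18", "dpapi_sids": [],
     "created": d(2022, 8, 1), "modified": d(2022, 8, 1)},                    # no SID to resolve
]

if __name__ == "__main__":
    print(json.dumps(build_graph("WS01.zsec.red", PROFILES), indent=2))
```

    On the sample, jsmith's edge is tagged both active and long-lived (the profile to loot first), svc_backup's is tagged unused despite having a domain SID, and the local and Default profiles produce no edge at all.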

    Install & Use

  • Edge of Extinction: How FortiGate Flaws Open the Gates to Active Directory Subjugation

    The compromise of a perimeter network appliance can quickly lead an attacker to domain controllers and the enterprise's most critical data. In early 2026, security researchers documented a series of intrusions in which attackers exploited vulnerabilities in FortiGate firewalls to breach corporate networks and then move laterally deep into the infrastructure.

    SentinelOne analysed several of these cases. In every one, the attackers first gained access to FortiGate next-generation firewalls and then began moving laterally through the network; the intrusions were detected during this internal expansion phase.

    During these investigations Fortinet patched several serious vulnerabilities. CVE-2025-59718 and CVE-2025-59719 affected the Single Sign-On (SSO) implementation: because cryptographic signatures were not validated, an attacker could submit a forged SSO token and obtain administrative access without authentication. A further flaw, CVE-2026-24858, allowed unauthorized access to FortiGate devices when FortiCloud authentication was enabled. In some cases the attackers got in using their own FortiCloud credentials, and investigators also recorded systematic login attempts with common weak passwords.

    After gaining a foothold, the attacker dumped the appliance configuration with the show full-configuration command. That configuration describes the network topology and contains credentials for important service accounts. Because FortiOS stores these secrets with reversible encryption, the attacker can decrypt the configuration and recover usernames and passwords.

    One intrusion began in November 2025 and went unnoticed until February 2026. The attacker created a local administrator account named support on the FortiGate and added firewall rules allowing that account to reach every segmented network zone. Activity then stopped abruptly, a pattern typical of an Initial Access Broker (IAB) who secures an entry point and later sells the access on to other groups.

    Later, the attacker extracted the credentials for the fortidcagent LDAP account from the configuration and authenticated to Active Directory from 193.24.211[.]61. Once in, the attacker joined two rogue workstations, WIN-X8WRBOSK0OF and WIN-YRSXLEONJY2, to the domain by abusing the ms-DS-MachineAccountQuota attribute, which by default lets any ordinary domain account join up to ten computers.

    Network reconnaissance and brute-force password attacks followed. Systems logged large numbers of failed authentication attempts whose source matched the FortiGate appliance's IP address. Investigators also found traces of the SoftPerfect Network Scanner utility on compromised systems, and further access attempts from 185.156.73[.]62 and 185.242.246[.]127.

    In a second incident the adversary moved much faster. After taking control of the FortiGate, the attacker created an administrator account named ssl-admin, exported the configuration, and recovered Domain Administrator credentials from it. Within ten minutes the attacker had logged on to multiple servers using the built-in Domain Admin account.

    On those servers the attacker staged files in C:\ProgramData\USOShared and installed the Pulseway and MeshAgent remote monitoring and management (RMM) tools. The Pulseway installer was hosted in a Google Cloud Storage bucket; MeshAgent was deployed on the domain controller and the main file server and hidden from the list of installed applications.

    The attacker also downloaded an archive from an Amazon S3 bucket. It posed as Java components but loaded malicious libraries through DLL side-loading. Once running, the malware communicated with ndibstersoft[.]com and neremedysoft[.]com and spread to further servers with PsExec.

    Next, the adversary created a Volume Shadow Copy on the domain controller and extracted the NTDS.dit Active Directory database together with the SYSTEM registry hive. The files were compressed and exfiltrated to 172.67.196[.]232, a Cloudflare address. The transfer lasted about eight minutes, after which the archives were deleted from the host.

    Attacks like these are so damaging because FortiGate appliances hold privileged access to core infrastructure, including Active Directory, and because perimeter appliances cannot run endpoint security agents. Defence therefore comes down to prompt patching, strict control of administrative access, and long log retention. Researchers recommend keeping logs for at least 14 days, ideally 60 to 90, and forwarding them to a centralized Security Information and Event Management (SIEM) system.

  • Connecting the Dots: PrivHound Transforms Windows Local Privilege Escalation into an Explorable Graph

    PrivHound

    Local Privilege Escalation, as a Graph.

    A BloodHound OpenGraph collector that models Windows local privilege escalation as interconnected attack paths rather than a wall of text.

    For a long time, BloodHound has proven that attackers think in graphs, transforming Active Directory misconfigurations from static checklists into explorable attack paths. Yet when it comes to local privilege escalation, the industry is still stuck in 2015: run a tool, read a wall of text, manually connect the dots, or have an LLM do it for you 😛

    WinPEAS, PowerUp, and Seatbelt are excellent at finding individual misconfigurations, but they cannot answer questions like:

    • “Does this writable Program Files directory actually lead to SYSTEM because a service runs a binary from it?”
    • “Does this PowerShell history file contain credentials that are valid for a local admin?”
    • “Can I read another user’s profile, find their stored credentials, log in as them, and exploit a service they have write access to?”

    These tools report findings in isolation. In reality, privilege escalation is a multi-step chain where one finding feeds into another. A writable directory means nothing if no service runs from it. A credential in a history file means nothing if it doesn’t belong to a privileged user. The real question is never “what misconfigurations exist?” — it’s “what can I actually reach from here?”

    If Active Directory attacks can be thought of as a graph, why not local privilege escalation?

    PrivHound changes this by modeling local privilege escalation as a graph. Built on BloodHound's OpenGraph framework, it enumerates 29 categories of Windows privilege escalation vectors, from weak service permissions to COM hijacking to WebClient relay, and outputs them as interconnected nodes and edges.

    The result: multi-hop escalation chains become visible, queryable with Cypher, and overlayable on top of existing Active Directory attack paths.
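    To show what "one finding feeds into another" means in graph terms, here is an added Python example (not PrivHound code) that takes a handful of constructed findings as edges and searches for paths from the current user to SYSTEM, in the way a Cypher shortestPath query would over the collected graph. The node labels, relationship names and the findings themselves are inventions for the example; the point is that the writable directory nobody runs from and the credential of an unprivileged user both drop out as dead ends.

```python
"""Chaining isolated LPE findings into escalation paths (added example on constructed data)."""
from collections import deque

PSH = "File:C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"

# Each finding is one edge (source, relationship, target); prefixes stand in for node kinds
FINDINGS = [
    ("User:alice", "CanWriteDir", "Dir:C:\\Program Files\\Vendor"),
    ("Dir:C:\\Program Files\\Vendor", "ContainsBinaryOf", "Service:VendorSvc"),
    ("Service:VendorSvc", "RunsAs", "Principal:SYSTEM"),
    ("User:alice", "CanWriteDir", "Dir:C:\\Temp\\build"),            # writable, but nothing runs from it
    ("User:alice", "CanReadFile", PSH),
    (PSH, "ContainsCredentialFor", "User:bob"),
    ("User:bob", "MemberOf", "Group:Administrators"),
    ("Group:Administrators", "CanElevateTo", "Principal:SYSTEM"),
    ("User:alice", "CanReadFile", "File:C:\\Users\\carol\\unattend.xml"),
    ("File:C:\\Users\\carol\\unattend.xml", "ContainsCredentialFor", "User:carol"),   # carol is unprivileged
]


def adjacency(findings):
    adj = {}
    for src, rel, dst in findings:
        adj.setdefault(src, []).append((rel, dst))
    return adj


def escalation_paths(findings, start, goal, max_hops=6):
    """All simple paths from start to goal, shortest first; a path alternates node, rel, node, ..."""
    adj = adjacency(findings)
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            paths.append(path)
            continue
        if len(path) // 2 >= max_hops:
            continue
        for rel, dst in adj.get(path[-1], []):
            if dst not in path:                        # no cycles
                queue.append(path + [rel, dst])
    return paths


def dead_ends(findings, start, goal):
    """Findings attached to start that lie on no path to goal: what a flat checklist still reports."""
    on_path = {n for p in escalation_paths(findings, start, goal) for n in p[::2]}
    return sorted(dst for src, _, dst in findings if src == start and dst not in on_path)


def render(path):
    out = path[0]
    for rel, node in zip(path[1::2], path[2::2]):
        out += f" -[{rel}]-> {node}"
    return out


if __name__ == "__main__":
    for p in escalation_paths(FINDINGS, "User:alice", "Principal:SYSTEM"):
        print(f"{len(p) // 2} hops:", render(p))
    print("dead ends:", dead_ends(FINDINGS, "User:alice", "Principal:SYSTEM"))
```

    On the sample graph two chains reach SYSTEM: the three-hop service-binary path and the four-hop path through bob's PowerShell history; C:\Temp\build and carol's unattend.xml are findings a checklist tool would list with equal weight, and the graph shows they go nowhere.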

    What It Checks

    #  | Check                           | Technique                                      | MITRE
    1  | Weak Service Permissions        | Modifiable services running as SYSTEM          | T1574.011
    2  | Writable Service Binaries       | Replace service .exe with payload              | T1574.010
    3  | Unquoted Service Paths          | Path hijacking via writable intermediate dirs  | T1574.009
    4  | DLL Hijacking (PATH)            | Writable directories in system PATH            | T1574.001
    5  | AlwaysInstallElevated           | Install malicious MSI as SYSTEM                | T1548.002
    6  | Token Privileges                | SeImpersonate, SeDebug, SeBackup, etc.         | T1134.001
    7  | Scheduled Tasks                 | Writable binaries for SYSTEM tasks             | T1053.005
    8  | Autorun Executables             | Writable binaries in Run/RunOnce keys          | T1547.001
    9  | Registry Service Keys           | Writable service ImagePath in HKLM             | T1574.011
    10 | Stored Credentials              | Credential Manager, AutoLogon passwords        | T1552.001
    11 | GPP Cached Passwords            | Group Policy Preferences cpassword             | T1552.006
    12 | Unattended Install Files        | Credentials in unattend/sysprep XML            | T1552.001
    13 | PowerShell History              | PSReadLine history and transcripts             | T1552.001
    14 | Sensitive Files                 | SAM backups, .kdbx, .rdg, git-credentials      | T1552.001
    15 | UAC Bypass Opportunities        | UAC misconfig or admin-not-elevated            | T1548.002
    16 | Writable Program Directories    | Writable dirs in Program Files                 | T1574.010
    17 | Cross-User Profiles             | Readable profiles with sensitive files         | T1552.001
    18 | Credential Login Paths          | Validate extracted creds against local users   | T1078.003
    19 | Cross-User Privilege Escalation | Analyze what discovered users can access       | T1078.003
    20 | JIT Admin Tools                 | MakeMeAdmin, CyberArk EPM, Admin By Request    | T1548
    21 | Print Spooler / PrintNightmare  | Vulnerable Point and Print configuration       | T1068
    22 | WSUS HTTP (non-SSL)             | WSUS MITM for SYSTEM code execution            | T1557
    23 | SCCM/MECM NAA Credentials       | Network Access Account DPAPI extraction        | T1552.001
    24 | COM Object Hijacking            | HKCU CLSID hijack for SYSTEM-context DLL load  | T1546.015
    25 | Named Pipe Permissions          | Permissive SYSTEM pipe ACLs → impersonation    | T1134.001
    26 | Cached Credentials              | DCC2, WiFi, WinSCP, FileZilla, PuTTY creds     | T1552.001
    27 | WMI Event Subscriptions         | Writable WMI consumer binaries/scripts         | T1546.003
    28 | WebClient Relay                 | NTLM relay via WebClient to DC LDAP → SYSTEM   | T1187
    29 | Service Recovery Commands       | Writable failure recovery command binaries     | T1574.010
    30 | Shadow Copy Sensitive Files     | SAM/SYSTEM hives accessible in VSS snapshots   | T1003.002

    Multi-Hop Attack Paths

    This is what separates PrivHound from traditional privesc tools. Instead of listing findings in isolation, PrivHound connects them into exploitable chains:

    Chain                   | Path
    Credential pipeline     | User → PSHistory → PHContainsCreds → PHCanLoginAs → LocalUser → Admin
    Writable dir → service  | User → WritableProgramDir → PHHostsBinaryFor → Service → SYSTEM
    Cross-user profile      | User → Profile → SensitiveFile → PHCanLoginAs → LocalUser → Admin
    Cross-user escalation   | User → (creds) → PHCanLoginAs → UserX → PHCanWriteBinary → Service → SYSTEM
    SeBackup sub-chain      | User → SeBackup → PHCanReadProtected → SAM → PHCanExtractHashes → Admin
    Stored creds → runas    | User → StoredCred → PHCanLoginViaRunas → LocalUser → Admin
    SCCM NAA → creds        | User → SCCMCred → PHContainsCreds → PHCanLoginAs → Admin
    WebClient relay         | User → WebClientRelay → PHEscalatesTo → SYSTEM
    COM hijack              | User → COMHijack → PHExecutesAs → SYSTEM
    WMI subscription        | User → WMISubscription → PHRunsAs → SYSTEM
    Named pipe              | User → NamedPipe → PHRunsAs → SYSTEM
    Service recovery        | User → PHCanWriteRecoveryBin → Service → SYSTEM
    Shadow copy hashes      | User → ShadowCopy → SAM → PHCanExtractHashes → Admin
    JIT admin               | User → MakeMeAdmin → PHGrantsTempAdmin → Admin

    Cross-User Privilege Escalation

    When PrivHound discovers valid credentials for other local users (via GPP passwords, AutoLogon, unattend files, PowerShell history, cross-user profiles, etc.), it doesn’t stop at creating a PHCanLoginAs edge. It analyzes what those discovered users can actually do.

    How it works (no SeImpersonatePrivilege required):

    1. LogonUser obtains a token handle for each discovered user
    2. GetTokenInformation extracts group memberships (SIDs) and token privileges
    3. ACL checks run using the discovered user’s groups — not the current user’s
    4. Edges are created from the discovered user’s node to any vulnerable resources they can access
    5. The token is closed — no impersonation occurs, no elevated privileges needed

    What it checks for each discovered user:

    Sub-check               | Edge created
    Service binary write    | PHCanWriteBinary
    Service SDDL modify     | PHCanModifyService
    Unquoted path hijack    | PHCanHijackPath
    DLL hijack PATH dirs    | PHCanWriteTo
    Scheduled task binary   | PHCanWriteTaskBinary
    Autorun binary          | PHCanWriteAutorun
    Program directory       | PHCanWriteProgDir
    Token privileges        | PHHasPrivilege
    Service recovery binary | PHCanWriteRecoveryBin

    All cross-user edges include a discovered_via="credential" property for filtering.
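    The two ideas above, an access check evaluated against a discovered user's group set instead of the current token, and findings joined into a graph so that only connected chains surface, can be shown together in a small script. The following is an added example, not PrivHound's own code: the SIDs, DACLs, group memberships and the extra edges (PHCanLoginAs, PHHostsBinaryFor, PHRunsAs) are constructed inline; a real collector would obtain the group SIDs from LogonUser/GetTokenInformation as described, and the access-check routine is a simplified form of the Windows AccessCheck ordering (matching deny ACEs fail the request, allow ACEs accumulate). The same evaluation is what an administrator would run to audit a service binary's ACL for a given group.

```python
"""Added example (not PrivHound's own code): evaluate a DACL against a
*discovered* principal's group SIDs, emit graph edges from the result, and
search the graph for multi-hop paths to SYSTEM.  All SIDs, ACLs and group
sets below are constructed for the example."""
from collections import deque
from dataclasses import dataclass

FILE_READ, FILE_WRITE, FILE_EXEC = 0x0001, 0x0002, 0x0020   # access-mask bits (simplified)

# Well-known SIDs plus one constructed local group SID
SID_EVERYONE, SID_AUTH_USERS = "S-1-1-0", "S-1-5-11"
SID_ADMINS, SID_USERS, SID_SYSTEM = "S-1-5-32-544", "S-1-5-32-545", "S-1-5-18"
SID_BACKUP_STAFF = "S-1-5-21-1000-2000-3000-1105"       # constructed, hypothetical group


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


def effective_access(dacl, principal_sids, desired):
    """Simplified AccessCheck: ACEs are walked in order; a deny ACE whose mask
    overlaps the still-ungranted rights fails the check, allow ACEs accumulate
    until every desired bit is granted.  Only ACEs whose SID is in the
    principal's group set are considered, which is the whole point of running
    the check with the discovered user's groups instead of the current token."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in principal_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0


def write_edges(binaries, principals):
    """One PHCanWriteBinary edge per (principal, binary) where that principal's
    own group set grants FILE_WRITE.  Each edge carries the discovered_via
    property so cross-user findings can be filtered later."""
    edges = []
    for pname, p in principals.items():
        for path, dacl in binaries.items():
            if effective_access(dacl, p["sids"], FILE_WRITE):
                edges.append((pname, "PHCanWriteBinary", path, {"discovered_via": p["discovered_via"]}))
    return edges


def find_paths(edges, start, goal, max_hops=6):
    """Breadth-first search over (src, edge, dst, props) tuples.  Returns every
    simple path from start to goal as an alternating [node, edge, node, ...] list."""
    adj = {}
    for src, etype, dst, _ in edges:
        adj.setdefault(src, []).append((etype, dst))
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == goal:
            paths.append(path)
            continue
        if len(path) // 2 >= max_hops:
            continue
        for etype, dst in adj.get(node, []):
            if dst not in path[::2]:        # path[::2] are the nodes; skip cycles
                queue.append(path + [etype, dst])
    return paths


# --- Constructed sample environment ----------------------------------------
AGENT = "C:\\Program Files\\AcmeBackup\\agent.exe"        # hypothetical service binary
SVCHOST = "C:\\Windows\\System32\\svchost.exe"
BINARIES = {
    AGENT: [Ace("allow", SID_SYSTEM, FILE_READ | FILE_WRITE | FILE_EXEC),
            Ace("allow", SID_ADMINS, FILE_READ | FILE_WRITE | FILE_EXEC),
            Ace("allow", SID_BACKUP_STAFF, FILE_WRITE),            # the misconfiguration
            Ace("allow", SID_USERS, FILE_READ | FILE_EXEC)],
    SVCHOST: [Ace("allow", SID_SYSTEM, FILE_READ | FILE_WRITE | FILE_EXEC),
              Ace("allow", SID_ADMINS, FILE_READ | FILE_WRITE | FILE_EXEC),
              Ace("allow", SID_USERS, FILE_READ | FILE_EXEC)],
}
PRINCIPALS = {
    # current user: not in the backup group, so the misconfiguration is invisible to her token
    "alice": {"sids": {"S-1-5-21-1000-2000-3000-1201", SID_EVERYONE, SID_AUTH_USERS, SID_USERS},
              "discovered_via": "current"},
    # user whose credentials were found (e.g. AutoLogon); group set obtained from its own token
    "svc_backup": {"sids": {"S-1-5-21-1000-2000-3000-1150", SID_EVERYONE, SID_AUTH_USERS,
                            SID_USERS, SID_BACKUP_STAFF},
                   "discovered_via": "credential"},
}
# Edges other checks would contribute (constructed); the last one is a dead end on purpose
BASE_EDGES = [
    ("alice", "PHCanLoginAs", "svc_backup", {"source": "AutoLogon"}),
    (AGENT, "PHHostsBinaryFor", "AcmeBackupSvc", {}),
    ("AcmeBackupSvc", "PHRunsAs", "SYSTEM", {}),
    ("alice", "PHCanWriteTo", "C:\\Program Files\\OrphanTool", {}),   # writable dir, no service uses it
]


def escalation_paths(start="alice", goal="SYSTEM"):
    """Combine the static findings with the cross-user write edges and search."""
    return find_paths(BASE_EDGES + write_edges(BINARIES, PRINCIPALS), start, goal)


if __name__ == "__main__":
    for p in escalation_paths():
        print(" -> ".join(p))
```

    Run stand-alone, the script reports exactly one chain (alice → svc_backup → agent.exe → AcmeBackupSvc → SYSTEM); the writable OrphanTool directory produces no path because nothing executes from it, which is the "finding in isolation" the article argues against reporting.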

    Download & Use

  • Beyond the Perimeter: Auditing Active Directory Security with ADPulse’s 35-Point Automated Scan

    ADPulse — Active Directory Security Scanner

    ADPulse is an open-source Active Directory security auditing tool that connects to a domain controller via LDAP(S), runs 35 automated security checks, and produces detailed reports in console, JSON, and HTML formats.

    It is designed for IT administrators, penetration testers, and security teams who need a fast, read-only assessment of AD misconfigurations and attack surface.

    A PowerShell script named test_environment.ps1 is also included if you wish to set up your own vulnerable domain controller to test with.

    Features

    Security Checks (35 total)

    #  | Check                                           | Description
    1  | Password Policy                                 | Minimum length, history, complexity, lockout threshold, reversible encryption, fine-grained PSOs
    2  | Privileged Accounts                             | Membership of Domain Admins, Enterprise Admins, Schema Admins, and other sensitive groups; stale members, non-expiring passwords, passwords in descriptions, built-in Administrator status, krbtgt age
    3  | Kerberos                                        | Kerberoastable accounts (SPNs on user objects), AS-REP roastable accounts, DES-only encryption, high-value targets combining adminCount=1 + SPN + PasswordNeverExpires
    4  | Unconstrained Delegation                        | Non-DC computers and user accounts trusted for unconstrained Kerberos delegation
    5  | Constrained Delegation                          | Accounts with protocol transition (S4U2Self) and standard constrained delegation targets
    6  | ADCS / PKI                                      | ESC1, ESC2, ESC3, ESC6, ESC8, ESC9, ESC10, ESC11, ESC13, ESC15, weak key sizes, enrollee ACL enumeration
    7  | Domain Trusts                                   | Bidirectional trusts without SID filtering, forest trusts, external trusts
    8  | Account Hygiene                                 | Stale users/computers, never-logged-in accounts, PASSWD_NOTREQD flag, reversible encryption per-account, old passwords, duplicate SPNs
    9  | Protocol Security                               | LDAP signing/channel binding, DC operating system versions, domain/forest functional level, NTLMv1/WDigest guidance
    10 | Group Policy Objects                            | Disabled, orphaned, unlinked, and empty GPOs; excessive GPO count
    11 | LAPS                                            | Legacy LAPS and Windows LAPS schema detection; computers without LAPS passwords
    12 | LAPS Coverage                                   | Percentage-based coverage of all non-DC computers with a LAPS-managed password
    13 | DNS & Infrastructure                            | Wildcard DNS records, LLMNR/NetBIOS-NS poisoning guidance
    14 | Domain Controllers                              | Single-DC detection, legacy OS on DCs, FSMO roles, RODC password replication policy
    15 | ACL / Permissions                               | ESC4, ESC5, ESC7, DCSync rights on non-privileged principals, Protected Users group, delegation ACLs
    16 | Optional Features                               | AD Recycle Bin, Privileged Access Management (PAM)
    17 | Replication Health                              | Site count, site link replication intervals, nTDSDSA objects
    18 | Service Accounts                                | gMSA adoption, regular user service accounts, service accounts with adminCount=1
    19 | Miscellaneous Hardening                         | Machine account quota, tombstone lifetime, Schema Admins/Enterprise Admins membership, Guest account, audit policy guidance
    20 | Deprecated Operating Systems                    | Enabled computer accounts reporting end-of-life Windows versions
    21 | Legacy Protocols                                | SMBv1 detection, SMB signing enforcement, null session acceptance (live network probes)
    22 | Exchange                                        | Exchange Windows Permissions group (PrivExchange / CVE-2019-0686), Exchange Trusted Subsystem
    23 | Protected Admin Users                           | adminCount=1 inventory: orphaned, ghost (disabled), and stale accounts
    24 | Passwords in Descriptions                       | Keyword-based detection of credentials stored in the Description field of users, admins, and computers
    25 | GPP / cpassword (MS14-025)                      | Walks SYSVOL for Group Policy Preferences XML files containing cpassword attributes and decrypts them using Microsoft’s publicly known AES key
    26 | AdminSDHolder ACL                               | Reads the binary DACL on CN=AdminSDHolder and flags non-privileged principals with write access; these ACEs auto-propagate to all protected accounts every 60 minutes via SDProp
    27 | SID History                                     | Detects accounts with sIDHistory populated; escalates to CRITICAL if any injected SID maps to a privileged group (Domain Admins, Enterprise Admins, etc.)
    28 | Shadow Credentials                              | Flags unexpected msDS-KeyCredentialLink entries on user and computer objects, which enable certificate-based authentication without knowing the account password
    29 | RC4 / Legacy Kerberos Encryption                | Checks msDS-SupportedEncryptionTypes on service accounts, DCs, and admin accounts to identify those still permitting RC4-HMAC, the weak enctype attackers specifically request for offline cracking
    30 | Foreign Security Principals in Privileged Groups | Enumerates CN=ForeignSecurityPrincipals and flags any FSP from a trusted domain that is a member of a sensitive local group (Domain Admins, Backup Operators, etc.)
    31 | Pre-Windows 2000 Compatible Access              | Checks whether Everyone or Anonymous Logon are members of this group, which enables unauthenticated SAMR/LSARPC enumeration from anywhere on the network
    32 | Dangerous Constrained Delegation Targets        | Cross-references delegation targets against DC hostnames and flags accounts delegating to high-value service classes (ldap/cifs/host/gc/krbtgt/) on Domain Controllers
    33 | Orphaned AD Subnets                             | Finds subnets with no siteObject assignment, causing clients to receive a random DC and potentially routing authentication traffic across WAN links
    34 | Legacy FRS SYSVOL Replication                   | Detects whether SYSVOL is still replicating via the deprecated File Replication Service instead of DFSR, and flags stalled mid-migration states
    35 | RBCD on Domain Object / DCs                     | Checks msDS-AllowedToActOnBehalfOfOtherIdentity on the domain NC head and all DC computer objects; either configuration grants effective Domain Admin to the permitted principals via S4U2Proxy

    Reporting

    • Console — colour-coded terminal output with at-a-glance critical findings and key metrics
    • JSON — machine-readable export for integration with SIEMs, ticketing systems, or custom dashboards
    • HTML — self-contained dark-themed report with collapsible sections, severity badges, stat cards, scoring legend, and an ADCS template inventory

    Scoring

    Every finding carries a risk-score deduction. The overall score starts at 100 and is reduced per finding:

    Score  | Risk Level | Meaning
    80–100 | LOW        | Good security posture, minor issues only
    60–79  | MEDIUM     | Notable weaknesses that should be addressed
    40–59  | HIGH       | Significant vulnerabilities present
    0–39   | CRITICAL   | Severe risks; immediate remediation required
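    To show how one of the checks in the table feeds the scoring model, here is an added example (not ADPulse's own code) that implements check 29 over a handful of constructed LDAP-style records and then applies the 100-minus-deductions score with the risk bands above. The attribute names (msDS-SupportedEncryptionTypes, adminCount, servicePrincipalName) and the enctype bit values are the real AD schema names and flag values; the sample objects, the per-finding deduction amounts, and the decision to treat an unset attribute as "RC4 permitted by default" are assumptions made for the example (the page does not say how ADPulse weights findings), so they are parameters you would tune.

```python
"""Added example (not ADPulse's own code): an ADPulse-style RC4/legacy
Kerberos enctype check over constructed directory records, with findings
reduced to a 0-100 score and the LOW/MEDIUM/HIGH/CRITICAL bands."""

# Bit flags of the msDS-SupportedEncryptionTypes attribute
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128_CTS, AES256_CTS = 0x1, 0x2, 0x4, 0x8, 0x10
ENCTYPE_NAMES = {
    DES_CBC_CRC: "DES-CBC-CRC",
    DES_CBC_MD5: "DES-CBC-MD5",
    RC4_HMAC: "RC4-HMAC",
    AES128_CTS: "AES128-CTS-HMAC-SHA1-96",
    AES256_CTS: "AES256-CTS-HMAC-SHA1-96",
}


def decode_enctypes(value):
    """Return the set of enctype names an object advertises.  An absent or zero
    attribute is reported as 'unset' so the caller decides what the DC default
    means rather than this function guessing."""
    if not value:
        return {"unset"}
    return {name for bit, name in ENCTYPE_NAMES.items() if value & bit}


def check_rc4_kerberos(objects, unset_means_rc4=True):
    """Check-29 style logic: flag objects still permitting RC4-HMAC or DES.
    Severity and deduction rise with the object's role: DCs first, then
    adminCount=1 accounts and SPN holders (Kerberoast targets), then the rest.
    Deduction values are assumptions for this example."""
    findings = []
    for obj in objects:
        etypes = decode_enctypes(obj.get("msDS-SupportedEncryptionTypes"))
        weak = {e for e in etypes if e.startswith("DES") or e == "RC4-HMAC"}
        if "unset" in etypes and unset_means_rc4:
            weak.add("RC4-HMAC (default, attribute unset)")
        if not weak:
            continue
        if obj.get("isDC"):
            severity, deduction = "CRITICAL", 15
        elif obj.get("adminCount") == 1 or obj.get("servicePrincipalName"):
            severity, deduction = "HIGH", 8
        else:
            severity, deduction = "MEDIUM", 3
        findings.append({
            "check": "RC4 / Legacy Kerberos Encryption",
            "object": obj["sAMAccountName"],
            "severity": severity,
            "detail": sorted(weak),
            "deduction": deduction,
        })
    return findings


# Lower bound of each band from the scoring table, highest first
RISK_BANDS = [(80, "LOW"), (60, "MEDIUM"), (40, "HIGH"), (0, "CRITICAL")]


def score(findings):
    """Start at 100, subtract every finding's deduction (floor 0), map to a band."""
    total = max(0, 100 - sum(f["deduction"] for f in findings))
    level = next(name for floor, name in RISK_BANDS if total >= floor)
    return total, level


# Constructed sample records (attribute values as an LDAP client would return them)
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "isDC": True,
     "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128_CTS | AES256_CTS},   # 0x1C: RC4 still allowed on a DC
    {"sAMAccountName": "svc_sql", "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": None},                                  # unset on a Kerberoastable account
    {"sAMAccountName": "Administrator", "adminCount": 1,
     "msDS-SupportedEncryptionTypes": AES128_CTS | AES256_CTS},               # 0x18: AES only, clean
    {"sAMAccountName": "jdoe", "msDS-SupportedEncryptionTypes": RC4_HMAC},     # RC4 only
    {"sAMAccountName": "legacy_app", "msDS-SupportedEncryptionTypes": DES_CBC_CRC | DES_CBC_MD5},  # DES only
]

if __name__ == "__main__":
    found = check_rc4_kerberos(SAMPLE_OBJECTS)
    for f in found:
        print(f"[{f['severity']}] {f['object']}: {', '.join(f['detail'])} (-{f['deduction']})")
    print("score: %d (%s)" % score(found))
```

    On the sample records this yields four findings (the AES-only Administrator account is clean) and a score of 71, which the table maps to MEDIUM. Whether an unset attribute should count as RC4 depends on the DC's configured default, so the flag is exposed as a parameter rather than hard-coded.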

    Download & Use

  • Shadows in the Server: How the Warlock Group Weaponized a “Forgotten” VM to Breach SmarterTools

    SmarterTools has disclosed a comprehensive retrospective regarding a recent infiltration of its infrastructure, meticulously delineating the adversaries’ entry vector and their subsequent maneuvers. The incursion originated from a solitary, neglected virtual mail server that had remained unpatched for an extended duration—a critical oversight that served as the primary gateway for the assault.

    According to corporate disclosures, the network architecture comprised approximately thirty servers running the SmarterMail platform. One specific instance, deployed independently by a staff member, had bypassed routine security updates, allowing antagonists to gain a foothold within a segment of the internal network. Notably, mission-critical services—including the primary website, procurement systems, and client portals—remained operational and uncompromised, with user credentials and core business applications evading impact.

    The offensive permeated the corporate office network and a discrete data processing facility housing laboratory environments and customer support systems. Approximately twelve Windows-based servers were affected, whereas Linux-based systems remained unscathed; a portion of the compromised infrastructure was successfully remediated utilizing backups captured a mere six hours prior to detection. Upon the identification of anomalous activity, all servers across both sites were summarily disconnected to facilitate a rigorous forensic audit.

    In the aftermath of the breach, the infrastructure underwent a profound architectural metamorphosis. The organization significantly reduced its reliance on Windows environments where feasible and entirely dismantled its Active Directory services. Furthermore, a mandatory global password reset was enforced across the entire network. SmarterTools specifically lauded the efficacy of the SentinelOne security suite, which proved instrumental in identifying vulnerabilities and thwarting attempts at data encryption.

    SmarterTools reminded its clientele that critical remediations were integrated into the SmarterMail 9518 build released on January 15, 2026. A subsequent iteration, build 9526, introduced further refinements and addressed minor security discrepancies identified during an internal audit. The developers emphasize that even incremental security updates are paramount in preempting denial-of-service attacks and mitigating server overloads.

    Analysts further detailed the behavioral patterns of the adversarial collective, identified as the Warlock Group. Following initial penetration, these actors typically maintain a dormant presence for six to seven days before commencing active operations; consequently, certain compromises occurred even after the installation of updates. The group’s primary objective involves seizing control of the Active Directory domain controller, creating fraudulent accounts, and disseminating remote access tools and ransomware across Windows-based servers. They typically secrete malicious binaries within shared folders, AppData, ProgramData, and SmarterMail directories, utilizing randomized nomenclature and deceptive service tasks to evade detection.

    SmarterTools observed that such collectives aggressively exploit vulnerabilities across a diverse spectrum of products, including corporate collaboration platforms and backup systems. These threats often manifest as ostensibly legitimate applications previously instantiated on the server. At present, the developer reports no extant critical vulnerabilities within SmarterMail and has pledged to enhance the transparency of its security advisories, noting that support response times have been drastically reduced from days to hours.

  • The Browser Trap: KongTuke’s “CrashFix” Extension Turns Chrome into a Backdoor

    Adversaries affiliated with the KongTuke threat collective have inaugurated a sophisticated malicious lineage dubbed CrashFix, specifically engineered to compromise Google Chrome users. According to findings from Huntress, the incursion commences with the procurement of a fraudulent extension titled NexShield, which surreptitiously masquerades as the esteemed advertisement filter uBlock Origin Lite. Its presence within the official Chrome Web Store afforded the implant a deceptive veneer of authenticity.

    A victim encounters the CrashFix stratagem when their browser succumbs to unresponsiveness and abruptly terminates. Upon restoration, a pop-up interface manifests, alleging a critical systemic failure and proposing a “security audit” to remediate the anomaly. The user is coerced into invoking the Windows “Run” dialog and executing a pre-copied command. In reality, this command triggers a deleterious PowerShell script retrieved from an adversarial infrastructure. To evade heuristic detection, the legitimate utility finger.exe is migrated to the %temp% directory and rechristened as ct.exe, serving as a LOLBin (Living off the Land Binary).

    The offensive predominantly targets domain-joined corporate environments. In such instances, the victim’s workstation is infected with a bespoke trojan identified as ModeloRAT. Authored in Python, this malware is bundled within an archive containing its own WinPython environment, thereby ensuring operational independence from any pre-existing Python installations. ModeloRAT is characterized by a sophisticated RC4 encryption regimen, the capacity for registry-based persistence, and comprehensive telemetry harvesting. To shroud its presence, it adopts innocuous nomenclature for its autorun keys, such as “Spotify47” or “Adobe2841.”

    Conversely, residential users are subjected to a divergent infection chain predicated on multi-layered PowerShell obfuscation and a Domain Generation Algorithm (DGA) that refreshes command-and-control addresses weekly. The terminal script scrutinizes system parameters to generate a unique numerical fingerprint; should the system exhibit the hallmarks of a research or sandbox environment, the payload remains dormant.

    NexShield incorporates a delayed execution mechanism, activating its malevolent functions only sixty minutes post-installation to dissociate the extension from the ensuing instability. The extension deliberately overwhelms the browser by initiating billions of concurrent connections via the Chrome API, inducing the very freezes and crashes it later offers to “fix.” This cycle of engineered failures persists until the user either excises the extension or executes the commands that finalize the compromise.

    The extension further exfiltrates user metadata—including UUIDs and versioning—to the nexsnield.com domain, meticulously tracking installations and removals. Furthermore, anti-analysis techniques are employed to inhibit the invocation of developer tools or the inspection of page source code. The architectural sophistication of the KongTuke campaign reveals a concerted effort to deepen their foothold within corporate networks, specifically targeting Active Directory and internal infrastructures. Experts from Huntress emphasize that robust network monitoring and the vigilant oversight of background PowerShell processes remain the most efficacious vanguards against such multifaceted incursions.