Bypassing Conditional Access policies that have a resource exclusion 12 minute read... 2026-6-22 14:0:57 | 阅读: 4 | 收藏 | dirkjanm.io - dirkjanm.io microsoft scopes client exclusion behaviour

One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens 这篇文章描述了一个严重的Entra ID漏洞，允许攻击者通过未记录的Actor令牌和Azure AD Graph API的验证缺陷跨租户访问数据，甚至完全控制其他租户。微软已修复该漏洞并发布了CVE-2025-55241。... 2025-9-17 13:0:57 | 阅读: 32 | 收藏 | dirkjanm.io - dirkjanm.io microsoft entra exchange tenants netid

Extending AD CS attack surface to the cloud with Intune certificates 文章探讨了Active Directory Certificate Services (AD CS)在混合云环境中的攻击面，重点分析了通过Intune和证书连接器分发证书可能导致的安全风险。指出Intune管理员可请求任意主题证书，甚至普通用户可能利用配置错误的设置提升权限至域管理员。... 2025-7-30 14:0:57 | 阅读: 31 | 收藏 | dirkjanm.io - dirkjanm.io intune scep ndes connector pkcs

Persisting on Entra ID applications and User Managed Identities with Federated Credentials 7 minute read... 2024-8-1 02:0:57 | 阅读: 22 | 收藏 | dirkjanm.io - dirkjanm.io federated entra identities roadoidc idp

Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes 10 minute read... 2024-5-6 21:0:57 | 阅读: 22 | 收藏 | dirkjanm.io - dirkjanm.io tap prt windows taps

Phishing for Primary Refresh Tokens and Windows Hello keys 11 minute read... 2023-10-11 00:8:57 | 阅读: 37 | 收藏 | dirkjanm.io - dirkjanm.io phishing prt whfb microsoft

Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust 19 minute read... 2023-6-13 19:8:57 | 阅读: 30 | 收藏 | dirkjanm.io - dirkjanm.io premises prt cloud privileges rodc

Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD auth, Primary Refresh Token (ab)use and device registration Ever since the initial release of ROADrecon and the ROADtools framework I have bee... 2022-11-9 19:8:57 | 阅读: 37 | 收藏 | dirkjanm.io roadtx prt keepass selenium

Abusing forgotten permissions on computer objects in Active Directory 9 minute read... 2022-7-12 00:8:57 | 阅读: 18 | 收藏 | dirkjanm.io bloodhound aces msds 11d0

Relaying Kerberos over DNS using krbrelayx and mitm6 11 minute read... 2022-2-23 02:8:57 | 阅读: 27 | 收藏 | dirkjanm.io victim client mitm6 krbrelayx

NTLM relaying to AD CS - On certificates, printers and a little hippo 14 minute read... 2021-7-29 01:8:57 | 阅读: 15 | 收藏 | dirkjanm.io pkinit relaying machine whitepaper

Active Directory forest trusts part 2 - Trust transitivity and finding a trust bypass 24 minute read... 2021-6-11 02:8:57 | 阅读: 30 | 收藏 | dirkjanm.io forest drw cloud sids trusts

A different way of abusing Zerologon (CVE-2020-1472) 17 minute read... 2020-9-25 03:0:0 | 阅读: 39 | 收藏 | dirkjanm.io machine zerologon netlogon relaying

Digging further into the Primary Refresh Token 19 minute read... 2020-8-6 02:38:0 | 阅读: 20 | 收藏 | dirkjanm.io prt derived cloudap tpm mimikatz

Abusing Azure AD SSO with the Primary Refresh Token 21 minute read... 2020-7-21 23:57:0 | 阅读: 21 | 收藏 | dirkjanm.io prt sso chrome browsercore joined

Introducing ROADtools - The Azure AD exploration framework 15 minute read... 2020-4-16 18:0:0 | 阅读: 24 | 收藏 | dirkjanm.io database roadrecon roadtools bloodhound

Updating adconnectdump - a journey into DPAPI Last year when I started playing with Azure I looked into Azure AD connect and how... 2019-12-12 01:8:57 | 阅读: 29 | 收藏 | dirkjanm.io keyset database masterkey adsync mimikatz

Office 365 network attacks - Gaining access to emails and files via an insecure Reply URL One of the main powers of Office 365 is the tight integration between all the onli... 2019-10-15 01:8:57 | 阅读: 25 | 收藏 | dirkjanm.io microsoft attacker network victim client

Exploiting CVE-2019-1040 - Combining relay vulnerabilities for RCE and Domain Admin - dirkjanm.io 7 minute read... 2019-08-23 22:46:33 | 阅读: 70 | 收藏 | dirkjanm.io exchange attacker ntlmrelayx