From NTLM relay to Kerberos relay: Everything you need to know

While I was reading Elad Shamir's recent excellent post about NTLM relay attacks, I decided to contribute a companion piece that dives into the mechanics of Kerberos relays, offering an analysis and practical insights into how these attacks work and how they differ from NTLM-based relays. If you've been following my posts, tweets…

Changing Windows Passwords in the Most Complex Way

Why write a post about changing Windows passwords programmatically when so many built-in and third-party tools already let us do it effortlessly? The answer is simple: curiosity. It drives us to understand the underlying mechanisms of the systems we interact with, explore hidden parts, and sometimes even uncover unintended behaviors or security flaws. This post…

The (Almost) Forgotten Vulnerable Driver

Vulnerable Windows drivers remain one of the most exploited methods attackers use to gain access to the Windows kernel. The list of known vulnerable drivers seems almost endless, with some not even blocked by AV/EDR solutions or included in Microsoft's Driver Block List. Some time ago, I revisited an old post of mine about creating…

Group Policy Security Nightmares pt2

In this second super short post, I want to explore an unusual Group Policy Object (GPO) configuration I recently encountered. The GPO in question used a File Preference policy to copy a custom HOSTS file from a remote share to the local machine's HOSTS file. This caught my attention because it introduced an unexpected element…

Group Policy Security Nightmares pt 1

In the realm of IT administration, Group Policies serve as a powerful tool for centrally managing and controlling various aspects of an Active Directory network environment in a Windows-based operating system. They provide a way to enforce consistent settings and configurations across multiple computers and user accounts within a domain or organizational unit. In this…

The “Fake” Potato

While exploring the DCOM objects for the "SilverPotato" abuse, I stumbled upon the "ShellWindows" DCOM application. This, along with "ShellBrowserWindows", is well-known in the offensive security community for performing lateral movement by instantiating these objects remotely with admin privileges. However, I was curious to understand if they could be abused locally by a standard user…

Abusing the SeRelabelPrivilege

In a recent assessment, it was found that a specific Group Policy granted the SeRelabelPrivilege to the built-in Users group via "User Rights Assignment" and was applied to several computer accounts. I had never encountered this privilege before and was obviously curious to understand the potential implications and the possibility of any (mis)usage scenario. Microsoft documentation…

Hello: I’m your Domain Admin and I want to authenticate against you

TL;DR (really?): Members of the Distributed COM Users or Performance Log Users groups can remotely trigger and relay the authentication of users connected to the target server, including Domain Controllers. #SilverPotato Remember my previous article? My insatiable curiosity led me to explore the default DCOM permissions on Domain Controllers during a quiet evening... Using some…