SERVICESEXPERTS BLOGLET'S TALK

Offensive Perspectives

Fortalice BOFHound Release - Granularize Your Active Directory Reconnaissance Game
Fortalice BOFHound Release - Granularize Your Active Directory Reconnaissance Game
Adam Brown

BloodHound has helped offensive and defensive teams since then conduct efficient and thorough auditing of Active Directory environments. For a while, reviewing Active Directory environments without BloodHound became almost unimaginable, and certainly unattractive. As the tool has evolved and grown, it has become a staple of the offensive tester's toolkit while simultaneously becoming an increasingly desired detection point for defensive teams. Several detection strategies have surfaced over the past 7 years. This post will cover a few helpful detection strategies. Some you may know of, and others, maybe not. Then we'll wrap by introducing two new tools which aim to give red teams a chance at avoiding detection when necessary.

Keeping Up with the NTLM Relay
Keeping Up with the NTLM Relay
Matthew Creel

ADCS: Playing with ESC4
ADCS: Playing with ESC4
Matthew Creel

Shadow Credentials: Workstation Takeover Edition
Shadow Credentials: Workstation Takeover Edition
Matthew Creel

Active Directory Certificates and PKINIT are hot topics these days and our operators at Fortalice have been doing their best to stay on top of the new research and tools. My previous blog touched on PyWhisker and referenced one of its resources available on https://thehacker.recipes. While reading through the documentation there, a note near the bottom caught my eye, which stated: User objects can't edit their own msDS-KeyCredentialLink attribute while computer objects can.

PKINIT FTW - Chaining Shadow Credentials and ADCS Template Abuse
PKINIT FTW - Chaining Shadow Credentials and ADCS Template Abuse
Matthew Creel

On a recent red team engagement, our team was tasked with focusing on Active Directory Certificate Services (ADCS) exploitation. The objective was to identify certificate template misconfigurations and potentially achieve privilege escalation by abusing them. The concepts and attacks used were based around the work and whitepaper by Will Shroeder (@harmj0y) and Lee Christensen (@tifkin_).

Elevating with NTLMv1 and the Printer Bug
Elevating with NTLMv1 and the Printer Bug
Matthew Creel

Demystifying Penetration Testing Pricing
Demystifying Penetration Testing Pricing
Kyle Macken

Hiding Behind the Front Door
Hiding Behind the Front Door
Red Team

Domain fronting is a generic technique based on HTTPS that allows an actor to hide the true destination of a communication from network equipment in the path. While domain fronting has been used in offensive engagements for several years now, the number of frontable cloud services continues to dwindle. Today, Fortalice is publicly adding another service to that list: Azure Front Door.

Interview with an Expert: OCO Director Matt Shirley
Interview with an Expert: OCO Director Matt Shirley
Fortalice Solutions

Fortalice Director of Offensive Cybersecurity Operations (OCO) Matt Shirley talks the red team's perspective on addressing cyber threats on behalf of our clients. 

Categories
Defensive Perspectives
Offensive Perspectives
Executive Perspectives
Recent Posts
Fortalice BOFHound Release - Granularize Your Active Directory Reconnaissance Game
Keeping Up with the NTLM Relay
Okta Breach Advisory