shellz.club

A Novel Method for Bypassing ETW

I wanted to bypass Event Tracing for Windows (ETW) without any memory patching or hardware breakpoints. The purpose of breaking ETW is almost always to prevent EDR from gaining telemetry on the ex...

Dumping Active Directory Credentials

All Active Directory user account password hashes are stored inside the ntds.dit database file on the Domain Controllers. However, if you have ever tried copying the file, you’ll probably have rece...

Kerberos Abuse Part 3 - Constrained Delegation

I wanted to complete The Power of Kerberos series by looking at Constrained Delegation, the last type of Kerberos delegation. This post will demonstrate how Constrained Delegation can be levera...

Kerberos Abuse Part 2 - Unconstrained Delegation

We are continuing from Part 1 and leveraging Unconstrained Delegation on HEADHUNTER to gain Domain Admin privileges via the printer bug. Preconditions for Unconstrained Delegation Control of...

Kerberos Abuse Part 1 - Resource-Based Constrained Delegation

Imagine the below setup, with Bravo being a low privileged user, and HEADHUNTER being configured with Unconstrained Delegation. This can be exploited to achieve Domain Admin privileges by perfor...

Getting Local Admin with only an NTLM Hash

Imagine if an unprivileged user (i.e. not a member of local administrators) found an NTLM hash of a user within the local administrators group. Could the unprivileged user obtain admin privileges? ...

EdgeGdi.dll for Persistence and Lateral Movement

I recently read https://www.chadduffey.com/windows/release_notes/2020/10/10/edgegdi.html which describes how EdgeGdi.dll can be used for persistence, although with the caveat that “Windows wont tol...

Getting Started with Windows Defender Application Control (WDAC)

Windows Defender Application Control (WDAC), formerly known as Device Guard, is a Microsoft Windows security feature that restricts executable code, including scripts run by enlightened Windows scrip...

Bypassing LSA Protection on Windows 10/11

Starting with Windows 8.1 (and Server 2012 R2) Microsoft introduced a feature termed LSA Protection. This feature is based on the Protected Process Light (PPL) technology which is a defense-in-dept...

Game Over Privileges

On Windows a privilege is the right of an account, such as a user or group account, to perform various system-related operations on the local computer. There are 36 privileges defined in the Privil...