Archives

2024

• 14 Feb SharpADWS - 滥用 ADWS 协议枚举 Active Directory
• 18 Jan WinT - 2023 第七届“强网杯”决赛 RPC 本地提权 Review

2023

• 03 Dec AD CS - New Ways to Abuse ManageCA Permissions
• 27 Nov Revisiting a Abuse of Read-Only Domain Controllers (RODCs)
• 02 Aug S4UTomato - Escalate Service Account To LocalSystem via Kerberos
• 29 Jul Revisiting a UAC Bypass By Abusing Kerberos Tickets
• 09 Jul How to Forge a Kerberos Ticket by Yourself
• 06 Jul Creating Windows Access Tokens With God Privilege
• 28 Feb Pass The Certificate when PKINIT Padata Type is NOSUPP
• 08 Feb Sekurlsa - 如何滥用 CreateProcessWithLogonW 函数实现哈希传递
• 06 Feb Sekurlsa - 如何从 Wdigest 中转储用户登录凭据
• 31 Jan Sekurlsa - 如何从 MSV1_0 中转储用户登录凭据
• 18 Jan Revisiting a Credential Guard Bypass From Wdigest
• 06 Jan DCSync - 如何滥用 IDL_DRSGetNCChanges 接口转储域数据

2022

• 27 May Privilege Escalation - Exploiting RBCD Using a User Account
• 21 May PetitPotato - How Do I Escalate To SYSTEM Via Named Pipe
• 19 May Domain Escalation - Certifried combined with KrbRelay
• 12 May Certifried - Active Directory 域权限提升漏洞（CVE-2022–26923）
• 02 May Privilege Escalation - NTLM Relay over HTTP (Webdav)
• 27 Apr Shadow Credentials
• 26 Apr 使用 MITM6 通过 DNS 中继 Kerberos 身份验证
• 26 Mar 使用 MITM6 中继 WPAD 身份验证
• 15 Mar Attack Surface Mining For AD CS
• 12 Mar Abusing Domain Delegation to Attack Active Directory