Matan Bahar
@Bl4ckShad3
Tzach Benita and I just finished developing a simple tool in C++ to dump the LSASS memory and encrypt the dump using AES with CBC. The tool worked against a fully patched Windows Server 2022. Link to github in the 1st comment. #cybersecurity #windows #infosec #redteam #PenTest
New research alert, Phishing as a Service - Abuse Azure Apps to Phish the Tenant. While researching Azure App Permissions with my colleague @IdanLerman , we found a way to impersonate any user in the tenant and send an email on their behalf. medium.com/@matanb707/phi…
While researching in Azure with my partner @IdanLerman, we found some cool misconfigurations in Azure role conditions that can lead to full subscription compromise. medium.com/@matanb707/own… #RBAC #RoleCondition #Azure #ConditionByPass
I'm happy to share another part regarding my recent research "The Perfect Cover: Masking Password Sprays as Microsoft Traffic", as I used legitimate function apps in a malicious way to mask the IP address and the location. medium.com/@matanb707/the… #FunctionApps #DefenseEvasion
My recent research "The Perfect Cover: Masking Password Sprays as Microsoft Traffic" was shared by Merill Fernando; it is an honor to be in that blog, thank you for sharing! Link to the blog: entra.news/p/entra-news-8… Link to the research: medium.com/@matanb707/the…
Entra-Pass-Spray – A password spraying tool leveraging Azure Runbooks to evade detection. By running within Microsoft's infrastructure, it masks the attack source as a Microsoft IP in victim logs and therefore goes under the radar. medium.com/@matanb707/the…
Can dMSA be abused for persistence in Active Directory? This article explores potential security risks, misuse scenarios, and defensive measures to prevent attackers from leveraging misconfigured dMSAs. medium.com/@matanb707/adv… #CyberSecurity #ActiveDirectory #dMSA
I am pleased to share the findings of my recent research on the Azure Virtual Desktop and Azure Event Hub. medium.com/@matanb707/spa… #Azure #EventHub #AVD #ProcessDump #SASToken
I am pleased to share the findings of my recent research on the Microsoft Graph API and its application permissions, specifically focusing on the EntitlementManagement.ReadWrite.All permission. medium.com/@matanb707/cat… #Azure #EntraID #AccessPackage #Catalog
I am pleased to share the findings of my recent research on the Microsoft Graph API and its application permissions, specifically focusing on the User.ReadWrite.All permission. medium.com/@matanb707/gue…
Together with my colleague Idan Lerman, I am pleased to introduce LAPS Extractor, a new PowerShell script designed for securely retrieving LAPS (Local Administrator Password Solution) passwords in Active Directory environments. medium.com/@matanb707/ret…
I'm excited to introduce StealthPasswordSpray, a new PowerShell script designed for stealthy password spraying attacks on Active Directory environments. It has been tested on Defender and various EDR solutions, successfully bypassing them. github.com/ADPunisher/Ste…
Together with my colleague Idan Lerman, I am pleased to share some research about the Kerberos protocol and a POC we developed that bypasses AV/EDR and extracts the TGS. medium.com/@matanb707/ker…
Crowdfunding campaign for Kfar Saba of the Fans 1928💚 As a club, we need more money in order to get through the current season. The target amount is 120,000₪. The campaign is intended for anyone who is moved by football and community, for anyone who wants to be an owner of a team - in short, it is for everyone! We need you with us! headstart.co.il/project/77519
The security research blog I promised you has been released - One Electron to Rule Them All! Thanks to my amazing team @VakninHai @Tamirye94 and @Bl4ckShad3 for working closely with me on this fun research ❤️ medium.com/@MalFuzzer/one… #cybersecurity #infosec #redteam
EnumSecToolkit Release: Proud to launch EnumSecToolkit on GitHub! Developed with @R3dTeamN1nja, it simplifies identifying security vulnerabilities. New script: EnumLocalAdminAccess, using WMI, WinRM, RPC & SMB. Feedback appreciated! GitHub repo & PoC: github.com/ADPunisher/Enu…
Another offensive PoC tool, for the fun of it, that leverages the SeBackupPrivilege security token to be able to harvest SAM and SYSTEM. Here is a link to my GitHub repo, which also includes a recorded PoC: github.com/ADPunisher/Bac…
I've decided to release yet another offensive PoC tool that leverages the SeTakeOwnershipPrivilege security token to be able to take over and fully control files on the operating system. Here is a link to my GitHub repo, which also includes a recorded PoC: github.com/ADPunisher/Own…
Excited to present a project that my colleague @YudaSm2 and I have been working on: the EnumSecToolkit. This advanced tool has been specifically designed to streamline and automate the enumeration and reconnaissance phase of red team assessments.