DirectoryRanger
@DirectoryRanger
This account assembles and disseminates information related to Active Directory and Windows security.
24/7 Active Directory Incident Response Contact: Tel. +49 (0) 6221 7569637 E-mail: [email protected]
Windows Hello for Business – The Face Swap, on @Insinuator insinuator.net/2025/07/window…
Slides of the @WEareTROOPERS #TROOPERS25 'AD & Entra ID Security' track have been published. Just click on the individual talks in the agenda. Day 1 troopers.de/troopers25/age… Day 2 troopers.de/troopers25/age…
Microsoft Active Directory Forest Recovery Guide, by @shorinsean semperis.com/wp-content/upl…
NTUSER.DAT Forensics Analysis 2025 #DFIR cybertriage.com/blog/ntuser-da…
Activities that are audited in Microsoft 365 #DFIR learn.microsoft.com/en-us/purview/…
Entra ID groups inspector: a Log Analytics dashboard for tracking changes to groups systanddeploy.com/2025/05/entra-…
Pwning Reflection Using NTLM Reflection, by @seriotonctf seriotonctf.github.io/Pwning-Reflect…
The Art of the Honeypot Account: Making the Unusual Look Normal, by @PyroTek3 hub.trimarcsecurity.com/post/the-art-o…
Nothing Funny About It. Threat Hunting for Living off the Land Binaries (LoLBins) #DFIR abcbyd.substack.com/p/nothing-funn…
The slides from #TROOPERS25 are now available🔥 The key point in the talk is that Device Registration Service is often forgotten in Conditional Access, leading to various abuse. This talk introduces one of the examples and explains lateral movement tips. troopers.de/downloads/troo…
It was great to attend #TROOPERS25! Beautiful city, nice weather, talented researchers. My talk was just based on how Entra works but I hope it contributed to the community. Thanks to everyone I had a chance to talk to! No jet lag now. Time to go home😂 github.com/temp43487580/E…
ernw.de research (II) Input Validation Vulnerabilities in Microsoft Bookings insinuator.net/2025/05/disclo… When Your Edge Browser Syncs Private Data to Your Employer insinuator.net/2025/02/when-y… Jigsaw RDPuzzle: Piecing Attacker Actions Together insinuator.net/2025/01/jigsaw…
This is so much! 🔥🔥😎 Found two new Potato triggers just today. Not only Potato but can also be used for LPE as remote auth is done which could be relayed to LDAP without Signing enabled. Or relayed to ADCS for a certificate. github.com/warpnet/MS-RPC…
Entra ID First Party Apps & Scope Browser, by @fabian_bader & @_dirkjan entrascopes.com
To trigger local SYSTEM authentication for relaying to ADCS or LDAP for LPE you would usually need the printer service or EFS service to be enabled (printerbug/petitpotam). Here is an alternative without this requirement 🤠 github.com/rtecCyberSec/R…
Strengthen identity threat detection and response with linkable token identifiers techcommunity.microsoft.com/blog/microsoft…
Hi, I just released this python-version of @CICADA8Research's nice RemoteKrbRelay-tool. It is based on @_dirkjan's KrbRelayx and @sploutchy's potato.py and rpcrelayserver.py. Please check it out: github.com/OleFredrik1/re…
Secure your default domain administrator (RID 500) account! For guidance see (at the top page using this link): jorgequestforknowledge.wordpress.com/blog-post-seri…