Dirk-jan
@_dirkjan
Hacker at @OutsiderSec. Researches AD and Azure (AD) security. Likes to play around with Python and write tools that make work easier.
Some big personal news: last year I decided to start my own company. Today I'm making it official and announcing Outsider Security (@OutsiderSec). My focus will be on Azure AD and Active Directory security, converting my research experience into in-depth tests and advice.
91 slides so far for my BH/DC talk... Not even covering everything I wanted to yet. going to have to cut out all the jokes and speedrun it... In my defense I did put "advanced" in the title sooo I guess that gives me an excuse not to explain everything in-depth 😅
Shared the PoC with @mkolsek few days ago, the same one I gave to microsoft. Unlike microsoft however, they not only verified the issue within days but refined it demonstrating that ANY domain user can crash a fully patched windows 2025 server as of now.
Our researchers have confirmed this issue on freshly installed fully updated Windows Server 2025 domain controller, using a regular domain user as attacker. Instant domain controller BSOD by any domain user.
I'm very excited to share that Thomas Elling and I will be presenting "We Know What You Did (in Azure) Last Summer" at the DEF CON @cloudvillage_dc this year (Friday - 10 AM). We will go over some techniques that can be used to find the owners of multiple types of Azure resources
The Blog post about "Revisiting Cross Session Activation attacks" is now also public. Lateral Movement with code execution in the context of an active session? 😎 Here you go: r-tec.net/r-tec-blog-rev…
How not to do multi-tenant apps. Nice find by @_harleo from modzero, compromising Synology Active Backup client secrets (from the Synology tenant) during installation 🤦 modzero.com/en/blog/when-b…
🚨 Heads-up for #AppLocker admins on #Lenovo laptops. ICYMI There's a sneaky leftover file inside C:\Windows\ that can be used to bypass your AppLocker restrictions. 😱 It’s part of Lenovo’s OEM setup. Worth checking for and removing if you rely on AppLocker. 🔍 Info about the…
Got word from MSRC that the product team reevaluated their initial duplicate/not-a-vuln decision and will actually be fixing this validation flaw in EAM 😂
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
If anything this week, I highly recommend giving this #EntraID research by @fabian_bader and @_dirkjan on CA bypasses a read. dirkjanm.io/assets/raw/Fin…
Don't miss #BHUSA Briefings "Advanced Active Directory to Entra ID Lateral Movement Techniques". Introducing several new lateral movement techniques that allow us to bypass authentication, MFA, stealthily exfiltrate data & more >> bit.ly/3TIyGHH
Pretty cool! If you use the tool with a public client and scope from entrascopes.com you can add this to roadtx interactiveauth with the -url parameter to catch the resulting token 😀
Okay folks, your going to want to bookmark this. Over the weekend I vibe coded a tool I'm calling Microsoft Entra Sign-in URL Builder This is something I've been wanting to build for some time and inspiration struck. Here's a quick walk through 🧵👇
Slides from my @WEareTROOPERS talk are available at aadinternals.com/talks
After today’s talk at #TROOPERS25 I’m releasing BitlockMove, a PoC to execute code on remote systems in the context of a loggedon user session 🔥 github.com/rtecCyberSec/B… No need to steal credentials, no impersonation, no injection needed 👌
One of the results of the joined research with @_dirkjan is entrascopes.com Basically the yellow pages for Microsoft first party apps. #TROOPERS25
Structured way to find conditional access bypasses from @fabian_bader and @_dirkjan ☝️
Ex colleague @TEMP43487580 from Secureworks rocking the stage at @WEareTROOPERS