Saturday, 16 July 2022

Access Checking Active Directory

Like many Windows related technologies Active Directory uses a security descriptor and the access check process to determine what access a u...
Sunday, 26 June 2022

Finding Running RPC Server Information with NtObjectManager

When doing security research I regularly use my NtObjectManager PowerShell module to discover and call RPC servers on Windows. Typically I&...
Friday, 13 May 2022

Exploiting RBCD Using a Normal User Account*

* Caveats apply. Resource Based Constrained Delegate (RBCD) privilege escalation, described by Elad Shamir in the "Wagging the Dog&quo...
Sunday, 20 March 2022

Bypassing UAC in the most Complex Way Possible!

While it's not something I spend much time on, finding a new way to bypass UAC is always amusing. When reading through some of the featu...
Monday, 6 September 2021

LowBox Token Permissive Learning Mode

I was recently asked about this topic and so I thought it'd make sense to put it into a public blog post so that everyone can benefit. W...
Saturday, 21 August 2021

How the Windows Firewall RPC Filter Works

I did promise that I'd put out a blog post on how the Windows RPC filter works. Now that I released my more general blog post on the W...
Saturday, 14 August 2021

How to secure a Windows RPC Server, and how not to.

The PetitPotam  technique is still fresh in people's minds. While it's not directly an exploit it's a useful step to get unauthe...