Saturday, 16 July 2022
Access Checking Active Directory
Like many Windows-related technologies, Active Directory uses a security descriptor and the access check process to determine what access a u...
Sunday, 26 June 2022
Finding Running RPC Server Information with NtObjectManager
When doing security research I regularly use my NtObjectManager PowerShell module to discover and call RPC servers on Windows. Typically I...
Friday, 13 May 2022
Exploiting RBCD Using a Normal User Account*
* Caveats apply. Resource Based Constrained Delegate (RBCD) privilege escalation, described by Elad Shamir in the "Wagging the Dog"...
Sunday, 20 March 2022
Bypassing UAC in the most Complex Way Possible!
While it's not something I spend much time on, finding a new way to bypass UAC is always amusing. When reading through some of the featu...
Monday, 6 September 2021
LowBox Token Permissive Learning Mode
I was recently asked about this topic and so I thought it'd make sense to put it into a public blog post so that everyone can benefit. W...
Saturday, 21 August 2021
How the Windows Firewall RPC Filter Works
I did promise that I'd put out a blog post on how the Windows RPC filter works. Now that I released my more general blog post on the W...
Saturday, 14 August 2021
How to secure a Windows RPC Server, and how not to.
The PetitPotam technique is still fresh in people's minds. While it's not directly an exploit it's a useful step to get unauthe...