DirectoryRanger

24/7 Active Directory Incident Response Contact: Tel. +49 (0) 6221 7569637 E-mail: incident-response@ernw.de

Stealthy WMI lateral movement - StealthyWMIExec.py ghaleb0x317374.github.io/2026/03/15/Ste…

It appears that Microsoft removed the discovery of all domains in a tenant through ACS, a technique that I shared at my BH/DC talks last summer (though probably not many people spotted the reference). I found it out during a live demo of course 🙃

@pinkflawd @DrAzureAD @Earl553 @WEareTROOPERS @ChadBrigance @_Sn0rkY @theevilbit And – which may be of interest for some on this thread, too ;-) – only 17 days left in the CfP and the CfT troopers.de/troopers26/con…

The C:\User Data in Windows Forensics, by @ElcomSoft blog.elcomsoft.com/2026/03/the-cu…

Try doing this in orgs with over 50k SharePoint sites. Welcome to my world :P learn.microsoft.com/en-us/copilot/…

VMkatz. Extract Windows credentials directly from VM memory snapshots and virtual disks, by @Nikaiw github.com/nikaiw/VMkatz

Thank you for coming to today's talk at #Insomnihack . I will upload the slides later but here is the new release of the BAADTokenBroker bof for those of you interested github.com/temp43487580/B…

Jigsaw RDPuzzle: Piecing Attacker Actions Together, by @insinuator insinuator.net/2025/01/jigsaw…

Trustify. command-line tool for creating (and deleting) inbound Active Directory forest trusts with TGT delegation enabled using native Windows LSA APIs (see also this @WeAreTROOPERS talk by @jonas_b_k: troopers.de/troopers25/tal…) github.com/bytewreck/Trus…

Entra Connect Attacker Tradecraft, by @hotnops Part 1 specterops.io/blog/2024/12/1… Part 2 specterops.io/blog/2025/01/2… Part 3 specterops.io/blog/2025/07/3…

The Azure Lab Diaries - Detecting EDR Silencers mahmoudelfawair.me/posts/theazure…

Vulnerabilities in Broadcom VMware Aria Operations: Privilege Escalation (CVE-2025-41245 / CVE-2026-22721), via @Insinuator insinuator.net/2026/03/vulner…

Consent & Compromise: Abusing Entra OAuth for Fun and Access to Internal Microsoft Applications research.eye.security/consent-and-co…

Vulnerability Disclosure: Stealing Emails via Prompt Injections, via @Insinuator insinuator.net/2025/09/steali…

Extending AD CS attack surface to the cloud with Intune certificates, by @_dirkjan dirkjanm.io/extending-ad-c…

gpoParser. tool designed to extract and analyze configurations applied through GPOs, by @wil_fri3d github.com/synacktiv/gpoP…

Different ways of dumping lsass, by @yo_yo_yo_jbo github.com/yo-yo-yo-jbo/d…

Windows Hello for Business – Faceplant: Planting Biometric Templates, by @insinuator insinuator.net/2025/08/window…

Malicious Encoded PowerShell: Detecting, Decoding & Modeling detect.fyi/malicious-enco…

What Did the Attacker Read? MailItemAccessed Tells You #DFIR blog.nviso.eu/2025/10/02/wha…