Dirk-jan

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0

@EvanKlein338226 I'm not currently aware of another method that gives the same info!

@_dirkjan The classic "finding out your technique got patched during a live demo" moment 😭 At least it means someone at MS was paying attention to your research. What's your backup enumeration method now?

It appears that Microsoft removed the discovery of all domains in a tenant through ACS, a technique that I shared at my BH/DC talks last summer (though probably not many people spotted the reference). I found it out during a live demo of course 🙃

@DrAzureAD Why am I not surprised 😭

@_dirkjan @rotarydrone

@decoder_it Not satisfied with your CVE count I see? 😂

Gave some extra work to MSRC 😅

@NathanMcNulty I know the offensive side is tempting, but this is crossing into dark side territory 😅 should I be concerned? 😄

Doing some napkin math, I estimate just under 3 hours (fully optimized) to wipe 200K devices via Intune API If an attacker were unaware of API limits being per app, that bumps to ~5.5 hours under ideal conditions What happens if all admin devices are wiped first? 🤔 😳 🥺 😭

The next public edition of my "Offensive Entra ID" course will take place from June 8th to 11th in The Hague! Tickets are now available via events.outsidersecurity.nl/entra-26-07/. Last time the tickets sold out in a few weeks, so don't wait too long if you want to secure a spot.

@decoder_it Congrats! Pretty good number indeed 😄

With yesterday’s CVE I realized that I reached 20 CVEs. Nothing huge, but an honest number considering this isn’t even my job.🤷‍♂️

Are one-way trusts really one way? @lowercase_drm sums up how the TDO password lets you turn a one-way AD forest trust into bidirectional access, and releases a new tool to remotely extract these secrets. offsec.almond.consulting/trust-no-one_a…

@olafhartong The trees look different than what I remember.

Morzine, France 2026

Forgot to post it, but the recording of my Black Hat talk was released last week. If you're interested in all the hybrid AD attack surface you never knew about, give it a watch: youtu.be/rzfAutv6sB8?si…

Just dropped a short post on why some classic NTLM relay tricks seems to be dead on Server 2025. decoder.cloud/2026/02/25/wha…

More info and registration: insomnihack.ch/workshops/offe…

There are still some spots left for my class at @1ns0mn1h4ck next month. A good opportunity to visit a great conference in a beautiful place and even learn something about Entra ID at the same time!

@shahardorf & I found a phishing campaign abusing oauth applications in Entra in more than 50 organizations! And i promise you that in this blog we explain how you can do it too! And provide all the IOCs 🤭 It's one of these blogs i would enjoy reading! #tldr-0" target="_blank" rel="nofollow noopener">wiz.io/blog/detecting…

@NathanMcNulty @_subTee @fabian_bader @taviso Ah just noticed this is the login flow not the registration flow. In that case not sure why the Azure CLI specifically but it does have nice scopes 😄

@NathanMcNulty @_subTee @fabian_bader @taviso That looks like the Azure CLI client ID to me (which entrascopes.com confirms). This client has impersonation rights on the My Account API IIRC, why I don't know but that is probably why Fabian used it :)

Since I was bored in a plane I decided to revisit some of the Windows Hello tradecraft and finally implemented browser based FIDO2 auth using WHFB keys in roadtx. Thanks @fabian_bader and @NathanMcNulty for the inspiration!

@NathanMcNulty @_subTee @fabian_bader @taviso The Authenticator app has the correct delegated rights as I expected.

@_dirkjan @_subTee @fabian_bader @taviso Ahh, cool, I tried a minimal implementation to avoid adding dependencies :p For the MS Graph flow, don't you need an app registration for that? I couldn't get it work with delegated permissions :( The advantage of the one I got working is it uses delegated auth in My Signins :)

@NathanMcNulty @_subTee @fabian_bader @taviso Import cbor2 fixed most of it, plus I followed the documented MS Graph passkey registration flow for a change 😅 using the browser flow for registration would be a nice alternative.

@_dirkjan @_subTee @fabian_bader @taviso Haha, nice! I didn't realize you had done the full registration too I was just playing with it to learn, my Python is terrible, so decided it was a good first time to play with Antigravity Can't wait to see how you did it, CBOR dependency questions, command design, etc. :)

@childs999 @Cyb3rMonk @fabian_bader @NathanMcNulty Not yet :)

@_dirkjan @Cyb3rMonk @fabian_bader @NathanMcNulty Haa this update been released yet DJ?