Robin Granberg

401 posts

Robin Granberg

Robin Granberg

@ipcdollar1

Works @ Semperis, Tweets are my own. Blog: https://t.co/XdICuDKHxR Project: https://t.co/Z7OT8sQOep

Katılım Eylül 2011
298 Takip Edilen379 Takipçiler
Robin Granberg
Robin Granberg@ipcdollar1·
@SecIDFR Interesting! I think it would be a good idea to check IsCanonical on the DACL
English
0
0
0
16
Christophe Poirier
Christophe Poirier@SecIDFR·
@ipcdollar1 Recently debug a delegation issue. 3 Ou with the same Deny. On one Ou the Deny was not effective. May be related to your finding. The next time I will use your article :).
English
1
0
2
29
Robin Granberg
Robin Granberg@ipcdollar1·
Regarding Active Directory permissions, most people assume that a Deny ACE always wins. It doesn't! Windows stops the access check the moment enough rights are granted — any ACE after that point is never evaluated. New post: managedpriv.com/blog/acl-canon…
English
1
7
19
1.6K
Robin Granberg
Robin Granberg@ipcdollar1·
The .NET ActiveDirectorySecurity API was built for helpdesk scripts, not ACL fidelity. If you're using it for backup, migration, or exact cloning — you're going to have a bad time. New post: the 9 design problems you need to know. bit.ly/3Rl635L
English
1
3
18
1.3K
Robin Granberg retweetledi
Andrea P
Andrea P@decoder_it·
Remember the CredMarshalInfo trick? If you hadn’t applied the June 2025 patch, CVE-2025-33073 would have been critical. We know that in NTLM local auth, msg 3 is empty:You can drop sign/seal -> from Domain User to DomainAdmin escalation. 😅
Andrea P tweet mediaAndrea P tweet media
English
5
62
222
18.7K
Or Yair
Or Yair@oryair1999·
Excited to release LDAPNightmare! The first PoC tool exploiting CVE-2024-49112 that I created with @ShahakMo ! Check out the repo and blog post detailing about the vulnerability: github.com/SafeBreach-Lab… Honored to be a part of the @safebreach labs team once again🫠
SafeBreach@safebreach

Starting 2025 strong! We’ve developed a PoC exploit for CVE-2024-49112. Read the blog and check out the GitHub repo: hubs.ly/Q030X5Y00 Just the beginning of the great things SafeBreach will deliver this year; stay informed at hubs.ly/Q030X2pM0. #CTEM #whatisPropagate

English
8
92
268
35.3K
Robin Granberg retweetledi
Andrea P
Andrea P@decoder_it·
M'm glad to release the tool I have been working hard on the last month: #KrbRelayEx A Kerberos relay & forwarder for MiTM attacks! >Relays Kerberos AP-REQ tickets >Manages multiple SMB consoles >Works on Win& Linux with .NET 8.0 >... GitHub: github.com/decoder-it/Krb…
Andrea P tweet media
English
15
226
541
50.9K
Robin Granberg retweetledi
Andrea P
Andrea P@decoder_it·
A short and light post on one of my favorite topics: spotting and exploiting GPO misconfigurations, nothing too technical, just the basics! 😅 decoder.cloud/2024/11/08/gro…
English
0
40
135
8.8K
Robin Granberg retweetledi
Andrea P
Andrea P@decoder_it·
Now a good one: In the latest Windows 11 Enterprise Insider edition, with Credential Guard enabled (by default), the "tgtdeleg" trick, previously a key for attack chains, is no more possible #tgtdeleg #rubeus
Andrea P tweet media
English
5
68
262
31.7K
Robin Granberg
Robin Granberg@ipcdollar1·
@decoder_it You’re worth more… You’re awesome and I’m grateful to be working side by side with you 🙌
English
0
0
1
218
Andrea P
Andrea P@decoder_it·
After today's enlightening meeting, I've decided to end my collaboration with MSRC
English
6
9
57
12.2K
Robin Granberg retweetledi
Andrea P
Andrea P@decoder_it·
Is Kerberos relaying so limited? I'd say no, thanks to @tiraniddo CredMarshalTargetInfo trick. In this case, I'm relaying SMB to HTTP (ADCS) with a modified version of @cube0x0 krbrelay using DFSCoerce and PetitPotam - classic ESC8 attack with Kerberos, no DCOM involved ;)
Andrea P tweet mediaAndrea P tweet media
English
10
110
343
57.8K
Robin Granberg retweetledi
Eric Woodruff | MVP | CIDPRO
Eric Woodruff | MVP | CIDPRO@ericonidentity·
🤫 The part I’m most excited about with my #BHUSA talk is secretly teaching everyone about identity components of #Entra multi-tenant applications and service principals. 🤓 If that sounds boring, pretend you didn’t read this. #BlackHat2024 #infosec #EntraID #foreshadowing
Eric Woodruff | MVP | CIDPRO@ericonidentity

If you are curious how some lesser privileged admins in #Entra could have pivoted to Global Admin in a greenfield tenant, and you're going to be at #BHUSA, the knowledge on my important severity privilege elevation will be dropped 👇 #aad #m365 #azure #unoauthorized-a-technique-to-privilege-escalation-to-global-administrator-39231" target="_blank" rel="nofollow noopener">blackhat.com/us-24/briefing…

English
1
1
9
1.1K
Robin Granberg retweetledi
Hot Fiendish Dr. Noid Summer
Are you also on a conf bridge in the middle of the night dealing with Crowdstrike's bullshit?
Hot Fiendish Dr. Noid Summer tweet media
English
31
67
317
109K
Robin Granberg retweetledi
inversecos
inversecos@inversecos·
Detecting Lateral Movement in Entra ID 😍 Threat actors can perform tenant-to-tenant lateral movement by abusing Cross Tenant Synchronisation. Full blog 👇 xintra.org/blog/lateral-m… You can detect lateral movement from specific logons abusing this feature in Entra ID 😝 This blog covers: > Attack methodology > Detection methodology
English
11
163
503
61.3K