Lukas Klein | @rantasec.bsky.social

Check out GoLinHound: - Discovers Linux & SSH attack paths - Outputs OpenGraph JSON for BloodHound ingestion - Integrates with SharpHound and AzureHound data to unveil cross-technology attack paths github.com/RantaSec/golin…

SpecterOps released "DumpGuard" along with a detailed article on how they were able to bypass Windows Credential Guard in both privileged and unprivileged contexts. I learned a ton about Isolated LSA and friends: specterops.io/blog/2025/10/2…

Fact: Remote service and scheduled task creation bypass firewalls on DCs and Win file servers because of SMB tunnelling. Solution: Create RPC filters that block MS-SCMR and MS-TSCH over named pipes. The latter has 3 UUIDs, so blocking the atsvc pipe is more elegant. #DSInternals

Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM. github.com/trustedsec/Tit…

The DSInternals.RpcFilters PowerShell module for Windows RPC filter management is out! Includes support for the new OpNum matching capability of Windows Server 2025. Looking forward to community feedback. github.com/MichaelGrafnet…

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

Can't kill sysmon.exe anymore? Cut it off from its own log by stopping ETW logger! LocalSystem required, of course.

Check out @elad_shamir's recent blog post to learn more about NTLM relay attacks. ⬇️ ghst.ly/4lv3E31

Catch @IzySec's recent podcast discussing Rogue Remote Desktop Protocol: open.spotify.com/episode/5AGW25…

Check out this new blog post from @_wald0 discussing the fundamental components & mechanics that enable the emergence of critical Attack Paths in Microsoft's increasingly popular Intune product. ⬇️ ghst.ly/3Cd5cwH

Now available in my tenant ADSynchronization.ReadWrite.All

The Chinese threat intelligence report is here: mp.weixin.qq.com/s/3bmehaRuvaL5… It’s always nice to see reports from other parts of the world because they can give a different perspective. That said, the translation I read was super confusing so I’m sure I missed some details

I finished my talk at BHEU! The attack methods and techniques shared in the talk are not a great deal, but I hope this serves as an opportunity to draw attention to the importance of security measures for Intune. Here is the tool released for the talk. github.com/secureworks/py…

FLARE is releasing a tool today that I've been working on over this year that helps break down binaries into smaller functional clusters and uses Gemini to describe their relationships, behavior and the overall malware functionality. It's called XRefer and it is out for you to read about and try out. Check out the write up here, and look below for some examples: cloud.google.com/blog/topics/th…

Unauthenticated Remote Code Execution (RCE) on Domain Controllers (DC). It does not get worse than that. Probably will be included in #ransomware campaigns. Any technical analysis of CVE-2024-49112 published? CC: @gentilkiwi @harmj0y @_wald0

How many audits or IR engagements do you think pull the UAL without checking if any accounts have Audit Bypass enabled?

Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃

New #AADInternals version is finally out now: ▪ Moved endpoint related stuff to new module: AADInternals-Endpoints ▪ Added blue team stuff: Get app consent info, find backdoors, convert SID<>Entra ID Object ID, find abusable dynamic groups ▪ Added red team stuff: Get ESTSAUTH cookies, export Intune certificate, invoke PS scripts as system or other users See full change log at: #version-info" target="_blank" rel="nofollow noopener">aadinternals.com/aadinternals/#…

The systems used to intercept those calls were designed, built and installed specifically for the FBI to intercept calls. These systems were working exactly as intended, except being operated by “the bad guys.” A scenario always raised as a reason for strong encryption.

Microsoft's Threat-Intelligence ETW provider now supports events to identify token impersonation attacks. I wrote a blog on these events and how Microsoft is surfacing them: jsecurity101.medium.com/behind-the-mas…