active directory azure bloodhound cloud defender for identity defender_for_cloud entraid microsoft powershell process injection ropc security sharepoint tool webauthn whfb windows windows defender wmi
-
Evading EntraID Conditional Access Policies via Cross-Tenant ROPC
3–5 minutesWe show a Cross-Tenant ROPC issue that evades Conditional Access Policies. Attackers can successfully authenticate and generate “Success” logs without triggering MFA, though the resulting… Read more…
-
New Process Injection Class: The CONTEXT-Only Attack Surface
25–37 minutesWhat happens when you skip memory allocation, skip writing, and weaponize thread context alone? This post explores a new class of process injection that lives… Read more…
-
Breaking Down SharePoint Walls: Hunting for Sensitive Files
8–11 minutesShareFiltrator is a Python tool designed for enumerating and bulk downloading sensitive files from SharePoint and OneDrive using authenticated cookies. It leverages SharePoint’s search API… Read more…
-
ShadowHound: A SharpHound Alternative Using Native PowerShell
6–10 minutesShadowHound is a PowerShell tool designed for mapping Active Directory environments without using known malicious binaries. It utilizes legitimate PowerShell modules for data collection through… Read more…
-
Peeking Behind the Curtain: Finding Defender’s Exclusions
3–4 minutesIn this blog, we reveal a new method for unprivileged users to identify Microsoft Defender exclusion paths using MpCmdRun.exe, without relying on event logs. We… Read more…
-
WMI Research and Lateral Movement
15–23 minutesIn this article, we will go over the WMI technology, the potential attack vectors it opens, some detection pitfalls (from an attacker’s perspective), and how… Read more…
-
Hook, Line and Sinker: Phishing Windows Hello for Business
11–17 minutesLong story short — it is possible to phish the phishing resistant authentication method: Windows Hello for Business by downgrading the authentication, here’s how you can defend… Read more…
-
Not the Access You Asked For: How Azure Storage Account Read/Write Permissions Can Be Abused for Privilege Escalation and Lateral Movement
9–14 minutesIn this blog we will dive into some unexpected techniques that allow an Azure user with Storage Account permissions to abuse them for privilege escalation… Read more…
-
Understanding The TFS Vulnerability Cortex EDR
3–4 minutesWe found that it was possible to access sensitive log files before they were encrypted. This situation points to a potential security gap, allowing critical… Read more…
-
Lateral Movement via Internet Explorer DCOM & ActiveX: Leveraging StdRegProv
6–9 minutesIn this blog, we will examine what DCOM and ActiveX are, how they work, and the potential security risks associated with using them to run… Read more…
Subscribe to get the latest posts sent to your email.
Security Friends' Research Blog 