While I was reading Elad Shamir's recent excellent post about NTLM relay attacks, I decided to contribute a companion piece that dives into the mechanics of Kerberos relays, offering an analysis and …| Decoder's Blog
Why write a post about changing Windows passwords programmatically when so many built-in and third-party tools already let us do it effortlessly? The answer is simple: curiosity. It drives us to un…
Vulnerable Windows drivers remain one of the most exploited methods attackers use to gain access to the Windows kernel. The list of known vulnerable drivers seems almost endless, with some not even…
In this second super short post, I want to explore an unusual Group Policy Object (GPO) configuration I recently encountered. The GPO in question used a File Preference policy to copy a custom HOST…
In the realm of IT administration, Group Policies serve as a powerful tool for centrally managing and controlling various aspects of an Active Directory network environment in a Windows-based opera…
While exploring the DCOM objects for the “SilverPotato” abuse, I stumbled upon the “ShellWindows” DCOM application. This, along with “ShellBrowserWindows”, is we…
In a recent assessment, it was found that a specific Group Policy granted via “User Right Assignments” the SeRelabelPrivilege to the built-in Users group and was applied on several comp…
TL;DR (really?): Members of Distributed COM Users or Performance Log Users Groups can trigger from remote and relay the authentication of users connected on the target server, including Domain Cont…
In my exploration of all the components and configurations related to the Windows Active Directory Certification Services (ADCS), after the “deep dive” in Cert Publishers group, I decid…
Sometimes I think that starting with a hypothetical scenario can be better than immediately diving into the details of a vulnerability. This approach, in my opinion, provides crucial context for a …
Windows service accounts are one of the preferred attack surfaces for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due …
While writing my latest post, my attention was also drawn to the Cert Publishers group, which is associated with the Certificate service (ADCS) in an Active Directory Domain. I was wondering about …
In a recent assessment, I found that a user without special privileges had the ability to make changes to the NTAuthCertificates object. This misconfiguration piqued my curiosity, as I wanted to un…