Browse our blogs
We cover it all in The Security Blog. Discover what you’ve been looking for.

LDAP Channel Binding and LDAP Signing
With Microsoft “enforcing” Lightweight Directory Access Protocol (LDAP) Signing by default in Server 2025, it once again seems like a good time to revisit our…

Adventures in Primary Group Behavior, Reporting, and Exploitation
If you’ve administered Active Directory (AD) for any significant time, chances are you’ve come across the primaryGroupID attribute. Originally developed as a…

Limiting Domain Controller Attack Surface: Why Less Services, Less Software, Less Agents = Less Exposure
Before we dive in, let’s get all the TrustedSec Certified Absolutes out of the way: All software presents some level of inherent risk. Only required software…

Holy Shuck! Weaponizing NTLM Hashes as a Wordlist
Password reuse is common in Active Directory (AD). From an attacker’s perspective, it is a reliable path to lateral movement or privilege escalation. Most IT…

WSUS Is SUS: NTLM Relay Attacks in Plain Sight
Windows Server Update Services (WSUS) is a trusted cornerstone of patch management in many environments, but its reliance on HTTP/HTTPS traffic makes it a…

Exploring NTDS.dit – Part 1: Cracking the Surface with DIT Explorer
NTDS.dit is the file housing the data for Windows Active Directory (AD). In this blog post, I’ll be diving into how the file is organized. I’ll also be walking…

A Hitch-Hacker's Guide To DACL-Based Detections - The Addendum
This blog was co-authored by TAC Practice Lead Megan Nilsen and Andrew Schwartz. 1 Introduction: Last year, Andrew and I posted a four (4) part blog series…

A Hitch-hacker's Guide to DACL-Based Detections (Part 3)
Configuring a SACL to prevent unauthorized changes to Active Directory attributes, enabling auditing and monitoring for potential attacks, and detecting…

A Hitch-hacker's Guide to DACL-Based Detections (Part 2)
This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz. 1 Introduction: This is a continuation of A…

A Hitch-hacker's Guide to DACL-Based Detections (Part 1B)
Detecting Windows SACL…

A Hitch-hacker's Guide to DACL-Based Detections (Part 1A)
blue team

Azure AD Kerberos Tickets: Pivoting to the Cloud
Compromising an Azure cloud presence via machine account SSO is possible, allowing attackers to impersonate any account without MFA, using compromised service…
