Hacker at @OutsiderSec. Researches AD and Azure (AD) security. Likes to play around with Python and write tools that make work easier.

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…
138
903
3,185
476,211
Fox-IT just open sourced their enterprise forensics tooling dissect. This is a big project that some of the smartest people I know have worked on. It supports many filesystems and file formats, all as Python libraries. Docs: docs.dissect.tools / code: github.com/fox-it/dissect
21
582
1,888
So yes, Zerologon (CVE-2020-1472) is quite easy to exploit. Unauthenticated user to Domain Admin. This is really scary. Run exploit, DCSync with DC account and empty NT hash: you have Domain Admin and a broken DC. Awesome find by Tom Tervoort 🙂. Patch patch patch!
21
832
1,726
It has a few more prerequisites, but I finally managed to get a #Zerologon exploit working that doesn't rely on resetting passwords to exploit. Use the printerbug to make DC1 connect to you, then with lots of magic relay that to DC2 directly to DRSUAPI to DCSync 😁
27
547
1,296
Some big personal news: last year I decided to start my own company. Today I'm making it official and announcing Outsider Security (@OutsiderSec). My focus will be on Azure AD and Active Directory security, converting my research experience into in-depth tests and advice.
102
79
1,187
New blog: A different way of abusing Zerologon. No more password reset needed: using the printer bug with Zerologon to relay to DRSUAPI and DCSync directly with ntlmrelayx: dirkjanm.io/a-different-way-… Code: github.com/dirkjanm/CVE-2020…
22
586
1,072
There seems to be quite some questions and confusion about the impact of exploiting Zerologon (CVE-2020-1472) on the environment. So here's a thread 👇
5
515
994
New blog: Relaying Kerberos over DNS using krbrelayx and mitm6. New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services. Blog: dirkjanm.io/relaying-kerbero…
21
483
1,007
I've added the material from my Black Hat US talk yesterday to my blog. If you are interested in Azure AD security, love account hijacks, MFA bypass, persistence techniques and privescs, give it a read: dirkjanm.io/assets/raw/US-22…
13
299
984
Just published: "Getting in the Zone: dumping Active Directory DNS using adidnsdump". Recon tool to dump DNS records in AD as any authenticated user, similar to a zone transfer. Tool: github.com/dirkjanm/adidnsdu… Blog: dirkjanm.io/getting-in-the-z…
12
454
898
Since everyone loves dumping credentials, I've put together a tool for remotely dumping Azure AD Connect credentials for my #TR19 talk. Uses only SMB and RPC calls, no code exec on the target host 😁
7
325
890
What a time to be alive... Install the Microsoft signed Hybrid Connection Manager on victim host, link it up with your Azure app, enjoy persistent access to the on-prem network from your Azure portal. Only needs https outbound to Azure and line of sight from victim to target host
19
322
858
[Blog] Office 365 was vulnerable to network attacks due to a vulnerability in Microsoft Teams. Here's a demo of an attacker obtaining access to all emails and OneDrive/SharePoint files if the victim joins an attacker controlled network. Details: dirkjanm.io/office-365-netwo…
8
452
796
The CVSS score for the CVE has been adjusted to a 10.0 it appears 👀 msrc.microsoft.com/update-gu…
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…
31
89
818
66,622
Short blog and POC code for CVE-2019-1040 (patched last Tuesday). Combining this vulnerability with the SpoolService bug and Kerberos delegation means: any AD user to Domain Admin; RCE on unpatched hosts; possible over Forest trusts. dirkjanm.io/exploiting-CVE-2… TL;DR: GO PATCH!
20
551
790
New blog: Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust I teased this a bit during my Windows Hello talks, now found some time to write about this interesting technique. Also contains defenses and detection opportunities. dirkjanm.io/obtaining-domain…
8
329
773
90,669
I wrote a small scanner utility to check if systems are vulnerable to CVE-2019-1040, the NTLM Mic vulnerability that allows for Active Directory takeover. Published here: github.com/fox-it/cve-2019-1…
6
383
724
Tool release: adconnectdump. Three approaches to dumping #Azure AD Connect credentials, from executing code on the host to fully over the network. For technical background, see the slides of my #TR19 talk 😃 github.com/fox-it/adconnectd…
9
404
686
It's been long overdue, but my part 2 blog on Active Directory forest trusts is finally here! This blog is about trust transitivity and on the finding on CVE-2020-0665 which was a trust bypass by faking a domain. Enjoy the (long) read: dirkjanm.io/active-directory…
9
285
667
It's been quiet for a while around bloodhound Python, however I'm happy to share that I am now maintaining the project at my personal GitHub. The latest version fixes many bugs/issues, also thanks to the many PRs that were submitted (thanks all!). github.com/dirkjanm/bloodhou…
11
196
624
60,830
New blog: "Abusing forgotten permissions on computer objects in Active Directory". The post is a dive into permissions that are set when you pre-create computer accounts the wrong way, why BloodHound missed those and how to abuse, fix, or monitor for this. dirkjanm.io/abusing-forgotte…
9
255
557
New cool blog by my @FoxIT colleague Rindert: Command and control over LDAP attributes. Running Cobalt strike over LDAP as a control channel to bypass network restrictions. Blog: blog.fox-it.com/2020/03/19/l… Tool: github.com/fox-it/LDAPFragge…
5
298
534
Playing a bit with @harmj0y and @tifkin_ their AD CS research today, this stuff is seriously 🔥🔥🔥. Low priv to DA by default/"design".
9
171
528
New blog up! "Abusing Azure AD SSO with the Primary Refresh Token", digging into Hybrid environments, SSO, Conditional Access policies and other Azure AD fun. New update for ROADtools, introducing ROADtoken which uses SSO to get persistent Azure AD tokens dirkjanm.io/abusing-azure-ad…
10
294
524
Still think machine accounts are useless when relaying? Not when you relay an Exchange server account and get instant Domain Admin :D mitm6 + ntlmrelayx = relay exchange server account -> modify domain ACL -> DCSync with #mimikatz or #impacket
7
260
516
Hey @bookingcom , I'm getting scammed via your official message system on a real booking. Sounds like you're having some security troubles.
39
66
490
144,694
BloodHound 4.1 was just released and I'm happy to share that the BloodHound python ingestor is ready for the new format and edges it introduces! Via GitHub only for now, please test and let me know if there are errors 🙂 github.com/fox-it/BloodHound…
3
169
480
Just found an interesting lateral movement/post-ex technique in Azure AD to move between identities. It's stealthy, non-destructive, bypasses MFA, and can be used to move from cloud to on-prem in several hybrid scenarios. Now moving on to figure out all scenarios and impact😅
14
45
466
secretsdump(.py) slow processing your NTDS.dit? Soon not anymore! With @Schamperr's esedb parser implementation processing time of a 5GB dit file went from 45 minutes down to 1.5 minutes 😲! Code will be released as open source when fully ready 🙂
14
137
464
Content of my #RomHack2021 talk "Breaking Azure AD joined endpoints in Zero Trust environments" is up! Video: piped.video/watch?v=OigKnI68… Slides (pdf): dirkjanm.io/assets/raw/romha… As usual all the links to my talk materials are also on dirkjanm.io/talks
11
211
462
Thanks to @elad_shamir's research, network access once again means RCE against Windows hosts in that (V)LAN. Combining mitm6, ntlmrelayx and RBCD to abuse AD defaults. New blog: The worst of both worlds, Combining NTLM relaying and Kerberos Delegation: dirkjanm.io/worst-of-both-wo…
9
300
440
[New blog] Updating adconnectdump - a journey into DPAPI; In which I describe the process of understanding and decrypting the DPAPI encrypted credentials of Azure AD connect. This again enables dumping these credentials via only network calls (as admin). dirkjanm.io/updating-adconne…
7
239
427
Took me a few days, still don't know exactly how/why it works, but I now have a new-ish on-prem to cloud technique via a Seamless SSO (Kerberos) backdoor key. Some features: - No GA needed to add key - Invisible backdoor (no logs in AAD) 🫣 - 1st factor auth to any synced user
6
114
430
91,023
2 new releases today exploiting default settings in AD! First: Invoke-ACLPwn, a PowerShell script to exploit ACL paths detected by #BloodHound. Second is the ACL attack for ntlmrelayx: relaying machine accounts for DA! Code: github.com/fox-it/Invoke-ACL… Blog: blog.fox-it.com/2018/04/26/e…
279
414
Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀
3
117
401
34,528
This patch Tuesday brings patches for some memory corruptions I found in AD integrated DNS which could lead to RCE from Authenticated Users to SYSTEM on a Domain Controller... CVEs assigned are CVE-2020-0644, CVE-2020-761 and CVE-2020-0718. portal.msrc.microsoft.com/en…
12
132
395
Just uploaded the first verion of BloodHound.py, an impacket based BloodHound ingestor in Python. github.com/fox-it/BloodHound… is still in beta and not complete, so testing and feedback is welcome!
1
225
390
Thanks to everyone who attended the live stream! My Azure AD framework ROADtools is now available. Includes the ROADrecon exploration tool. Blog + stream recording: dirkjanm.io/introducing-road… Code: github.com/dirkjanm/ROADtool…
8
195
389
New blog and tool: Introducing ROADtools Token eXchange (roadtx) - Automating Azure AD authentication, Primary Refresh Token (ab)use and device registration. Blog: dirkjanm.io/introducing-road… Code: github.com/dirkjanm/ROADtool… Some features in screenshot attached.
12
186
365
Few BloodHound python updates: LDAP channel binding is now supported with Kerberos auth (native) or with NTLM (custom ldap3 version). Furthermore, the BH CE collector now has its own pypi package and command. You can have both on the same system with pipx. github.com/dirkjanm/BloodHou…
4
126
356
22,553
Quite a nice post about Azure AD attacks, summarizes a lot of work done in this area and features ROADtools 😃 synacktiv.com/posts/pentest/…
2
167
344
Thanks all for attending my #DEFCON talk! Humbling to see such a full room even on Sunday. Slides and demo videos are online at the media server. Slides: media.defcon.org/DEF%20CON%2… Demo vids: media.defcon.org/DEF%20CON%2…
10
123
334
Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃
6
119
348
36,171
I am officially announcing my first training offering "Offensive Azure AD and Hybrid AD security". It is an in-depth, hands-on training that teaches the core concepts, protocols and attack techniques of Azure AD and hybrid environments. Check: outsidersecurity.nl/training…
6
64
328
Did you know an Azure AD user can read the bitlocker key for any devices they own? (Provided the bitlocker key is backed up to Azure AD). The latest version of roadrecon shows bitlocker keys in the GUI. You can also see them for all devices in several roles (including read roles)
5
109
331
It's been a while since I posted about BloodHound .py, but lots of things have been added! Now at v0.7.0, with support for ACL collection, loggedon, DCOM/RDP and object properties. Also works with Python 3 now! Check it out on the @foxit GitHub github.com/fox-it/BloodHound…
2
143
319
A few weeks ago I gave a talk at @a41con on how to phish for PRTs and phishing resistant authentication methods 👀. The slides, plus a demo video on how to do this with credential phishing are now on my blog: dirkjanm.io/talks
2
123
325
34,211
Just got the news that my talk about Azure security has been accepted for #DEFCON 😁😁😁 super happy right now and very excited to share my latest research! 😀
13
28
304
Today's patch Tuesday fixes CVE-2020-0665, which is an Active Directory forest trust security bypass using Kerberos magic 🙃 if you use forests as a security boundary you may want to patch this. Advisory (though text is inaccurate): portal.msrc.microsoft.com/en…
5
154
308
At Def Con I presented with @_EthicalChaos_ on new Windows Hello attacks. For ex: how to use the WinHello crypto keys from a low priv session to request a PRT on a different device, bypassing TPM protection of PRTs. Slides: dirkjanm.io/talks/ Poc: github.com/dirkjanm/ROADtool…
5
107
310
21,211
Seems Microsoft is finally taking a stance against NTLM relaying to LDAP, by enforcing LDAP signing and channel binding by default starting January 2020. This is a big and important change to improve AD security, especially from a network point of view!
Microsoft strongly advises customers... always a warning, especially if it involves DCs and LDAP and MS announces upcoming changes Https://support.microsoft.co…
3
142
297
The recording of my #Azure AD talk at #TR19 is now online! If you want to learn about Azure AD account takeover, AD Sync password extraction, privilege escalations and SSO weaknesses, you can watch the full talk on YT: piped.video/JEIR5oGCwdg
3
135
303
Just published a new tool: aclpwn.py - Active Directory ACL exploitation with #BloodHound, as presented on #HITB2018DXB Armory. Code/Documentation: github.com/fox-it/aclpwn.py Slides: slideshare.net/DirkjanMollem… @HITBSecConf @HITBArmory
2
173
304
Another blog on the Primary Refresh Token! Thx @gentilkiwi for figuring this out with me! Tl;Dr: PRT can be extracted from lsass with #mimikatz 🥝. If with TPM, session key is protected. Still possible to extract derived keys and sign your own PRT cookies. dirkjanm.io/digging-further-…
7
152
303
Been a long day but thanks to @gentilkiwi's awesome new mimikatz CloudAP support we managed to put together tooling that can sign arbitrary PRT cookies! Secrets from lsass + DPAPI + crypto magic + horrible C code = working POC of session key extraction.
4
112
307
Slides and video of my #bluehatseattle talk "A year of hacking Azure AD" are online! Contains my exploration of the unofficial "1.61-internal" version of the Azure AD graph and the resulting vulnerabilities😃 Slides: dirkjanm.io/talks/ Video: piped.video/watch?v=fpUZJxFK…
3
133
290
For those looking into building/testing detection for #PrivExchange, but don't have a lab available, here are a pcap dirkjanm.io/assets/raw/prive… and event log export dirkjanm.io/assets/raw/prive…
5
141
281
Very excited to start a personal blog! Kicking off today with the first part of my research into Active Directory Forest trusts: How does SID filtering work? dirkjanm.io/active-directory… Including techniques to pwn incorrectly configured Forest trusts ;)
10
139
275
Since @_wald0 and @CptJesus just released #BloodHound 3.0 I've merged the v3 branch of the BloodHound python ingestor and pushed the new version to pypi. New version works with v3 syntax and contains many fixes and new features! See github.com/fox-it/BloodHound…
2
124
272
Microsoft released patches for #PrivExchange today! 1) Latest version won't authenticate when sending push notifications 2) Exchange privileges in AD are reduced (!), removing DACL control over the domain root object (+ others). This requires manual rerun of setup.exe /prepareAD
3
184
276
It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell for the heads up.
6
71
274
40,984
The video recording of my Black Hat talk this summer "Backdooring and Hijacking Azure AD Accounts by Abusing External Identities" made it to YouTube: piped.video/watch?v=uKDS2t9_…
1
112
263
New blog: Persisting on Entra ID applications and User Managed Identities with Federated Credentials. In this blog we set up our own IdP with roadtools, allowing us to authenticate to apps and user managed identities with federated credentials 😀 dirkjanm.io/persisting-with-…
11
96
263
21,636
The recordings of @a41con are available! If you're interested in credential phishing, device code phishing, applying that to phish for PRTs and Windows Hello keys... Give it a watch! 😁 piped.video/tNh_sYkmurI
6
83
262
22,678
The ADSyncCertDump tool is now part of the adconnectdump tools and can be used to extract SP credentials from Entra ID connect hosts. I will cover that during my BH/DC talks today and Friday! Tool is heavily based on Shwmae by @_EthicalChaos_
Since we now can use Entra ID connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with TPM (second picture) we can use the key to create an auth assertion for roadtx to req tokens.
2
99
268
19,734
Slides from my @WEareTROOPERS #TR19 talk about hacking Azure AD are now online! Was so much fun presenting here 😀 recording of the talk and tools release will follow! slideshare.net/DirkjanMollem…
1
129
258
Received the news today that my talk "Advanced Active Directory to Entra ID lateral movement techniques" was also accepted for @defcon 🎉 hope to see everyone there!
5
15
258
11,978
Since we now can use Entra ID connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with TPM (second picture) we can use the key to create an auth assertion for roadtx to req tokens.
8
65
262
42,605
In other news, more than 4 years after I reported this, Microsoft finally removed the ability to modify conditional access policies via the Azure AD Graph. 🎉 Before this change, the AD connect sync account could change/remove all policies, defeating MFA reqs via CA.
6
45
249
33,604
Off to a good start in the new year (Part 2). I was awarded the Microsoft MVP status a few days ago for my community contributions in the Microsoft security space. Super grateful for everyone who helped along the way to get me there! ❤️
27
8
249
7,226
The python BloodHound ingestor was updated to support GPO/OU/container collection. Thanks to @_zblurx for the PR. The python version is now functionally equivalent to the official C# version for DCOnly collection. Also thanks to @itm4n who added registry based session enum 🔥
9
55
242
In other training news, I've been notified that my Azure AD security training has been accepted for Black Hat USA in Las Vegas this summer 🥳 Looking forward to see everyone in Vegas again! 😁
14
8
236
29,016
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
6
69
246
27,298
As promised, here is @donnymaasland's blog about bypassing McAfee's password and admin check which lets you export and import the configuration. This allows viewing exclusions, adding your own or changing the protection password. dmaasland.github.io/posts/mc…
5
141
232
🥳 super excited that I'll be back in Vegas this summer, presenting for the first time at Black Hat US #BHUSA! I'll give a talk about my latest research on hijacking and backdooring accounts via external identities in Azure AD 😁. blackhat.com/us-22/briefings…
17
14
223
👀 looks like Microsoft started with rolling out the Conditional Access features for controlling device code flow auth that I mentioned in my last blog dirkjanm.io/phishing-for-mic…. Seems to be in preview, not in all tenants yet.
5
73
222
61,044
New #powershell tool to phish for user credentials using existing applications as a (realistic) cover: blog.fox-it.com/2018/08/14/p… Includes Cobalt Strike script 😀
5
146
220
Relaying Kerberos, for real this time 😁 (teaser, needs some more work)
2
43
223
Since several people already asked: the slides from @fabian_bader and myself for @WEareTROOPERS are available! "Finding Entra ID CA bypasses-the structured way". We talked about FOCI, BroCI, CA bypasses, scopes and getting tons of tokens. Check it at dirkjanm.io/talks/
1
86
226
20,860
Pretty proud of this one, took a lot of work. And no, this device does not exist 😎
15
27
220
39,764
v0.4.0 of BloodHound.py is now up! Major rewrite and cross domain support now make it support all of SharpHounds default collection. Also removed the beta labels since it has been tested without issues on several networks. Get it at github.com/fox-it/BloodHound… or PyPi.
1
143
221
Because Microsoft quietly removed the possibility to sign in using the Primary Refresh Token (Azure AD SSO) without a nonce, I've slightly altered the flow with ROADrecon and ROADtoken to request a nonce first. Blog also updated: dirkjanm.io/abusing-azure-ad…
5
79
215
This is bad for AD big time 🤯... Don't understand why they decided not to service this immediately. Awesome research!
🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️ Read Here - akamai.com/blog/security-res…
6
41
222
15,363
New BloodHound version 4.2 means new BloodHound[.]py version 😀 BloodHound python v1.4.0 is now live, compatible with the latest BloodHound version. It includes the research from my last blog as a new edge "WriteAccountRestrictions", which also got added to SharpHound ❤️
2
54
208
I've been putting this off for a long time, but finally decided to give it a go: AD FS and federated domains in Azure AD. With some results, mostly thanks to @doughsec. Coming soon to ROADtools: SAML token crafting and AD FS spoofing😁
6
36
210
16,565
New blog post up with @FSDominguez: Listening on port 445 on Windows and remote NTLM relaying through tunnels with ntlmrelayx and meterpreter. diablohorn.com/2018/08/25/re…
1
120
208
Small update to roadtx, with thanks to @Flangvik for the idea: you can now do the interactive authentication with a "borrowed" ESTSAUTHPERSISTENT cookie from a browser, to get tokens or have an authenticated browser session.
7
63
207
36,478
There's a lot going around about analyzing Azure AD environments for compromise and risky/rogue permissions lately. Most focus on logs, but if there are no (more) logs or you just want to review AAD as a blue teamer, here is how ROADrecon (github.com/dirkjanm/ROADtool…) can help:
1
75
197
I've made some major improvements to data gathering with ROADrecon in larger tenants. Data collection is now much faster, uses automatic throttling and retries requests when throttled by AAD Graph. Would love if people can give it a try in larger tenants. github.com/dirkjanm/ROADtool…
3
66
195