Clément Notin [Tenable]inTenable TechBlogStealthy Persistence with “Directory Synchronization Accounts” Role in Entra ID“Directory Synchronization Accounts” Entra role is very powerful while being hidden to admins, making it a perfect stealthy backdoor 🙈8 min read·Jun 3, 2024----
Clément Notin [Tenable]inTenable TechBlogStealthy Persistence & PrivEsc in Entra ID by using the Federated Auth Secondary Token-signing Cert.How attackers can add a 2nd token-signing certificate to an Entra ID federated authentication config for stealthy persistence & privesc 🙈10 min read·Jan 31, 2024----
Clément Notin [Tenable]inTenable TechBlogEntra Roles Allowing To Abuse Entra ID Federation for Persistence and Privilege EscalationWhich Entra ID (ex-Azure AD) roles allow configuring federated authentication, thus allowing persistence and privilege escalation 💥17 min read·Jan 9, 2024--2--2
Clément Notin [Tenable]inTenable TechBlogCode for Reading Windows Serialized CertificatesWhat are Windows “serialized certificates” found on disk? Which CryptoAPI function to open them? Why can’t we enumerate them sometimes?5 min read·Jul 5, 2023----
Clément Notin [Tenable]inTenable TechBlogSMB “Access is denied” Caused by Anti-NTLM Relay ProtectionExplanations of the “Microsoft network server: Server SPN target name validation level” hardening policy: what it does, how to…7 min read·Jan 11, 2023--1--1
Clément Notin [Tenable]inTenable TechBlogDecrypt Kerberos/NTLM “encrypted stub data” in WiresharkI often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC 😉 But I’m often interrupted in…7 min read·Sep 28, 2022----
Clément Notin [Tenable]inTenable TechBlogDon’t make your SOC blind to Active Directory attacks: 5 surprising behaviors of Windows audit…Tenable.ad can detect Active Directory attacks. To do this, the solution needs to collect security events from the monitored Domain…9 min read·Jul 6, 2021----