Kerberos is the preferred way of authentication in a Windows domain, with NTLM being the alternative. Kerberos authentication is a very complex topic that can easily confuse people, but is sometimes heavily leveraged in red team or penetration testing engagements, as well as in actual attacks carried out by adversaries…

Abstract In my article “Attacking Azure, AzureAD, and Introducing PowerZure”, I provided several tactics, techniques, and procedures (TTPs) on attacking Azure & AzureAD, as well as released PowerZure to automate some of it. I firmly believe that when a new tactic or tool is written, that defensive guidelines should follow to…

Abstract Over the past decade, Azure’s presence in businesses has grown significantly as new features and support were added to Azure. The purpose of this article is to cover three main points: Explain the components of Azure and how they fit into a modern IT environment. Explain how certain things within…

Lateral movement is the process of moving from one compromised host to another. Penetration testers and red teamers alike commonly used to accomplish this by executing powershell.exe to run a base64 encoded command on the remote host, which would return a beacon. The problem with this is that offensive PowerShell…