Clément Notin [Tenable]inTenable TechBlogStealthy Persistence with “Directory Synchronization Accounts” Role in Entra ID“Directory Synchronization Accounts” Entra role is very powerful while being hidden to admins, making it a perfect stealthy backdoor 🙈Jun 3Jun 3
Clément Notin [Tenable]inTenable TechBlogStealthy Persistence & PrivEsc in Entra ID by using the Federated Auth Secondary Token-signing Cert.How attackers can add a 2nd token-signing certificate to an Entra ID federated authentication config for stealthy persistence & privesc 🙈Jan 31Jan 31
Clément Notin [Tenable]inTenable TechBlogEntra Roles Allowing To Abuse Entra ID Federation for Persistence and Privilege EscalationWhich Entra ID (ex-Azure AD) roles allow configuring federated authentication, thus allowing persistence and privilege escalation 💥Jan 92Jan 92
Clément Notin [Tenable]inTenable TechBlogCode for Reading Windows Serialized CertificatesWhat are Windows “serialized certificates” found on disk? Which CryptoAPI function to open them? Why can’t we enumerate them sometimes?Jul 5, 2023Jul 5, 2023
Clément Notin [Tenable]inTenable TechBlogSMB “Access is denied” Caused by Anti-NTLM Relay ProtectionExplanations of the “Microsoft network server: Server SPN target name validation level” hardening policy: what it does, how to…Jan 11, 20231Jan 11, 20231
Clément Notin [Tenable]inTenable TechBlogDecrypt Kerberos/NTLM “encrypted stub data” in WiresharkI often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC 😉 But I’m often interrupted in…Sep 28, 2022Sep 28, 2022
Clément Notin [Tenable]inTenable TechBlogDon’t make your SOC blind to Active Directory attacks: 5 surprising behaviors of Windows audit…Tenable.ad can detect Active Directory attacks. To do this, the solution needs to collect security events from the monitored Domain…Jul 6, 2021Jul 6, 2021