Since I was bored on a plane I decided to revisit some of the Windows Hello tradecraft and finally implemented browser based FIDO2 auth using WHFB keys in roadtx. Thanks @fabian.bader.cloud and @nathanmcnulty.com for the inspiration!
Next week at WWHF Mile High I'll present a major update to roadrecon, with some awesome features I wanted to add for a while! Friday 9am in track 1 for those attending.
I can't believe Microsoft killed one of my favorite labs in my Entra ID training. The Azure CLI and Azure PowerShell are no longer FOCI clients. On a serious note: good for security!
Master identity attack & defense with Dirk-jan at the workshop "Offensive Entra ID (Azure AD) & Hybrid AD Security". Hands-on training for identity pentesters & defenders at #INSO2026.
Get your ticket: https://ow.ly/Qzgm50XVAAJ
#InsomniHack #Cybersecurity #Infosec #Cyberworkshops
@_dirkjan and my joint talk at #TROOPERS25 is now available on YouTube.
"Finding Entra ID CA Bypasses - the structured way" @wearetroopers.bsky.social
youtu.be/yYQBeDFEkps
Note: Work related
I do Active Directory stuff for a living. Security research to be more specific. One of my favorite niche AD topics is AdminSDHolder. It's even my vanity domain.
I wrote a 159 pg book about AdminSDHolder. I'm kinda proud of it.
specterops.io/resources/ad...
Seems Microsoft is doing some app and permission cleanups and tenant restrictions lately. RIP Microsoft Planner FOCI client.
Dirk-jan Mollema found one of the most severe vulnerabilities ever discovered in Microsoft Entra ID.
One that could have compromised every tenant in the cloud.
In this episode, we unpack the story, the stress, and the mindset behind responsible disclosure.
Thx Ryan!
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
New date for my "Offensive Entra ID security" course: December 8-11th 2025. This will be the last event this year. The previous events sold out quite fast so don't wait too long if you want to attend! events.outsidersecurity.nl/entra-25-12/
It seems there now is a BOF implementation of ADSyncDecrypt to dump Entra ID connect creds.
github.com/Paradoxis/AD...
If you didn't find my Black Hat / Def Con slides yet, they are available on dirkjanm.io/talks . Also includes the demo videos where I use actor tokens from on-prem to access SharePoint online and get Global Admin.
Exciting news: The Office 365 Exchange Online SP privilege escalation we documented in "I SPy" is no longer possible! We've updated the post to reflect this. Thanks to Eli Guy for the tip on this one:
securitylabs.datadoghq.com/articles/i-s...
The ADSyncCertDump tool is now part of the adconnectdump tools and can be used to extract SP credentials from Entra ID connect hosts. I will cover that during my BH/DC talks today and Friday! Tool is heavily based on Shwmae by @ethicalchaos.bsky.social
Link: github.com/dirkjanm/adc...
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates.
Also includes ESC1 over Intune (in some cases).
dirkjanm.io/extending-ad...
Oh, and a new tool for SCEP: github.com/dirkjanm/sce...
For those like me who prefer to stay in the terminal and want to call REST APIs like the Microsoft Graph without complicated commands or copy/pasting tokens: roadtx now has a graphrequest command to perform simple requests against these APIs and parse the JSON.
Teammate Leonid discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of orgs that use Synology's "Active Backup for Microsoft 365" (ABM), including sensitive data like Teams channel messages.
#synology #disclosure #modzero
modzero.com/en/blog/when...
Got word from MSRC that the product team reevaluated their initial duplicate/not-a-vuln decision and will actually be fixing this validation flaw in EAM.
One of the results of the joined research with @dirkjanm.io is entrascopes.com
Basically the yellow pages for Microsoft first party apps.
#TROOPERS25
Thanks to everyone who attended the talk at either x33fcon or OffensiveX. Both were amazing conferences and it was super fun to meet old and new people!
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
Rerunning my test scenarios for the #TROOPERS25 presentation...
That's awesome, see you there!
Received the news today that my talk "Advanced Active Directory to Entra ID lateral movement techniques" was also accepted for @defcon.bsky.social. Hope to see everyone there!
Since we now can use Entra ID connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with TPM (second picture) we can use the key to create an auth assertion for roadtx to req tokens.
That's awesome, congrats!
Advanced Active Directory to Entra ID Lateral Movement Techniques
Dirk-jan Mollema | Security Researcher, Outsider Security
Format: 40-Minute Briefings
Tracks: Cloud Security, Enterprise Security
Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much "the cloud" trusts data from on-premises. The reason for this is that many threat actors, including APTs, have been making use of known lateral movement techniques to compromise the cloud. In this talk, we will take a deep dive together into Entra ID and hybrid trust internals. We will introduce several new lateral movement techniques that allow us to bypass authentication, MFA and stealthily exfiltrate data using on-premises AD as a starting point, even in environments where the classical techniques didn't work. All these techniques are new, not really vulnerabilities, but part of the design. Several of them have been remediated with recent hardening efforts by Microsoft. Very few of them leave useful logs behind when abused. As you would expect, none of these "features" are documented. Join me for a wild ride into Entra ID internals, undocumented authentication flows and tenant compromise from on-premises AD.
I'll be returning to #BHUSA @blackhatevents.bsky.social this summer for a brand new talk about moving laterally from AD to Entra ID. I don't think I've ever been this excited about a talk, with lots of cool stuff to share.
Congratulations! New chapter unlocked.
Just pushed new versions of the #AADInternals and AADInternals-Endpoint modules! Some bug fixes plus support for:
1. Microsoft Authentication Library (MSAL)
2. Token Protection
3. Continuous Access Evaluation (CAE)