Lars Karlslund - mucking around with your AD Profile picture
Curious security octopus | Adalanche | Sarcasm level 11 | Fond of LEGO | 8.7B hashes https://t.co/NMqgC4BfQ7 | All thoughts, no leadership | I'm here for Justin
Jan 4 5 tweets 2 min read
This is why your NVidia driver download is 670MB: they silently fix a *ton* of problems in games, so customers are happy. It's the same in Windows - here's the system wide shim db from Windows 11 23H2 with workarounds for "After Dark 4.0" with flying toasters released in 1996. You should definitely not download the maybe-abandonware After Dark 4.0 ISO from the internet and install it on your Windows 11 PC. On the other hand, if you *do*, it will really mess up the app usage metrics that your computer ships to Microsoft.
winworldpc.com/download/45c38…
Sep 19, 2022 11 tweets 4 min read
You can harden your Active Directory against wrong owners and permissions on Computer objects, which is a typical scenario with devastating results if it's a Domain Controller object. I've written about this problem earlier here. 1/11
Hardening against computer ownership requires your Domain Controllers to be running at least Windows 2008, and if they're not just stop reading this and get upgrading, you have bigger problems. Anyway, the nitty gritty is described here 2/11 learn.microsoft.com/en-us/openspec…
Jul 15, 2022 7 tweets 3 min read
Deploy GOAD (the wonderful vulnerable Active Directory experimental lab from Orange Cyberdefense) - a quick guide. You'll need a spare PC with at least 4 cores, 16GB RAM and 256GB SSD. Script included, so it's easy even if you're not Linux savvy! 1/🧵 github.com/lkarlslund/dep… It needs Linux because of vagrant and ansible. It might work directly on Windows, but it's not easy. I tried running Linux under Windows using VirtualBox with nested virtualization, but after spending *way* too much time on this, I've concluded that this will not work. 2/🧵
May 20, 2022 12 tweets 6 min read
Don't lose trust! "The trust relationship between this workstation and the primary domain failed." Has this ever happened to you? I'll show you how to fix it, and (more interestingly) how it works behind the scenes 1/🧵 First some basics: when you join a computer to an Active Directory, it gets a machine account in the AD. This is like a user account, but with objectClass value 'computer' (and others) and some userAccountControl flags indicating it to be a computer (0x1000). But ... 2/🧵
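The repair the thread promises, plus a decoder for the userAccountControl bits it mentions, as an added example (this is not code from the thread). It assumes an elevated PowerShell session on the affected domain member for the secure-channel part, and the RSAT ActiveDirectory module (Get-ADComputer) for the AD-side lookup; the flag values are the documented MS-ADTS/MS-SAMR constants, of which 0x1000 is WORKSTATION_TRUST_ACCOUNT.

```powershell
# Added example, not from the original thread. Run elevated on the domain member
# whose secure channel is broken. The AD lookup at the end needs RSAT
# (ActiveDirectory module); the repair itself uses built-in cmdlets only.

# 1. Is the secure channel to the domain healthy?
$healthy = Test-ComputerSecureChannel -Verbose
if (-not $healthy) {
    # -Repair resets the machine account password on the computer and on the
    # computer object in AD, which is what re-establishes the trust. The
    # credential must be allowed to reset the password on that computer object.
    $cred = Get-Credential -Message 'Account allowed to reset this computer account'
    Test-ComputerSecureChannel -Repair -Credential $cred -Verbose
}

# Alternative when you want to target a specific DC (replace dc01.example.local):
# Reset-ComputerMachinePassword -Server dc01.example.local -Credential $cred

# 2. Decode userAccountControl on the computer object (run where RSAT is present).
# Values are the documented MS-ADTS / MS-SAMR flag constants.
$uacFlags = [ordered]@{
    ACCOUNTDISABLE            = 0x0002
    PASSWD_NOTREQD            = 0x0020
    NORMAL_ACCOUNT            = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT = 0x0800
    WORKSTATION_TRUST_ACCOUNT = 0x1000   # the "it's a computer" bit from the thread
    SERVER_TRUST_ACCOUNT      = 0x2000   # set on domain controllers
    DONT_EXPIRE_PASSWORD      = 0x10000
    TRUSTED_FOR_DELEGATION    = 0x80000
}

function Get-UacFlagNames {
    param([int]$Value)
    # Return the names of every flag whose bit is set in $Value.
    $uacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties userAccountControl, pwdLastSet
'{0}: userAccountControl=0x{1:X} ({2}); pwdLastSet={3}' -f $computer.Name,
    $computer.userAccountControl,
    ((Get-UacFlagNames $computer.userAccountControl) -join ', '),
    [DateTime]::FromFileTime($computer.pwdLastSet)
```

pwdLastSet is worth printing alongside the flags: a machine account whose password was last set long before the workstation's own stored password (for example after restoring an old snapshot of the client) is the usual cause of the error quoted in the thread.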
Apr 11, 2022 6 tweets 3 min read
Fellow Active Directory infosec researchers here in Denmark have figured out how to cross domains in the same direction as a trust - yes, the opposite of what is normal 1/🧵
improsec.com/tech-blog/sid-… They explain it much better in their 7-part series (linked above is the last part), but it comes down to the fact that the two domains have to talk to each other, as part of exchanging data. They do this with a special type of account - the SAM_TRUST_ACCOUNT. 2/🧵
Feb 17, 2022 12 tweets 4 min read
The Active Directory group "Account Operators" is a bastard, and should be kept empty. Why? Because it undermines your *entire* delegation structure in the AD. Here are the details, and it shows why you should stay clear of this group 1/n Many of you probably know that this group shouldn't be used, but not all know the details of WHY. Here's the description from Microsoft. Just by reading this it becomes fairly evident what the issue is ... 2/n
Feb 14, 2022 4 tweets 2 min read
Cool adalanche trick: do supply chain attack analysis. If you're using the local collector to grab data from domain member computers, you can use the installedSoftware attribute to select machines. Here's a ~10% random selection of machines with "Microsoft SQL server". Nifty, eh? Here are my settings for the search - it's reverse because we're investigating "what can my selection pwn of the rest of the infrastructure"
Jan 8, 2022 5 tweets 2 min read
Did you know that you can mass upgrade a lot of Windows 10/11 3rd party software with a free tool from Microsoft? It's like Linux's "apt" or "yum" ... Patching some of your vulnerable software is now free and easy, as I'll show you here 1/5 If you're running Windows 11, it's preloaded onto the system, so you can skip this part. On Windows 10, go to the Microsoft Store and search for "app installer". Here is my laptop which hasn't been powered on for quite a while - ironically it has a winget update available :-) 2/5
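The inventory-and-upgrade run the thread describes, as an added example (not code from the thread). It assumes winget ("App Installer") is already installed and that you run it from an elevated PowerShell prompt; the package id used for the pin is a placeholder.

```powershell
# Added example, not from the original thread. Elevated PowerShell assumed.

# Stop early if winget is not present (on Windows 10 it comes with "App Installer").
if (-not (Get-Command winget -ErrorAction SilentlyContinue)) {
    throw 'winget not found: install "App Installer" from the Microsoft Store first.'
}

# 1. List everything with an upgrade available. Packages whose installed version
#    winget cannot determine are hidden unless --include-unknown is given, and
#    those are often exactly the old, vulnerable installs you care about.
winget upgrade --include-unknown

# 2. Upgrade everything winget can match to a package in its sources.
#    --silent asks each installer to run unattended; the two --accept flags
#    suppress the interactive license prompts that would otherwise block the run.
winget upgrade --all --include-unknown --silent `
    --accept-package-agreements --accept-source-agreements

# 3. Hold a package on its current version so that --all skips it
#    (recent winget releases). Replace the id with the package you must keep.
# winget pin add --id <Publisher.Package>
```

Packages installed outside winget (MSI or EXE installers run by hand) still appear in the upgrade list when winget can match them by name and version; the ones it cannot match are what --include-unknown surfaces, and those are the candidates to check manually.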
Jan 4, 2022 5 tweets 2 min read
Find DCs with wrong object owners using adalanche, and see the impact it's having on your security. If you're doing multi forest analysis, you can get really interesting results, as it will expose forest-to-forest takeover scenarios (names anonymized to protect the innocent) 1/5 The screenshot shows a foreign security principal impacting a DC. Pwning that foreign AD or just that user will cost you the domain with the outgoing trust. Whooops! 2/5
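A plain-PowerShell way to find the same condition without adalanche, serving both this thread and the earlier one on hardening against wrong Computer object owners, as an added example (not the thread's code and not part of adalanche). It assumes the RSAT ActiveDirectory module and a domain-joined account that can read nTSecurityDescriptor (ordinary domain users can, by default); the list of owners considered legitimate is an assumption you should adjust to your forest.

```powershell
# Added example, not from the original thread and not part of adalanche.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Assumed set of legitimate owners for DC computer objects; adjust as needed.
$expectedOwners = @(
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins",
    'BUILTIN\Administrators'
)

function Get-DcOwnerReport {
    param([string[]]$ExpectedOwners)
    $localPrefix = '^(BUILTIN|NT AUTHORITY|' + [regex]::Escape($domain.NetBIOSName) + ')\\'
    foreach ($dc in Get-ADDomainController -Filter *) {
        $obj   = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties nTSecurityDescriptor
        $owner = $obj.nTSecurityDescriptor.Owner   # NTAccount string, or a raw SID if untranslatable
        [pscustomobject]@{
            DomainController = $dc.HostName
            Owner            = $owner
            Suspicious       = $ExpectedOwners -notcontains $owner
            # Owner from another domain or forest (different prefix, or a bare SID
            # for a foreign security principal): the cross-forest case in the thread.
            ForeignOwner     = $owner -notmatch $localPrefix
        }
    }
}

Get-DcOwnerReport -ExpectedOwners $expectedOwners | Format-Table -AutoSize

# Remediation, only after confirming the owner really is wrong, run as a domain
# admin. Replace <DC computer object DN> with the DistinguishedName from the report.
# $path = 'AD:\<DC computer object DN>'
# $acl  = Get-Acl -Path $path
# $acl.SetOwner([System.Security.Principal.NTAccount]"$($domain.NetBIOSName)\Domain Admins")
# Set-Acl -Path $path -AclObject $acl
```

The owner matters because an object's owner can always rewrite its DACL, so whoever owns a DC's computer object can grant themselves whatever rights they like on it; a foreign principal in that position is what turns a compromise of the trusted forest into a compromise of yours.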
Sep 27, 2021 20 tweets 5 min read
So today I started looking at Azure AD, which spawned an interesting thread with my thoughts, and lots of input and corrections from others. It also spawned the need for a refresher on AD attribute security ... You see, I probably should have been able to figure this out in 2 minutes. After all I've spent uncountable hours creating github.com/lkarlslund/ada…, which dumps an entire Active Directory and maps how ACLs can be misused to jump from tier to tier.
Sep 27, 2021 10 tweets 3 min read
So I'm diving head first into Azure AD, and I think it's a f*cking can of worms. Most large orgs do a TWO WAY sync of their on prem AD with AAD (users, groups, passwords). The attack surface is just horrible. So you're moving to the cloud. Someone needs to be able to reset passwords, so let's give them the "Password Admin" role. No worries, this doesn't apply to admin accounts. Or does it?