Investigating Certificate Template Enrollment Attacks – (ADCS)

Active Directory Certificate Services (ADCS) is Microsoft’s Public Key Infrastructure (PKI) for typical Windows environments. There have been lots of blog posts on how to compromise an entire ADCS infrastructure, so I don’t want to repeat the same stuff over and over again. However, since ADCS is now a clear target with all the POCs

How one misconfiguration in ADCS can lead to full AD Forest compromise

Active Directory Certificate Services (ADCS) has become more popular with all the recent attacks that have been shared publicly. The folks from SpecterOps shared a whitepaper with all the possible attacks that can lead to compromising an ADCS server. This blog post is not meant to cover all the attacks again, since there are already

Investigating Ransomware Deployments that happened via Group Policy

Group Policy is a powerful tool that attackers are using to deploy their ransomware across a network. This blog post will cover some tips on how we can hunt for this type of activity in the event logs, and so on. We will be relying on the default Windows event logs that are straight out

Hunting and Responding to ProxyShell Attacks

ProxyShell is an attack chain that exploits three known vulnerabilities in On-Premises Exchange servers: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. ProxyShell allows a remote unauthenticated attacker to execute arbitrary commands on an unpatched Exchange Server through port 443. The bug lies in the Client Access Service (CAS) component in Exchange and was discovered by a security researcher

Investigating ProxyLogon Attacks and how to mitigate it

On-Premises Exchange servers are valuable targets for attackers, since they contain critical data and often have wide permissions within AD. Over the years, we have seen different exploits for Microsoft Exchange that could lead to a full compromise of the Exchange farm, as well as a full compromise of Active Directory. Today I would like

History of Exchange with having wide permissions in AD

On-Premises Exchange servers have always been a different beast when we compare them to other Microsoft products like SQL, SharePoint, and others. Exchange in general has been notorious for having wide permissions within AD. In the past, this has been described as ‘design’. Providing Exchange administrators the flexibility to manage attributes on Exchange Server objects

How to implement the Exchange Split Permissions Model?

This blog post is targeted at organizations that are still operating On-Premises Exchange servers. Exchange has always been an interesting piece, since it’s so tightly integrated within AD. This can introduce security challenges as well. In this blog post, we will cover how we can implement the Exchange Split Permission Model to reduce the

Hunting Webshell Activity

A Webshell is a malicious script that an attacker can drop on a webserver to launch additional attacks and establish persistence. Before a Webshell is dropped, it is usually the case that an attacker has successfully obtained SYSTEM level access on the targeted server in order to upload the Webshell. A Webshell may provide a

Hunting in On-Premises Exchange Server logs

This will be a high-level summary of the different logs that can be found on an On-Premises Exchange server, which can be useful during an IR. For each log, I’ll try to explain what we can achieve with it. Not all logs are useful, so I’ve only picked the ones that I’m aware of and

