Showing Articles About
microsoft
-
Calum Elrick Max Toper 
Leonidas Tsaousis - 15 Oct 2025
Entra Connect Exploitation in 2025: An Overview
Entra Connect is the bridge between Microsoft's on-prem and cloud worlds, synchronising Active Directory and Entra ID identities. As such, it has traditionally served as a high-value target for threat actors. Conversely, continuous imrpovements by Microsoft have drastically changed the attack surface, leading to confusion about which exploitation techniques are still relevant and which aren't. This post will aim to clarify and document the Entra Connect exploitation landscape in 2025, and what defenders need to know to stay ahead.
-
Christian Philipov - 3 Sep 2025
Staying Sneaky in the Office (365)
SharePoint APIs provide a default functionality which can be used to download files outside of trusted devices and IP addresses. Thus, bypassing assumptions regarding where sensitive documents can be accessed from and providing an avenue for an attacker to exfiltrate information
- 15 May 2020
Internet Exploiter: Understanding vulnerabilities in Internet Explorer
This article provides a deep technical analysis of CVE-2020-0674, a use-after-free vulnerability in Internet Explorer's legacy JScript engine. The analysis explores the internal mechanics of the JScript interpreter, garbage collection process, and demonstrates complex exploitation techniques to bypass security mitigations. The research reveals how an attacker could potentially execute arbitrary code by manipulating memory management in the legacy JavaScript engine.
- 6 Nov 2019
OU having a laugh?
A novel attack technique exploits Group Policy Object (GPO) processing in Active Directory by manipulating the gpLink attribute. An attacker with OU modification rights can redirect GPO resolution to a rogue domain controller, potentially compromising computers and users within that OU. The attack leverages default Active Directory configurations and can be executed with minimal domain user permissions.
- 31 Oct 2018
Undisable Restricted Admin
Restricted Admin mode is a Windows feature that prevents credential caching during RDP sessions by using network logons instead of interactive logons. The mode offers protection against lateral movement in network environments, though it introduces a minor pass-the-hash attack vector. Organizations can enable this control by modifying registry settings and group policy to enhance network security.
- Yong Chuan Koh
- 12 Oct 2016
Fuzzing the Windows kernel
A presentation by Yong Chuan Koh at HITB GSEC 2016 introduced a Python-based fuzzing framework for testing Windows kernel security. The framework is designed to be scalable and extensible for comprehensive kernel vulnerability detection. Presentation slides are available for download from the original source.
-
Ben Campbell Jon Cave - 16 Dec 2014
Digging into MS14-068, Exploitation and Defence
MS14-068 is a critical Windows vulnerability in Kerberos authentication that allows any authenticated domain user to forge a Privilege Attribute Certificate (PAC) and escalate privileges to domain administrator. The vulnerability enables an attacker to manipulate PAC signatures and bypass authentication controls on domain controllers running Windows 2008 and earlier. Exploitation requires only a standard domain user account and can be performed using tools like PyKEK and Impacket.
- 15 Aug 2014
Windows 8 Kernel Memory Protections Bypass
A technique for bypassing Windows 8 kernel memory protections like SMEP and DEP is demonstrated by manipulating paging structures. The method allows modification of memory page flags to enable user-mode code execution in kernel-mode. By targeting isolated paging structures, an attacker can corrupt page table entries to circumvent kernel memory safeguards on 64-bit Windows systems.