dirkjanm.io
Hacker at outsidersecurity.nl. Researches Entra ID, AD and occasionally Windows security. I write open source security tools and do blogs/talks to educate others on these topics. Blog: dirkjanm.io

It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell.bsky.social for the heads up.

Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀

I don't know who needs to hear this, but there is no such thing as securing BYOD, especially non-mobile OSs. You may limit damage your regular users can cause, but you are not keeping out an attacker when you accept a model that allows access from unknown, unmanaged devices.

ROADtools update: I just released roadlib v1.0! This version drops the adal dependency, all auth flows are now implemented natively 🎉 This was mostly a personal goal, but it helps with adding new features, such as forcing MFA during device code auth independent of CA policies 😀

I'm still not seeing the mandatory Azure portal MFA we were supposed to get in October / 2nd half 2024 (depending on the source you read). Anyone know the timeline when this will *actually* be rolled out?

Since redirect URLs are tricky, roadtx now includes redirect URLs for many first-party apps and uses them automatically. Demo below shows the interactiveauth module being used for the compliant device CA bypass with the "interactiveauth" module and the "companyportal" client ID alias.

After some time off to recharge outside, now back to work (and research) this week!

In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...

Today is the last day to submit to #SkiCon2025. Get your submission in if you have anything interesting to share with the community! www.skicon.org/cfp/ Tickets are also on sale: www.skicon.org/tickets/ Please reshare for reach!

👏 Huge thanks to @dirkjanm.io for an exceptional Azure & Entra security training! The nitty-gritty, and real-world examples resonated strongly among our class of 25 security analysts. Thank you! #microsoft #azure #entra #cyber #security #training #cybersecurity

Achievement unlocked, my first blog with SpecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion. buff.ly/4j41VQU

Off to a good start in the new year (Part 2). I was awarded the Microsoft MVP status a few days ago for my community contributions in the Microsoft security space. Super grateful for everyone who helped along the way to get me there! ❤️

So you want to exploit ADCS ESC8 with only netexec and ntlmrelayx? Fear not my friend, I will show you how to do it 👇 NetExec now supports "Pass-the-Cert" as an authentication method, thanks to @dirkjanm.io's original work on PKINITtools ⛱️

Few BloodHound python updates: LDAP channel binding is now supported with Kerberos auth (native) or with NTLM (custom ldap3 version). Furthermore, the BH CE collector now has its own pypi package and command. You can have both on the same system with pipx. github.com/dirkjanm/Blo...

Off to a good start in the new year! (Part 1). Thanks @msftsecresponse.bsky.social for the cool swag!

Sorry folks, I had to remove the Disconnected GPO project from GitHub... but never fear, it has returned as Disconnected RSAT since it now supports the Certificate Authority and Certificate Templates snap-ins in addition to Group Policy support. github.com/CCob/DRSAT

Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃

Awesome work by Lance, clear write-up on the issue, the solution, a PR to ROADtools and more tradecraft!

New #AADInternals version is finally out now: ▪ Moved endpoint related stuff to new module: AADInternals-Endpoints ▪ Added blue team stuff ▪ Added red team stuff See full change log at: aadinternals.com/aadinternals...

New platform, who dis? It me, and @johnnyspandex.bsky.social dropping some VPN client exploit freshness! 🌮🔒 Today, we're releasing NachoVPN, our VPN client exploitation tool, as presented at SANS HackFest Hollywood. Get it on the @amberwolfsec.bsky.social blog: blog.amberwolf.com/blog/2024/no...

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx A Kerberos relay & forwarder for MiTM attacks! > Relays Kerberos AP-REQ tickets > Manages multiple SMB consoles > Works on Win & Linux with .NET 8.0 > ... GitHub: github.com/decoder-it/K...

Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...