Elad Shamir @elad_shamir
The Woodlands, TX
eladshamir.com
Joined July 2017
  • Tweets 78
  • Following 41
  • Followers 5,170
1 Photos and videos
Check out my latest research "Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory" New attack techniques and live 0days inside. MSRC’s response: "this is not an issue which will be addressed via a security update" shenaniganslabs.io/2019/01/2…

Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory

Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I...

shenaniganslabs.io
17
357
11
600
Have you ever wondered how RODCs work and whether compromising one would necessarily allow for privilege escalation? The answers are in my new post: At the Edge of Tier Zero: The Curious Case of the RODC posts.specterops.io/at-the-e…

At the Edge of Tier Zero: The Curious Case of the RODC

The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory…

posts.specterops.io
3
191
6
550
GMSA passwords aren’t what you think. Read all about it in @YuG0rd’s post, where he dives into how gMSA passwords are generated and introduces the Golden GMSA attack. semperis.com/blog/golden-gms…

Introducing the Golden GMSA Attack - Semperis

Passwords associated with gMSAs are generated using inputs that cannot be rotated if compromised, allowing attackers with high privileges to dump KDS root keys and generate the passwords of the...

semperis.com
1
80
6
176
I usually avoid this kind of stuff, but I’ll make an exception naming and shaming this time. This is a complete rip off of a presentation I spent a lot of time and effort putting together back in 2019. Shame on you @sensepost and @AwesomeFox7
This tweet is unavailable
4
2
14
The original slide deck is available here: shenaniganslabs.io/media/Con…
1
2
1
21
I published a new post about SPN-jacking - an edge case in WriteSPN abuse (pun intended). Check it out: semperis.com/blog/spn-jackin…

SPN-jacking: An Edge Case in WriteSPN Abuse - Semperis

Attackers can manipulate the SPN of computer/service accounts to redirect preconfigured Constrained Delegation to unintended targets, even without obtaining SeEnableDelegation privileges. Read our...

semperis.com
3
175
5
370
I just published my first @SpecterOps post about Shadow Credentials - an alternative technique for taking over user and computer objects in AD. Check it out: posts.specterops.io/shadow-c…

Shadow Credentials: Abusing Key Trust Account Mapping for Takeover

The techniques for DACL-based attacks against User and Computer objects in Active Directory have been established for years. If we…

posts.specterops.io
5
314
10
675
My teammate Matt Johnson (@breakfix) published a new post about his brilliant Airstrike Attack (CVE-2021-28316), allowing for FDE bypass and EoP on domain-joined Windows workstations. MSRC has just released a patch. Check it out at shenaniganslabs.io/2021/04/1…

Airstrike Attack - FDE bypass and EoP on domain joined Windows workstations (CVE-2021-28316)

By default, domain joined Windows workstations allow access to the network selection UI from the lock screen. An attacker with physical access to a locked device with WiFi capabilities (such as a...

shenaniganslabs.io
Matt Johnson @breakfix
13 Apr 2021
Check out my latest blog post detailing the "Airstrike Attack" allowing for FDE bypass and EoP on domain joined Windows workstations (CVE 2021-28316) shenaniganslabs.io/2021/04/1…
1
6
1
15
Need to traverse security zones? In this new post, I share a trick for establishing peer-to-peer C2 over DNS with ADIDNS. shenaniganslabs.io/2020/04/1…

DNS Peer-to-Peer Command and Control with ADIDNS

When gaining initial access on a host in a secure zone with restricted outbound traffic, establishing a command and control channel for an implant can be a challenge. Using DNS for peer-to-peer...

shenaniganslabs.io
4
134
3
277
As always, amazing work, Chris.
initstring @init_string
12 Feb 2020
After months of research, here's my deep dive into post-exploit tactics and techniques for Google Cloud Platform. I hope you find it helpful!
Very clever attack by @danyaldrew, who managed to bypass the mitigations by exploiting a simple yet elusive design flaw. Good job, Dan!
Danyal Drew @DanyalDrew
12 Nov 2019
NTLM reflection is back to haunt windows. Read about Ghost Potato here (this time with a fixed link): shenaniganslabs.io/2019/11/1…
1
1
8
NTLM reflection is back to haunt Windows. @danyaldrew bypassed the mitigations with a simple yet elusive design flaw. Read all about Ghost Potato in our latest post: shenaniganslabs.io/2019/11/1…

Ghost Potato

Halloween has come and gone, and yet NTLM reflection is back from the dead to haunt MSRC once again. This post describes a deceptively simple bug that has existed in Windows for 15 years. NTLM...

shenaniganslabs.io
1
133
7
247
We just finished delivering our @defcon workshop about Kerberos delegation attacks. As promised, here's the slide deck for those that couldn't attend: shenaniganslabs.io/2019/08/0…

DEF CON 27 Workshop Slide Deck

Now that we finished our workshop “Constructing Kerberos Attacks with Delegation Primitives” at DEF CON 27, we can share the slide deck: Constructing Kerberos Attacks with Delegation Primitives.pdf...

shenaniganslabs.io
5
150
6
322
Just in time for our @defcon workshop about Kerberos delegation, MSRC failed to meet the disclosure deadline, and we publicly disclose another primitive to achieve LPE on domain-joined Windows hosts. shenaniganslabs.io/2019/08/0…

Gone to the Dogs

Just in time for our DEF CON workshop “Constructing Kerberos Attacks with Delegation Primitives”, Microsoft failed to meet the disclosure deadline, and so we publish another primitive that can be...

shenaniganslabs.io
4
216
7
356
Myself and @3xocyte will be teaching a workshop on Kerberos delegation at @defcon. We will cover everything from Kerberos 101, through the classic delegation attacks, to the latest attack chains. Join us for an entertaining presentation and hands-on labs. eventbrite.com/e/constructin…

Constructing Kerberos Attacks with Delegation Primitives - Red Rock VII

Title: Constructing Kerberos Attacks with Delegation Primitives Instructor: Elad Shamir & Matt Bush Abstract:   Kerberos delegation is a dangerously powerful feature that allows services to imperso...

eventbrite.com
1
6
2
29
My teammate Chris Moberly (@init_string) strikes again with another Linux LPE, a very clever exploit, and an awesome write-up. shenaniganslabs.io/2019/05/2… Brilliant work, Chris!

Linux Privilege Escalation via LXD & Hijacked UNIX Socket Credentials

Linux systems running LXD are vulnerable to privilege escalation via multiple attack paths, two of which are published in my “lxd_root” GitHub repository. This blog will go into the details of what I...

shenaniganslabs.io
initstring @init_string
21 May 2019
A new way to exploit LXD for Linux privilege escalation: relaying UNIX socket credentials to speak directly to systemd. Hope you enjoy! shenaniganslabs.io/2019/05/2…
8
16
The @SpecterOps Adversary Tactics: Detection course in Brisbane was a blast. I learned a lot, had great discussions about detection, evasion and ideas for new techniques. Meeting @robwinchester3, @Cyb3rWard0g, and @rrcyrus was a pleasure. I hope to see you again soon. Thank you!
1
4
25
My teammate Chris Moberly (@init_string) just dropped a beautiful LPE on stock Ubuntu and derivatives - “dirty_sock” shenaniganslabs.io/2019/02/1… Nice work, Chris!

Privilege Escalation in Ubuntu Linux (dirty_sock exploit)

In January 2019, I discovered a privilege escalation vulnerability in default installations of Ubuntu Linux. This was due to a bug in the snapd API, a default service. Any local user could exploit...

shenaniganslabs.io
2
218
7
380
For those that missed it, resource-based constrained delegation can be abused for LPE on Windows 10 with default configuration and on Windows 2016/2019 with WebDAV Redirector. Details: shenaniganslabs.io/2019/01/2… Short demo: inv.warpnine.de/741uz0ILxCA

Windows 10/2016/2019 LPE via NTLM relay to configure RBCD

youtube.com
2
57
111
Check out my latest research "Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory" New attack techniques and live 0days inside. MSRC’s response: "this is not an issue which will be addressed via a security update" shenaniganslabs.io/2019/01/2…

Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory

Back in March 2018, I embarked on an arguably pointless crusade to prove that the TrustedToAuthForDelegation attribute was meaningless, and that “protocol transition” can be achieved without it. I...

shenaniganslabs.io
17
357
11
600
Thanks to @harmj0y @bluscreenofjeff @brian_psu @001SPARTaN for awesome training, and upskilling @TML_au's red team.
3
14
Show this thread
Load more