Okta for Red Teamers

In this blog post, I'll discuss some of the post-exploitation techniques that I've found to be useful against Okta. Specifically, this post will look at how to use delegated authentication to our advantage, silver tickets, Okta AD agent spoofing, and finally how to deploy a fake SAML provider.... Read More »

LAPS 2.0 Internals

This year, LAPS 2.0 was released by Microsoft, and thankfully it now comes built-in to Windows. This time it comes ready for use with Active Directory, as well as being supported in Azure AD aka Entra ID. In this post, we’ll look at how LAPS 2.0 for Active Directory works under the hood, so you can make those fresh recommendations to your clients, and prepare yourself for the inevitable question... “But we just deployed LAPS.. what does LAPS 2.0 do differently?!”.... Read More »

PNG Steganography from First Principles

Steganography is experiencing a revival as a wrapper for delivering payloads. In this post we'll go back to basics and show just how steganography can be applied to a PNG image using the common least significant bit (LSB) encoding technique. No magic... just raw information... and a little C++.... Read More »

Building a Custom Mach-O Memory Loader for macOS - Part 1

In this blog we'll look at what it takes to construct an in-memory loader for Mach-O bundles within MacOS Ventura without using dyld. We'll walk though the lower-level details of what makes up a Mach-O file, how dyld processes load commands to map areas into memory, and how we can emulate this to avoid writing payloads to disk.... Read More »

Restoring Dyld Memory Loading

Up until recently, we've enjoyed in-memory loading of Mach-O bundles courtesy of dyld and its NSCreateObjectFileImageFromMemory/NSLinkModule API methods. And while these methods still exist today, there is a key difference.. memory modules are now persisted to disk. So in this post we'll take a look at just what was changed in dyld, and see what we can do to restore this functionality... hopefully keeping our warez in memory for a little longer.... Read More »