Joined July 2021
Lukas Klein | @rantasec.bsky.social retweeted
Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0
Lukas Klein | @rantasec.bsky.social retweeted
23 Oct 2025
SpecterOps released "DumpGuard" along with a detailed article on how they were able to bypass Windows Credential Guard in both privileged and unprivileged contexts. I learned a ton about Isolated LSA and friends: specterops.io/blog/2025/10/2…
Lukas Klein | @rantasec.bsky.social retweeted
Fact: Remote service and scheduled task creation bypass firewalls on DCs and Win file servers because of SMB tunnelling. Solution: Create RPC filters that block MS-SCMR and MS-TSCH over named pipes. The latter has 3 UUIDs, so blocking the atsvc pipe is more elegant. #DSInternals
Lukas Klein | @rantasec.bsky.social retweeted
Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM. github.com/trustedsec/Titani…
Lukas Klein | @rantasec.bsky.social retweeted
The DSInternals.RpcFilters PowerShell module for Windows RPC filter management is out! Includes support for the new OpNum matching capability of Windows Server 2025. Looking forward to community feedback. github.com/MichaelGrafnetter…
Lukas Klein | @rantasec.bsky.social retweeted
17 Sep 2025
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…
Lukas Klein | @rantasec.bsky.social retweeted
Can't kill sysmon.exe anymore? Cut it off from its own log by stopping ETW logger! LocalSystem required, of course.
Lukas Klein | @rantasec.bsky.social retweeted
14 Apr 2025
Check out @elad_shamir's recent blog post to learn more about NTLM relay attacks. ⬇️ ghst.ly/4lv3E31

Lukas Klein | @rantasec.bsky.social retweeted
Catch @IzySec's recent podcast discussing Rogue Remote Desktop Protocol: open.spotify.com/episode/5AG…
Lukas Klein | @rantasec.bsky.social retweeted
15 Jan 2025
Check out this new blog post from @_wald0 discussing the fundamental components & mechanics that enable the emergence of critical Attack Paths in Microsoft's increasingly popular Intune product. ⬇️ ghst.ly/3Cd5cwH

Lukas Klein | @rantasec.bsky.social retweeted
Now available in my tenant ADSynchronization.ReadWrite.All
Lukas Klein | @rantasec.bsky.social retweeted
The Chinese threat intelligence report is here: mp.weixin.qq.com/s/3bmehaRuv… It’s always nice to see reports from other parts of the world because they can give a different perspective. That said, the translation I read was super confusing so I’m sure I missed some details

The Chinese Computer Emergency Response Center announced that a U.S. intelligence agency hacked an advanced materials unit and an energy-focused company, stealing important trade secrets and intellectual property via trojans. globaltimes.cn/page/202412/1…
Lukas Klein | @rantasec.bsky.social retweeted
11 Dec 2024
I finished my talk at BHEU! The attack methods and techniques shared in the talk are not a great deal, but I hope this serves as an opportunity to draw attention to the importance of security measures for Intune. Here is the tool released for the talk. github.com/secureworks/pytun…
Lukas Klein | @rantasec.bsky.social retweeted
12 Dec 2024
Unauthenticated Remote Code Execution (RCE) on Domain Controllers (DC). It does not get worse than that. Probably will be included in #ransomware campaigns. Any technical analysis of CVE-2024-49112 published? CC: @gentilkiwi @harmj0y @_wald0
Lukas Klein | @rantasec.bsky.social retweeted
12 Dec 2024
How many audits or IR engagements do you think pull the UAL without checking if any accounts have Audit Bypass enabled?
12 Dec 2024
Replying to @malmoeb
Even if Audit Logging is enabled tenant wide, it can still be disabled on individual accounts. To find out if it has been disabled, run this in EXO:
Get-MailboxAuditBypassAssociation -ResultSize unlimited | Format-Table Name,AuditBypassEnabled
Source: learn.microsoft.com/en-us/po…
Lukas Klein | @rantasec.bsky.social retweeted
12 Dec 2024
Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃