Hacker at @OutsiderSec. Researches AD and Azure (AD) security. Likes to play around with Python and write tools that make work easier.

Joined December 2017
Pinned Tweet
17 Sep 2025
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…
Dirk-jan retweeted
Jun 13
Releasing Tunnel Vision Toolkit, part of my @x33fcon talk on Microsoft Global Secure Access. Includes BOFs to assist in engagements where you face GSA, plus a rogue client that lets you connect to internal resources from unmanaged devices. github.com/ar0x4/tunnel-visi…
Dirk-jan retweeted
just wrapped up @OutsiderSec’s Offensive Entra ID training with @_dirkjan. He is in fact #thegoat 🐐 it was literally the best Entra ID training going into the nitty gritty details including agent identity blueprints 🔥
Dirk-jan retweeted
Implementing a 22-step WebAuthn validation flow is hard — even for co-authors of the spec. At #BHUSA, I'll be presenting "Pass-the-Passkey": a new family of attacks bypassing phishing-resistant MFA. Replay. Relay. Tamper. Spoof. 3 new vulns. 20 attacks. 5 OSS tools.
#BHUSA will be here before we know it. This year our team will share the tradecraft, research, & attack path insights shaping modern offensive & defensive security. 🎓 5 hands-on trainings 🎤 3 technical briefings 🛠️ 5 Arsenal sessions Learn more: specterops.io/black-hat/
Kicking off conference season with Experts Live Netherlands!
Dirk-jan retweeted
NSEC 2026, Montreal, Canada
Dirk-jan retweeted
Replying to @sannemaasakkers
@sannemaasakkers and @_dirkjan on stage together at @NorthSec_io talking about threat actors using researcher knowledge in cloud attacks
And now you don't 🙃
Now I see you @_dirkjan 😁 Blog post including ROADrecon detection based on AADGraphActivityLogs is coming very soon(tm)
Dirk-jan retweeted
If you came to SOCON, you may have seen the fireside chat on Ouroboros (if you weren't too busy counting my "urm"s 😝). The blog post is now live, detailing how we can use Dev-Tunnels for lateral movement, and allow pivoting from GitHub/Entra ID access. specterops.io/blog/2026/05/0…
Dirk-jan retweeted
I published a new "security research" post, and for once, it’s not about Windows 😅 This time I took a look at the myAudi connected vehicle platform and its APIs..🤓 Curiosity drives security research, no matter the target Read it here 👇 decoder.cloud/2026/05/08/oh-…
One month to go until the next public edition of my Entra ID course in The Hague. Working on some roadrecon and roadtx updates from my backlog, and new content on agent identities! Tickets are still available via events.outsidersecurity.nl/e…
Dirk-jan retweeted
Today is a good day! #AADGraphActivityLogs are finally there! @_dirkjan: We finally get the opportunity to hunt you down 🛡️ Schema: learn.microsoft.com/en-us/az…
Dirk-jan retweeted
🛸 👽 We have published this year's agenda with the talks for the AREA41 security conference 2026 🛸 👽 We are excited - hope you too! ➡️ Check them out at: a41con.ch/#schedule 📅 June 18-19, 2026, Zürich 🎫 Ticket sale May 5th @ 13:00 pretix.eu/DC4131tickets/A41-…
Me trying to figure out Agent Identities in Entra ID. I really wonder who decided apps and service principals weren't already difficult enough to understand and went with a design that is even wayyy more complicated 😅.
Looks like the conference agenda for the next few months is filled in! First up will be @NorthSec_io in Montreal, where I'll talk with @sannemaasakkers about cloud research versus real-world attacks.
After that I'm excited to return to @a41con in Zürich and hang out with the Swiss cybersecurity community!
Last but not least I'll also be back at @WEareTROOPERS at the end of June. Especially excited for that one as it's kind of full circle from my first real conference talk ever in 2019 to this one in 2026. Looking forward to seeing everyone at one of these conferences 😀.
Dirk-jan retweeted
📢 You already know FOCI, BroCI, and all the OAuth2.0 flows? But do you already know the secret token providers of Entra ID? In my latest research post I explore how you can, hidden from the Defenders, request new access tokens. cloudbrothers.info/en/avoid-… #EntraID #DefenderXDR