Works @ Semperis, Tweets are my own. Blog: managedpriv.com Project: github.com/canix1

Joined September 2011
Regarding Active Directory permissions, most people assume that a Deny ACE always wins. It doesn't! Windows stops the access check the moment enough rights are granted — any ACE after that point is never evaluated. New post: managedpriv.com/blog/acl-can…
The .NET ActiveDirectorySecurity API was built for helpdesk scripts, not ACL fidelity. If you're using it for backup, migration, or exact cloning — you're going to have a bad time. New post: the 9 design problems you need to know. bit.ly/3Rl635L
Robin Granberg retweeted
24 Oct 2025
Remember the CredMarshalInfo trick? If you hadn’t applied the June 2025 patch, CVE-2025-33073 would have been critical. We know that in NTLM local auth, msg 3 is empty: You can drop sign/seal -> from Domain User to Domain Admin escalation. 😅
Robin Granberg retweeted
25 Nov 2024
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx A Kerberos relay & forwarder for MiTM attacks! >Relays Kerberos AP-REQ tickets >Manages multiple SMB consoles >Works on Win & Linux with .NET 8.0 >... GitHub: github.com/decoder-it/KrbRel…
Robin Granberg retweeted
20 Oct 2024
Now a good one: In the latest Windows 11 Enterprise Insider edition, with Credential Guard enabled (by default), the "tgtdeleg" trick, previously a key for attack chains, is no longer possible #tgtdeleg #rubeus
Robin Granberg retweeted
4 Oct 2024
Is Kerberos relaying so limited? I'd say no, thanks to @tiraniddo CredMarshalTargetInfo trick. In this case, I'm relaying SMB to HTTP (ADCS) with a modified version of @cube0x0 krbrelay using DFSCoerce and PetitPotam - classic ESC8 attack with Kerberos, no DCOM involved ;)
Robin Granberg retweeted
🤫 The part I’m most excited about with my #BHUSA talk is secretly teaching everyone about identity components of #Entra multi-tenant applications and service principals. 🤓 If that sounds boring, pretend you didn’t read this. #BlackHat2024 #infosec #EntraID #foreshadowing
If you are curious how some lesser privileged admins in #Entra could have pivoted to Global Admin in a greenfield tenant, and you're going to be at #BHUSA, the knowledge on my important severity privilege elevation will be dropped 👇 #aad #m365 #azure blackhat.com/us-24/briefings…
Robin Granberg retweeted
Are you also on a conf bridge in the middle of the night dealing with Crowdstrike's bullshit?
Robin Granberg retweeted
4 Jul 2024
Detecting Lateral Movement in Entra ID 😍 Threat actors can perform tenant-to-tenant lateral movement by abusing Cross Tenant Synchronisation. Full blog 👇 xintra.org/blog/lateral-move… You can detect lateral movement from specific logons abusing this feature in Entra ID 😝 This blog covers: > Attack methodology > Detection methodology
Robin Granberg retweeted
30 May 2024
Just published a short blog post on abusing the SeRelabelPrivilege ;) decoder.cloud/2024/05/30/abu…

I have written a new blog post about Entra ID PIM and how Sensitive Actions are supposed to protect privileged objects. But there is a situation you need to be aware of when working with PIM. managedpriv.com/blog/breachi… #EntraID #Cybersecurity #PIM #PrivilegeIdentityManagement
There is now a new free tool to get more insight into the security of Entra ID, specifically role management. github.com/canix1/PIMSCAN #PIMSCAN #EntraID #CyberSecurity
This tool generates reports on Entra ID Role assignments and gives you more accurate insight into the number of assignments, otherwise hidden roles, and nested groups.
Robin Granberg retweeted
12 Mar 2024
I created another variant of our so-loved *potato family, the #FakePotato. But have to wait for the MSRC response before disclosing, hopefully soon ;)
Awesome research by @TomerNahum1 and @ericonidentity!
What happens when you add #EntraID #SAML poor or misguided certificate management practices? You get SAML response forging. Glad to release the research @TomerNahum1 and I collaborated on. #identitysecurity #infosec #cloudsecurity semperis.com/blog/meet-silve…
Robin Granberg retweeted
Primary Refresh Tokens (#PRT) serve as a cornerstone in Microsoft Entra ID’s authentication and access management framework, enabling users to seamlessly access Microsoft services while maintaining stringent security standards. By understanding their role, implementing best practices, and aligning with security measures, organizations can harness the convenience of PRTs while safeguarding sensitive data and resources effectively. Read more below.👇 cswrld.com/2024/01/understan… #entraid #tips #cybersecurity #authentication