Threat Research
Categories
- Active Directory Backup & Recovery (64)
- Active Directory Security (225)
- AD Security 101 (17)
- Community Tools (19)
- Directory Modernization (9)
- From the Front Lines (69)
- Hybrid Identity Protection (69)
- Identity Attack Catalog (32)
- Identity Threat Detection & Response (151)
- Our Mission: Be a Force for Good (14)
- Purple Knight (5)
- Semperis University (5)
- The CISO's Perspective (16)
- Threat Research (69)
- Uncategorized (1)
nOAuth Abuse Alert: Full Account Takeover of Entra Cross-Tenant SaaS Applications
- Eric Woodruff
- Jun 25, 2025
Key findings In testing 104 applications, Semperis found 9 (or roughly 9%) that were vulnerable to nOAuth abuse. As the abuse has been already disclosed, the ability to perform nOAuth is low complexity. nOAuth abuse exploits cross-tenant vulnerabilities and can lead to SaaS application data exfiltration, persistence, and lateral movement.…
LDAP Reconnaissance Explained
- Huy Kha | Senior Identity & Security Architect
- Mar 06, 2025
Lightweight Directory Access Protocol (LDAP) reconnaissance is an approach that enables attackers to discover valuable details about an organization, such as user accounts, groups, computers, and privileges. Learn how to detect LDAP reconnaissance and how cyberattackers can use this method as part of an attempt to compromise your environment. What…
Group Policy Abuse Explained
- Huy Kha | Senior Identity & Security Architect
- Feb 27, 2025
Group Policy is a key configuration and access management feature in the Windows ecosystem. The breadth and level of control embodied in Group Policy Objects (GPOs) within Active Directory make Group Policy abuse a popular method for attackers who want to establish or strengthen a foothold in your environment. Here's…
Password Spraying Explained
- Huy Kha | Senior Identity & Security Architect
- Feb 22, 2025
Password spraying is a top cyber threat, named in the recent report from the cybersecurity agencies in the Five Eyes alliance. What is password spraying, how have cyberattackers used it in the past, and how can you detect and defend your hybrid Active Directory environment against password spraying attacks? What…
Golden Ticket Attack Explained
- Huy Kha | Senior Identity & Security Architect
- Feb 02, 2025
A Golden Ticket attack occurs when an attacker forges a Kerberos Ticket Granting Ticket (TGT) to gain full control over an Active Directory environment. By compromising the KRBTGT account, which signs all Kerberos tickets, the attacker can create fake tickets for any user and gain access to any resource within…
How to Defend Against Silver Ticket Attacks
- Daniel Petri | Senior Training Manager
- Feb 02, 2025
In the complex world of cybersecurity, Golden Ticket and Silver Ticket attacks stand out as two crafty methods targeting the Kerberos authentication system. Although both attacks exploit the same system, their approaches, objectives, and implications differ. Here’s what you need to know about Silver Ticket attacks, including how they differ…
Unconstrained Delegation Explained
- Huy Kha | Senior Identity & Security Architect
- Jan 26, 2025
Cybersecurity agencies from the Five Eyes alliance, including CISA and the NSA, have urged organizations to strengthen security around Microsoft Active Directory (AD), a prime target for cyberattackers. The alliance’s recent report highlights more than a dozen tactics that threat actors use to exploit AD. Among these common techniques is…
AS-REP Roasting Explained
- Huy Kha | Senior Identity & Security Architect
- Jan 25, 2025
Authentication Server Response (AS-REP) Roasting enables attackers to request encrypted authentication responses for accounts in Active Directory that have Kerberos pre-authentication disabled. AS-REP Roasting is one of the Active Directory threats that cybersecurity agencies in the Five Eyes alliance warn about in the recent report, Detecting and Mitigating Active Directory…
