Threat Research

nOAuth Abuse Update: Potential Pivot into Microsoft 365

nOAuth Abuse Update: Potential Pivot into Microsoft 365

  • Eric Woodruff | Chief Identity Architect

Additional nOAuth research indicates that the risk of nOAuth abuse still exists and that many organizations are still unaware of this vulnerability.

Exploiting Ghost SPNs and Kerberos Reflection for SMB Server Privilege Elevation

Exploiting Ghost SPNs and Kerberos Reflection for SMB Server Privilege Elevation

  • Andrea Pierini

When misconfigured Service Principal Names (SPNs) and default permissions align, attackers can exploit Kerberos reflection to gain SYSTEM-level access remotely. Even with Microsoft’s security update, Ghost SPNs can still haunt you. Learn why.

EntraGoat Scenario 6: Exploiting Certificate-Based Authentication to Impersonate Global Admin in Entra ID

EntraGoat Scenario 6: Exploiting Certificate-Based Authentication to Impersonate Global Admin in Entra ID

  • Jonathan Elkabas and Tomer Nahum

Editor’s note This scenario is part of a series of examples demonstrating the use of EntraGoat, our Entra ID simulation environment. You can read an overview of EntraGoat and its value here. Certificate Bypass Authority–Root Access Granted EntraGoat Scenario 6 details a privilege escalation technique in Microsoft Entra ID where…

EntraGoat Scenario 2: Exploiting App-Only Graph Permissions in Entra ID

EntraGoat Scenario 2: Exploiting App-Only Graph Permissions in Entra ID

  • Jonathan Elkabas and Tomer Nahum

In our second EntraGoat attack scenario, follow the steps from a carelessly leaked certificate to capture the Global Admin password—and full Entra ID compromise.

EntraGoat Scenario 1: Service Principal Ownership Abuse in Entra ID

EntraGoat Scenario 1: Service Principal Ownership Abuse in Entra ID

  • Jonathan Elkabas and Tomer Nahum

How can a compromised low-privileged user account exploit service principal ownership—and complete an Entra ID tenant takeover? Find out when you dive into EntraGoat Scenario 1.

Getting Started with EntraGoat: Breaking Entra ID the Smart Way

Getting Started with EntraGoat: Breaking Entra ID the Smart Way

  • Jonathan Elkabas and Tomer Nahum

Ready to jump in and get your hooves dirty in EntraGoat? Start here. These quick-start steps will get you into your first attack scenario.

What Is EntraGoat? A Deliberately Vulnerable Entra ID Simulation Environment

What Is EntraGoat? A Deliberately Vulnerable Entra ID Simulation Environment

  • Jonathan Elkabas and Tomer Nahum

What’s the best way to build cyber resilience? Practice! Meet EntraGoat, your safe space for hands-on, CTF-style learning. Track attack paths, hunt down identity misconfigurations, and expose access control flaws—while building resilience against real-world threats.

Golden dMSA: What Is dMSA Authentication Bypass?

Golden dMSA: What Is dMSA Authentication Bypass?

  • Adi Malyanker | Security Researcher

Delegated Managed Service Accounts are designed to revolutionize service account management. But Semperis researchers have discovered a critical design flaw that attackers can exploit for persistence and privilege escalation in AD environments with dMSAs. Learn about Golden dMSA and its risks.