
Garrett

@unsignedsh0rt.bsky.social

AdSim @ SpecterOps

120 Followers  |  62 Following  |  10 Posts  |  Joined: 12.11.2024  |  1.4538

Latest posts by unsignedsh0rt.bsky.social on Bluesky

Decrypting PDQ credentials | unsigned_sh0rt's blog Walkthrough of how PDQ encrypts service credentials

Had some fun with PDQ Deploy/Inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cr... thanks to
@dru1d.bsky.social for writing a BOF out of the PoC

tl;dr get admin on PDQ box, decrypt privileged creds

11.04.2025 21:09 — 👍 9    🔁 6    💬 0    📌 0
Decrypting the Forest From the Trees - SpecterOps TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...

#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.

Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp

06.03.2025 20:34 — 👍 22    🔁 15    💬 1    📌 0
Relaying Kerberos over SMB using krbrelayx

Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...

20.11.2024 16:02 — 👍 30    🔁 14    💬 0    📌 0
Claude Talk with Claude, an AI assistant from Anthropic

Claude.ai is so sick. I might actually fool people into believing I know how to code with this

21.11.2024 05:33 — 👍 6    🔁 0    💬 1    📌 0
Post image 15.11.2024 05:42 — 👍 3    🔁 0    💬 0    📌 0
Post image 15.11.2024 05:42 — 👍 4    🔁 0    💬 1    📌 0

It's not limited to just adcli either...ManageEngine is probably the most familiar or recognizable tool that does this. It's true Microsoft fixed creating them in ADUC but hardly fixed things where third-party tools are involved.

15.11.2024 05:33 — 👍 4    🔁 0    💬 1    📌 0
Post image

So what's happening? The tool before would create the computer object without a password and then set it to a default after the fact. Now, that password setting is blocked and the object persists...with no password.

15.11.2024 05:30 — 👍 4    🔁 0    💬 1    📌 0
Post image

But now, you get a failure as you cannot change the accounts password. However, it STILL creates the object.

15.11.2024 05:29 — 👍 4    🔁 0    💬 1    📌 0

I had a hunch though that behavior might not be true for third-party tools, and third-party tools were arguably the biggest cause of their existence across all the environments I've tested over the years. An example of this is the adcli command line tool. Before, it would set a default password.

15.11.2024 05:28 — 👍 4    🔁 0    💬 1    📌 0

Was doing some digging into "What's New" in Server 2025 learn.microsoft.com/en-us/window... specifically the changes to pre-2K machines. Oddvar and I had spoken previously about the changes being solid and demonstrated pre-created machines in ADUC could no longer be set with a default password.

15.11.2024 05:25 — 👍 10    🔁 5    💬 1    📌 0
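The thread above describes two states a practitioner would want to find in a directory: computer objects that a third-party tool created but never managed to give a password (the adcli case on Server 2025), and the older pre-created objects that carry a default password. The script below is an added example, not code from Garrett or from any tool named in the thread. It assumes only two documented facts: a `pwdLastSet` of 0 means the password was never set, and the `PASSWD_NOTREQD` bit (0x0020) in `userAccountControl` is what ADUC sets on pre-Windows 2000 style computer objects. The sample records are constructed, not real directory output; in practice you would feed it the attributes returned by `ldapsearch` or `Get-ADComputer -LDAPFilter ... -Properties userAccountControl,pwdLastSet`.

```python
"""
Triage Active Directory computer objects for the "created but never given a
password" state described in the thread, plus the classic pre-created
(PASSWD_NOTREQD) state. Added example; not from the original posts.
"""
from dataclasses import dataclass
from typing import List, Tuple

# userAccountControl bits (documented Microsoft values)
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000

# LDAP filters a practitioner would run to pull candidates for review.
# pwdLastSet=0 means the password has never been set on the object.
LDAP_FILTER_NEVER_SET = "(&(objectClass=computer)(pwdLastSet=0))"
# The bitwise-AND matching rule (1.2.840.113556.1.4.803) tests a single uAC bit.
LDAP_FILTER_PASSWD_NOTREQD = (
    "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=32))"
)


@dataclass
class Computer:
    sam_account_name: str
    user_account_control: int
    pwd_last_set: int  # FILETIME value; 0 == never set


def classify(c: Computer) -> str:
    """Label one computer object by how it ended up without a real password."""
    if c.pwd_last_set == 0:
        # The adcli-on-Server-2025 case from the thread: the object was created,
        # the follow-up password set was refused, and the object persists.
        return "NO_PASSWORD"
    if c.user_account_control & PASSWD_NOTREQD:
        # The pre-Windows 2000 / pre-created case: a default password was accepted.
        return "PASSWD_NOTREQD"
    return "OK"


def find_suspect_computers(objs: List[Computer]) -> List[Tuple[str, str]]:
    """Return (sAMAccountName, label) for every object that is not OK."""
    flagged = []
    for c in objs:
        label = classify(c)
        if label != "OK":
            flagged.append((c.sam_account_name, label))
    return flagged


# Constructed sample records (hypothetical hosts, not real directory data).
SAMPLE = [
    # Normal domain-joined workstation: trust account bit only, password set.
    Computer("WS01$", WORKSTATION_TRUST_ACCOUNT, 133_000_000_000_000_000),
    # Pre-created the old way: uAC 4128 (0x1020), password set to a default.
    Computer("LEGACY01$", WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, 132_900_000_000_000_000),
    # Created by a third-party tool on Server 2025: object exists, password never set.
    Computer("ADCLI-HOST$", WORKSTATION_TRUST_ACCOUNT, 0),
]

if __name__ == "__main__":
    for sam, label in find_suspect_computers(SAMPLE):
        print(f"{sam:<14} {label}")
```

The two LDAP filters are the piece to take away: `pwdLastSet=0` catches the new failure mode the thread demonstrates, while the bitwise rule on `userAccountControl` still catches the older pre-created objects that ADUC no longer produces but third-party tools may.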

Guess this is the place to be then

12.11.2024 04:04 — 👍 7    🔁 0    💬 0    📌 0
