Category: Purple Team
-
Bind Link – EDR Tampering
The Bind Link API enables Administrators to create transparent mappings from a virtual path to a backing path (local or remote). The Bind Link feature was introduced in Windows 11 and according to Microsoft it should be used to improve application compatibility by making files stored in a network share…
-
LSASS Dump – Windows Error Reporting
The Windows Error Reporting is a feature that is responsible for the collection of information about system and application crashes and reporting this information to Microsoft. Windows are shipped with the WerFaultSecure binary that is used by the Windows Error Reporting service, and it is signed by Microsoft to collect…
-
Golden dMSA
Delegated Managed Service Account (dMSA) was introduced by Microsoft in Windows Server 2025 to prevent Kerberos related attacks such as Kerberoasting by binding authentication of service accounts to device identity. The BadSuccessor technique abused dMSA objects for lateral movement. However, following the research from Akamai on BadSuccessor, Semperis identified a…
-
Active Directory Enumeration – ADWS
Microsoft introduced Active Directory Web Services (ADWS) in Windows Server 2008 R2 as a method to provide an interface to instances for querying and managing Active Directory over a network. The service runs on domain controllers by default on TCP port 9389 and communication is performed via the Simple Object…
Purple Team 