1. X
  2. Dirk-jan
Log inSign up
Dirk-jan
2,523 posts
Image
user avatar
Dirk-jan
@_dirkjan
Hacker at @OutsiderSec. Researches AD and Azure (AD) security. Likes to play around with Python and write tools that make work easier.
dirkjanm.io
Joined December 2017
207
Following
29.9K
Followers
RepliesRepliesMediaMedia

New to X?

Sign up now to get your own personalized timeline!

Create account

By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.

Terms·Privacy·Cookies·Accessibility·Ads Info·© 2026 X Corp.
Don't miss what's happening
People on X are the first to know.
Log inSign up
  • Pinned
    user avatar
    Dirk-jan
    @_dirkjan
    Sep 17, 2025
    I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:
    dirkjanm.io
    One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
    While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise...
    477K
  • user avatar
    Dirk-jan
    @_dirkjan
    Oct 4, 2022
    Fox-IT just open sourced their enterprise forensics tooling dissect. This is a big project that some of the smartest people I know have worked on. It supports many filesystems and file formats, all as Python libraries. Docs: docs.dissect.tools / code: github.com/fox-it/dissect
    Image
  • user avatar
    Dirk-jan
    @_dirkjan
    Sep 14, 2020
    So yes, Zerologon (CVE-2020-1472) is quite easy to exploit. Unauthenticated user to Domain Admin. This is really scary. Run exploit, DCSync with DC account and empty NT hash: you have Domain Admin and a broken DC. Awesome find by Tom Tervoort 🙂. Patch patch patch!
    Image
  • user avatar
    Dirk-jan
    @_dirkjan
    Sep 20, 2020
    It has a few more prerequisites, but I finally managed to get a #Zerologon exploit working that doesn't rely on resetting passwords to exploit. Use the printerbug to make DC1 connect to you, then with lots of magic relay that to DC2 directly to DRSUAPI to DCSync 😁
    Image
  • user avatar
    Dirk-jan
    @_dirkjan
    Jan 12, 2022
    Some big personal news: last year I decided to start my own company. Today I'm making it official and announcing Outsider Security (@OutsiderSec). My focus will be on Azure AD and Active Directory security, converting my research experience into in-depth tests and advice.
  • user avatar
    Dirk-jan
    @_dirkjan
    Sep 24, 2020
    New blog: A different way of abusing Zerologon. No more password reset needed: using the printer bug with Zerologon to relay to DRSUAPI and DCSync directly with ntlmrelayx: dirkjanm.io/a-different-wa… Code: github.com/dirkjanm/CVE-2…
    Image
  • user avatar
    Dirk-jan
    @_dirkjan
    Sep 16, 2020
    There seems to be quite some questions and confusion about the impact of exploiting Zerologon (CVE-2020-1472) on the environment. So here's a thread 👇
  • user avatar
    Dirk-jan
    @_dirkjan
    Feb 22, 2022
    New blog: Relaying Kerberos over DNS using krbrelayx and mitm6. New method of gaining RCE on AD hosts in the same VLAN without credentials or needing NTLM, by abusing Kerberos, DNS and Active Directory Certificate Services. Blog:
    dirkjanm.io
    Relaying Kerberos over DNS using krbrelayx and mitm6
    One thing I love is when I think I understand a topic well, and then someone proves me quite wrong. That was more or less what happened when James Forshaw published a blog on Kerberos relaying, which...
  • user avatar
    Dirk-jan
    @_dirkjan
    Aug 11, 2022
    I've added the material from my Black Hat US talk yesterday to my blog. If you are interested in Azure AD security, love account hijacks, MFA bypass, persistence techniques and privescs, give it a read: dirkjanm.io/assets/raw/US-…
  • user avatar
    Dirk-jan
    @_dirkjan
    Jan 21, 2019
    New blog! Abusing Exchange: One API call away from Domain Admin. From any user with a mailbox to Domain Admin. Probably affects the majority of orgs using AD and Exchange.
    dirkjanm.io
    Abusing Exchange: One API call away from Domain Admin
    In most organisations using Active Directory and Exchange, Exchange servers have such high privileges that being an Administrator on an Exchange server is enough to escalate to Domain Admin. Recently...
  • user avatar
    Dirk-jan
    @_dirkjan
    Apr 25, 2019
    Just published: "Getting in the Zone: dumping Active Directory DNS using adidnsdump". Recon tool to dump DNS records in AD as any authenticated user, similar to a zone transfer. Tool: github.com/dirkjanm/adidn… Blog: dirkjanm.io/getting-in-the…
    Image
  • user avatar
    Dirk-jan
    @_dirkjan
    Mar 17, 2019
    Since everyone loves dumping credentials, I've put together a tool for remotely dumping Azure AD Connect credentials for my #TR19 talk. Uses only SMB and RPC calls, no code exec on the target host 😁
    Image
  • user avatar
    Dirk-jan
    @_dirkjan
    Apr 12, 2021
    What a time to be alive... Install the Microsoft signed Hybrid Connection Manager on victim host, link it up with your Azure app, enjoy persistent access to the on-prem network from your Azure portal. Only needs https outbound to Azure and line of sight from victim to target host
    Image
    Image
  • user avatar
    Dirk-jan
    @_dirkjan
    Oct 14, 2019
    [Blog] Office 365 was vulnerable to network attacks due to a vulnerability in Microsoft Teams. Here's a demo of an attacker obtaining access to all emails and OneDrive/SharePoint files if the victim joins an attacker controlled network. Details: dirkjanm.io/office-365-net…
    Image
    00:00
Advertisement
Advertisement