Intro Some time ago, I was in the role of a consultant on how to enable Device Guard in an enterprise in a step-by-step manner. That was the Windows 10 OS, and enabling Credential Guard is another layer of protection against various types of attacks that aim to steal your credentials, such as NTLM hashes, typically with tools… Read More »
One of the popular techniques is based on the usage of a pair of functions: KeStackAttachProcess attaches the current thread to the address space of the target process. This function is used by both Antiviruses and Rootkits. Also, I found some of my old screenshots of disassembled ProcessXP that also uses this approach The final snippet code could… Read More »
OpenFGA and Keycloak configuration Some time ago, we integrated OpenFGA with Keycloak for our AuthN/AuthZ implementation. OpenFGA can interpret the token’s “aud” claim when making authentication/authorization decisions. The “aud” claim specifies the intended recipient(s) of the token: The “aud” (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT must… Read More »
Intro Many articles have references to SSO capabilities of Keycloak, but they often don’t explain how it works under the hood. In this article we have simple environment in form of Docker Compose with Keycloak and two Angular applications that will help you to understand how cookies based authentication works with Keycloak. We will dive deep into this… Read More »
If you’re working with Keycloak and wondering how to handle multi-tenancy, then this article is for you. I’ve seen a lot of confusion around realms – what they are, how they behave, and whether they’re the right building blocks for tenant separation. Let’s break it down. What is a Realm in Keycloak? At its core, a realm in… Read More »
Keycloak Admin REST API performance limitations Previously, we have dealt with some limitations related to Keycloak that might be useful to know before actively using Keycloak Admin REST API in your projects. These are the following: The problem with Keycloak Admin REST API can be mitigated from an architectural perspective by just replacing local Keycloak users with a… Read More »
Latency degradation due to JVM GC This story is about choosing the correct garbage collector and its potential impact on performance. Performance is typically divided into two main areas of interest: Of course, I mentioned these two areas as a matter of interest in this article, but you may have your own perspective. So, what is JVM ergonomics?… Read More »
We basically need a Windows Server for various experiments, such as studying Keycloak federation with AD, exploring different types of attacks like Kerberoasting, learning the Kerberos protocol, and ADFS and SAML integration with Keycloak and etc. It’s not a supported installation of Windows Server on ARM architecture so a simple way is to have separate laptop with installed… Read More »
Intro Imagine, that you know that attackers are on a particular host but you have no idea whether they are persisted on another ones, servers, domain controllers. Detecting fileless artifacts, such as beacons in the case of Cobalt Strike, is not as easy as it may seem. Two interesting techniques that can be used here are: Below are… Read More »
Intro Some time ago, I was involved in defending against a cyber attack (or perhaps an attack simulation) at Company X. I believe this example will be particularly interesting for those who want to deepen their understanding of how attackers operate and what defense approaches can help companies protect themselves. This story is a real-world example of an… Read More »