<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on zyn3rgy.io</title><link>https://zyn3rgy.io/posts/</link><description>Recent content in Posts on zyn3rgy.io</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Tue, 25 Nov 2025 00:00:00 +0000</lastBuildDate><atom:link href="https://zyn3rgy.io/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>Less Praying More Relaying - Enumerating EPA Enforcement for MSSQL and HTTPS</title><link>https://zyn3rgy.io/posts/less-praying-more-relaying-enumerating-epa-enforcement-for-mssql-and-https/</link><pubDate>Tue, 25 Nov 2025 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/posts/less-praying-more-relaying-enumerating-epa-enforcement-for-mssql-and-https/</guid><description>&lt;p&gt;&lt;em&gt;&lt;strong&gt;TL;DR&lt;/strong&gt;&lt;/em&gt; – &lt;em&gt;It&amp;rsquo;s important to know if your NTLM relay will be prevented by integrity protections such as EPA, before setting up for and attempting the attack. In this post, we share how to solve this problem for additional protocols (MSSQL and HTTP), as well as publish &lt;a href="https://github.com/zyn3rgy/relayinformer"&gt;RelayInformer tools&lt;/a&gt; to automate the solution.&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="problem-statement"&gt;Problem Statement&lt;/h2&gt;
&lt;p&gt;NTLM relays can be challenging and time-consuming to conduct, especially when the relay is taking place over command and control (C2). There are plenty of variables to worry about between setup, coercion, tunnels, and traffic redirection. All that setup and headache could be for naught if Extended Protection for Authentication (EPA) is configured to protect the target service.&lt;/p&gt;</description></item><item><title>Relay Your Heart Away: An OPSEC-Conscious Approach to 445 Takeover</title><link>https://zyn3rgy.io/posts/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover/</link><pubDate>Thu, 01 Aug 2024 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/posts/relay-your-heart-away-an-opsec-conscious-approach-to-445-takeover/</guid><description>&lt;p&gt;Even within organizations that have achieved a mature security posture, targeted NTLM relay attacks are still incredibly effective after all these years of abuse. Leveraging several of these NTLM relay primitives, specifically ones that require coercing SMB-based authentication, comes with additional challenges to overcome while operating over command and control (C2). 
This technique will ease the abuse of several popular NTLM relay primitives by allowing attackers to control inbound 445/tcp traffic without loading a driver, loading a module into LSASS, or requiring a reboot of the target Windows machine.&lt;/p&gt;</description></item><item><title>Less SmartScreen More Caffeine: Abusing ClickOnce for Trusted Code Execution</title><link>https://zyn3rgy.io/posts/less-smartscreen-more-caffeine-abusing-clickonce-for-trusted-code-execution/</link><pubDate>Wed, 07 Jun 2023 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/posts/less-smartscreen-more-caffeine-abusing-clickonce-for-trusted-code-execution/</guid><description>&lt;p&gt;The contents of this post were written by Nick Powers (&lt;a href="https://twitter.com/zyn3rgy"&gt;@zyn3rgy&lt;/a&gt;) and Steven Flores (&lt;a href="https://twitter.com/0xthirteen"&gt;@0xthirteen&lt;/a&gt;), and are a written version of the content &lt;a href="https://www.youtube.com/watch?v=cyHxoKvD8Ck"&gt;presented at Defcon30&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;With the barrier to entry for initial access ever increasing, we spent some time digging into potentially lesser-known weaponization options for ClickOnce deployments. A few of the hurdles we&amp;rsquo;d like to overcome by implementing these weaponization options include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Install / execute application without administrative privileges&lt;/li&gt;
&lt;li&gt;Reputable, known-good file(s) used during execution&lt;/li&gt;
&lt;li&gt;Streamlined, minimal user interaction required&lt;/li&gt;
&lt;li&gt;Ease of rerolling execution implementations&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Ultimately, we want to take a relatively common initial access technique known as ClickOnce and extend its value for the offensive use case by abusing the trust of third-party applications.&lt;/p&gt;</description></item><item><title>Proxy Windows Tooling via SOCKS</title><link>https://zyn3rgy.io/posts/proxy-windows-tooling-via-socks/</link><pubDate>Thu, 10 Jun 2021 00:00:00 +0000</pubDate><guid>https://zyn3rgy.io/posts/proxy-windows-tooling-via-socks/</guid><description>&lt;p&gt;Leveraging SOCKS to proxy tools from a Windows attacker machine through a compromised host is a topic that contains some nuance and room for confusion. This nuance stems from protocol requirements of common network traffic being proxied into a target network, as well as the tools (or lack thereof) available for Windows to facilitate proxying network traffic via SOCKS. However, there is significant value in the ability to proxy existing Windows tools and native utilities into a network from an offensive perspective. To that end, this post aims to step through:&lt;/p&gt;</description></item></channel></rss>