Stale Accounts and Old Passwords in Active Directory - Audit and Remediation

1. The Reality of Active Directory Every AD environment accumulates history. Migrations, acquisitions, staff turnover, legacy applications — they all leave traces. The result is almost always the same: enabled accounts that nobody remembers, service accounts with passwords set years ago, and exceptions that were “temporary” and never cleaned up. This is exactly the low-hanging fruit attackers look for first. Why spend time trying to break into a well-protected account with MFA when there is a 20-year-old enabled account sitting next to it — or a service account with a 5-year-old password and access to something critical? ...

July 15, 2026 · 3 min · Tony Merisan

CVE-2026-26128 — Kerberos Reflection Bypass: Detection & Mitigation

1. Overview CVE-2026-26128 is a Kerberos authentication reflection bypass discovered by Synacktiv that completely bypasses the patch introduced for CVE-2025-33073. It allows an attacker to obtain SYSTEM-level access on most Windows builds. CVE CVE-2026-26128 Discovered by Synacktiv Patched March 2026 Patch Tuesday Related CVE-2025-33073, CVE-2025-58726, CVE-2026-24294 Impact Local Privilege Escalation → SYSTEM Affected All Windows versions except Windows 11 24H2 (default config) 2. Background The broader context of this vulnerability sits within a chain of authentication reflection research: ...

July 6, 2026 · 3 min · Tony Merisan

NTLM Coercion in Active Directory — Detection & Mitigation

1. What is NTLM Coercion? NTLM coercion is an attack technique where an adversary with network access forces a Windows machine — typically a Domain Controller — to authenticate against an attacker-controlled host. That authentication travels in NTLM format and can be captured and relayed (NTLM relay) to access other domain resources, or cracked offline. The classic scenario: The attacker runs a coercion tool (Coercer, PetitPotam, PrinterBug) against a DC. The DC automatically attempts to authenticate against the attacker’s IP. The attacker captures the NTLMv2 hash and relays or cracks it. Depending on privileges, this can lead to full domain compromise. 2. Common Coercion Vectors Vector Protocol Notes Print Spooler (MS-RPRN) RPC / SMB Most historically exploited EFS (MS-EFSRPC) RPC Requires EFS to be active DFS (MS-DFSNM) RPC / SMB Common on DCs with DFS enabled WebClient (WebDAV) HTTP Requires the service to be running 3. What Changed in Windows Server 2025 Windows Server 2025 (and Server 2022 23H2 onwards) introduced significant changes that reduce the default attack surface: ...

July 6, 2026 · 3 min · Tony Merisan

Onelogon — Netlogon Vulnerable Channel Bypass

1. Summary A publicly disclosed technique, referred to as “Onelogon”, demonstrates a bypass of the Zerologon (CVE-2020-1472) remediation on Active Directory Domain Controllers. The bypass does not target a new flaw in the Netlogon Remote Protocol (MS-NRPC) itself — it targets legacy compatibility exceptions that administrators may have left enabled after the original Zerologon patch cycle (August 2020 – February 2021). Where these exceptions are present and misconfigured, an attacker can re-establish an unauthenticated or weakly authenticated Netlogon secure channel, impersonate a computer account, and in some documented cases escalate to full domain compromise (credential dumping via DCSync-style replication, extraction of NTDS.dit). ...

July 4, 2026 · 4 min · Tony Merisan