Matt Creel's Avatar

Matt Creel

@tw1sm.bsky.social

Adversary Simulation | Wannabe https://twitter.com/tw1sm https://blog.tw1sm.io

102 Followers  |  53 Following  |  4 Posts  |  Joined: 23.05.2024  |  1.4233

Latest posts by tw1sm.bsky.social on Bluesky

Post image

NTLM relay research is evolving!

Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & moreβ€”and intro RelayInformer, expanding attacker-perspective coverage for key protocols.

Grab your spot β†’ ghst.ly/oct-web-bsky

29.10.2025 22:25 β€” πŸ‘ 8    πŸ” 4    πŸ’¬ 0    πŸ“Œ 0
Preview
Update: Dumping Entra Connect Sync Credentials Recently, Microsoft changed the way the Entra Connect Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials…

New tricks, same impact
posts.specterops.io/update-dumpi...

09.06.2025 18:21 β€” πŸ‘ 6    πŸ” 7    πŸ’¬ 0    πŸ“Œ 0
Decrypting PDQ credentials | unsigned_sh0rt's blog Walkthrough of how PDQ credentials encrypts service credentials

Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cr... thanks to
@dru1d.bsky.social for writing a BOF out of the POC

tl;dr get admin on PDQ box, decrypt privileged creds

11.04.2025 21:09 β€” πŸ‘ 9    πŸ” 6    πŸ’¬ 0    πŸ“Œ 0
Preview
The SQL Server Crypto Detour - SpecterOps As part of my role as Service Architect here at SpecterOps, one of the things I’m tasked with is exploring all kinds of technologies to help those on assessments with advancing their engagement. Not l...

Celebrating 1 year at SpecterOps, this was the first project I worked on after starting. Looking at SQL Server Transparent Data Encryption, how to bruteforce weak keys, and how ManageEngine's ADSelfService product uses TDE with a suspect key. Enjoy :) specterops.io/blog/2025/04...

08.04.2025 16:03 β€” πŸ‘ 15    πŸ” 3    πŸ’¬ 1    πŸ“Œ 0
Preview
An Operator’s Guide to Device-Joined Hosts and the PRT Cookie Introduction

Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! πŸ“–

medium.com/specter-ops-...

07.04.2025 16:34 β€” πŸ‘ 5    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0

Dig through this timeline and you'll figure out what I'm here to do. I spoke to a commercial leader in the offensive security space last year. My words: you're fucking it up.

What I didn't say: I feel compelled, even though I DON'T want the bullshit, to try and fix it.

What does all of this mean?

15.03.2025 03:57 β€” πŸ‘ 23    πŸ” 10    πŸ’¬ 2    πŸ“Œ 4
Preview
Breaching AWS Course Review CloudBreach's OAWSP Certification

Worked through the CloudBreach Breaching AWS course and exam over the last two weeks. Didn't see a ton of info out there on it prior to buying the course so wrote a small review with my thoughts blog.tw1sm.io/p/breaching-...

27.12.2024 16:52 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

Cool to see another AD enum method bridge BH compatibility with bofhound! 🦾

26.11.2024 01:53 β€” πŸ‘ 3    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0

Was doing some digging "What's New" in Server2025 learn.microsoft.com/en-us/window... specifically the changes to pre-2k machines. Oddvar and I had spoken previously about the changes being solid and demonstrated pre-created machines in ADUC could no longer be set with a default password.

15.11.2024 05:25 β€” πŸ‘ 10    πŸ” 5    πŸ’¬ 1    πŸ“Œ 0
Preview
a close up of a man 's face with the words " it 's refreshing " on the bottom ALT: a close up of a man 's face with the words " it 's refreshing " on the bottom

And no ads (yet) πŸ˜‚

01.11.2024 19:07 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

@tw1sm is following 19 prominent accounts