Patching one technique doesn't close the entire attack vector.
dMSA abuse is still a problem, and @logangoins.bsky.social
just dropped a reality check with new tooling to prove it.
Learn more about the issue & the new BadTakeover BOF. ghst.ly/42POg9L
Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...
20.10.2025 17:43 β π 9 π 10 π¬ 0 π 0
Cookie theft has evolved. πͺ
Over the last year, stealing cookies on Windows devices has changed significantly for Chromium browsers like Chrome and Edge. Andrew Gomez dives into these changes, how threat actors adapt, & new detection opportunities. ghst.ly/45S1ZgW
Check out my new blog on nested app authentication.
13.08.2025 16:43 β π 6 π 5 π¬ 0 π 0
During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.
github.com/olafhartong/...
Slides available here:
github.com/olafhartong/...
If you use CIS Benchmarks, I highly advise against this recommendation...
This disables cloud delivered protection which underpins a bunch of capabilities, disables roughly half of your protection
Fortunately, if you enable Tamper Protection, it is forcefully enabled for you :)
ππ Track Sensitive Graph API Calls with my new #KQL Function for #MicrosoftDefenderXDR
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
Dive into the world of machine learning! βοΈ
Kicking off his blog series, Diego Lomellini uses Micrograd to explain core ML concepts like supervised learning, regression, classification, loss functions, & gradient descent. ghst.ly/44n3IeJ
I have a new post out on the @netspi.bsky.social blog today. This one is on extracting sensitive information from the Azure Load Testing service. www.netspi.com/blog/technic...
01.07.2025 20:47 β π 3 π 2 π¬ 1 π 1Actually, it's very helpful to trigger a LPE on servers by placing the missing wlanapi.dll in a writable %path% location by a non-admin user ;)
28.06.2025 11:31 β π 1 π 0 π¬ 0 π 0
Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...
28.06.2025 04:14 β π 12 π 6 π¬ 0 π 0
How attackers move between AD domains via trusts depends on trust type & config. We're replacing TrustedBy edge in BloodHound with new trust edges for better attack path mapping.
Check out @jonas-bk.bsky.social's blog post to learn more. ghst.ly/4lj9C5T
In the year since Misconfiguration Manager's release, the security community has been actively researching new tradecraft & identifying new attack paths.
@subat0mik.bsky.social & @unsignedsh0rt.bsky.social dive into the research & its impact on the state of SCCM security. Read more: ghst.ly/460vI9d
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
24.06.2025 07:12 β π 11 π 5 π¬ 1 π 1
Get the scoop on the incoming Administrator Protection for Windows 11.
@xpnsec.com covers the architecture, access controls, and why some legacy UAC bypass techniques remain effective in his latest blog post. ghst.ly/44mw5JM
We are VERY excited to announce that Volatility 3 has now reached feature parity with Volatility 2! With this parity release, Volatility 2 is now deprecated. Full details in the blog post linked below.
16.05.2025 15:08 β π 20 π 11 π¬ 0 π 0
Microsoft hardened the Entra ID synchronization feature last year:
- restricted permissions on Directory Synchronization Accounts role
- new dedicated sync app
Letβs find out how sync still works π
Some old tricks persistβand new ones have emerged π₯
tenable.com/blog/despite... π§΅
Most Microsoft tenants do not have Advanced Auditing configured correctly, and orgs only find out after it is too late :(
I tried really hard to make this as short and simple as possible. Please be nice to your IR folks and set this up, it's important ;)
nathanmcnulty.com/bl...
My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection
14.04.2025 18:17 β π 15 π 10 π¬ 3 π 0
Celebrating 1 year at SpecterOps, this was the first project I worked on after starting. Looking at SQL Server Transparent Data Encryption, how to bruteforce weak keys, and how ManageEngine's ADSelfService product uses TDE with a suspect key. Enjoy :) specterops.io/blog/2025/04...
08.04.2025 16:03 β π 15 π 3 π¬ 1 π 0
Think NTLM relay is a solved problem? Think again.
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
KrbRelayEx-RPC tool is out! π
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/K...
#SCCM forest discovery accounts can be decryptedβeven those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.
Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp
How are defenders leveraging SACLs to detect unauthorized access attempts? Check out our latest blog post from Alexander DeMine which dives into SACLs and introduces a new tool, SACL_Scanner, which allows you to adapt your tradecraft accordingly. ghst.ly/3D3kvbD
20.02.2025 20:39 β π 5 π 3 π¬ 0 π 0Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser π
18.02.2025 13:12 β π 19 π 8 π¬ 1 π 0ROADtools update: I just released roadlib v1.0! This version drops the adal dependency, all auth flows are now implemented natively π This was mostly a personal goal, but it helps with adding new features, such as forcing MFA during device code auth independent of CA policies π
07.02.2025 14:50 β π 31 π 11 π¬ 2 π 0New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
30.01.2025 18:37 β π 65 π 41 π¬ 2 π 0
In our latest article, @croco_byte proposes an implementation of a trick discovered by James Forshaw in his research regarding Kerberos relaying. Discover how to perform pre-authenticated Kerberos relay over HTTP with our Responder and krbrelayx pull requests!
www.synacktiv.com/publications...
In case if you wonder what broke #ProcessHollowing on Windows 11 24H2, I have something for you: hshrzd.wordpress.com/2025/01/27/p...
26.01.2025 23:55 β π 58 π 38 π¬ 0 π 1
