hotnops's Avatar

hotnops

@hotnops.bsky.social

Does stuff at @specterops Cloud security research

153 Followers  |  76 Following  |  13 Posts  |  Joined: 04.02.2024  |  1.8386

Latest posts by hotnops.bsky.social on Bluesky

Preview
PingOne Attack Paths - SpecterOps You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances.

Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...

20.10.2025 17:43 β€” πŸ‘ 9    πŸ” 10    πŸ’¬ 0    πŸ“Œ 0
Preview
Certify 2.0 - SpecterOps Certify 2.0 features a suite of new capabilities and usability enhancements. This blogpost introduces changes and features additions.

The AD CS security landscape keeps evolving, and so does our tooling. πŸ› οΈ

Valdemar CarΓΈe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI

11.08.2025 20:38 β€” πŸ‘ 11    πŸ” 8    πŸ’¬ 0    πŸ“Œ 0
Preview
What’s Your Secret?: Secret Scanning by DeepPass2Β  - SpecterOps Discover DeepPass2 - a secret scanning tool combining BERT-based model and LLMs to detect free-form passwords, and other structured tokens and secrets with high accuracy.

Red teamers know the drill: endless file churning, hunting for passwords & tokens. πŸ”

Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA

31.07.2025 17:36 β€” πŸ‘ 12    πŸ” 4    πŸ’¬ 0    πŸ“Œ 1
Video thumbnail

The best creds are the ones you simply ask for =)
specterops.io/blog/2025/07...

31.07.2025 16:02 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Preview
Entra Connect Attacker Tradecraft: PartΒ 3 - SpecterOps How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains

Finally putting out my research from this spring. "Imitune" coming in soon to support the POC
specterops.io/blog/2025/07...

30.07.2025 16:46 β€” πŸ‘ 1    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Preview
GitHub - SadProcessor/BloodHoundOperator: BloodHound PowerShell client BloodHound PowerShell client. Contribute to SadProcessor/BloodHoundOperator development by creating an account on GitHub.

If you're a #bloodhound user, JD's bloodhound operator is invaluable. Now with opengraph cmdlets!
github.com/SadProcessor...

30.07.2025 14:55 β€” πŸ‘ 2    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image

Looks like the Entra QR code authentication method is going GA πŸ₯³

They've also added some great guidance on suppressing the camera permission prompt for iOS :)

learn.microsoft.com/...

24.07.2025 23:30 β€” πŸ‘ 3    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Overview of NTLM auditing enhancements in Windows 11, version 24H2 and Windows Server 2025 - Microsoft Support Summary of new auditing features and deployment details

Part 8053 of eleventy billion on our path to killing NTLM: way way way way way better auditing.

support.microsoft.com/en-us/topic/...

13.07.2025 16:35 β€” πŸ‘ 46    πŸ” 12    πŸ’¬ 3    πŸ“Œ 0
Preview
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...

I publish two blog posts today! πŸ“πŸ«

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read πŸ₯³

25.06.2025 10:14 β€” πŸ‘ 18    πŸ” 11    πŸ’¬ 0    πŸ“Œ 1

My second post for the month is now live πŸŽ‰

18.06.2025 18:54 β€” πŸ‘ 13    πŸ” 2    πŸ’¬ 2    πŸ“Œ 0
Preview
Update: Dumping Entra Connect Sync Credentials Recently, Microsoft changed the way the Entra Connect Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials…

New tricks, same impact
posts.specterops.io/update-dumpi...

09.06.2025 18:21 β€” πŸ‘ 6    πŸ” 7    πŸ’¬ 0    πŸ“Œ 0
Post image

A little over a year ago I published research on how you could leverage non-production AWS API endpoints to enumerate permissions without logging to CloudTrail. A year later...I'm still finding them. Red Teamers, these can be super useful and really up your game!

02.06.2025 13:35 β€” πŸ‘ 5    πŸ” 2    πŸ’¬ 1    πŸ“Œ 0
A command line interface

A command line interface

Some c# code

Some c# code

We’re about to take C# to the next level!

#dotnet #csharp

22.05.2025 00:31 β€” πŸ‘ 228    πŸ” 35    πŸ’¬ 27    πŸ“Œ 13
Video thumbnail

Did you miss #SOCON2025? Did you have a favorite talk you'd like to rewatch?

πŸŽ₯ All presentations from SO-CON 2025 are now live at ghst.ly/socon25-talks.

πŸ’» Slides for each talk are available at ghst.ly/socon25-slides.

19.05.2025 16:34 β€” πŸ‘ 5    πŸ” 5    πŸ’¬ 0    πŸ“Œ 0
Post image

Application Based Authentication on Microsoft Entra Connect Sync is near. With this change you will be able to use a TPM backed certificate in Entra Connect Sync for authentication.

This is a welcome change to prevent the compromise of this high privileged account.

#Entra #Certificate

02.05.2025 06:52 β€” πŸ‘ 10    πŸ” 2    πŸ’¬ 0    πŸ“Œ 1
Post image

Did you know you can send LAPS passwords to Entra on Server OS? Neither did @adamgrosstx.bsky.social or I until yesterday! Just need to hybrid join the server(s) and set the GPO to backup to "AAD"! Neat!

30.04.2025 00:33 β€” πŸ‘ 15    πŸ” 4    πŸ’¬ 2    πŸ“Œ 1

Can you use the on-behalf-of flow to bypass conditional access policies? If the middleware app satisfies conditional access, can it exchange an access token to an otherwise blocked backend resource? It turns out... no. No it can't. The CAP will kick in when the middleware app uses the OBO flow.

25.04.2025 04:08 β€” πŸ‘ 0    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0
Post image

A new dedicated resource application to enable Active Directory to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync is coming 😱

In the announcement the mentioned reason is "upcoming security hardening"...

6bf85cfa-ac8a-4be5-b5de-425a0d0dc016

#EntraID

06.01.2025 18:29 β€” πŸ‘ 40    πŸ” 13    πŸ’¬ 3    πŸ“Œ 0
Video thumbnail

🚨 Join the #PeoplesMovement this Saturday #April19 for a National Day of Action!

Yes, people will be in the streets again. Others will be organizing food drives, volunteering at shelters, hosting teach-ins, and more.

Hundreds of events are already listed at www.FiftyFifty.one/events.

16.04.2025 16:56 β€” πŸ‘ 1087    πŸ” 508    πŸ’¬ 60    πŸ“Œ 89
Post image

Understanding Windows access tokens could be your best defense. At @cackalackycon.bsky.social, @atomicchonk.bsky.social will be peeling back the layers on potato exploits that threat actors use for privilege escalation.

Check out the schedule to learn more ➑️ ghst.ly/4jzjlnI

18.04.2025 16:33 β€” πŸ‘ 6    πŸ” 3    πŸ’¬ 0    πŸ“Œ 0
Decrypting PDQ credentials | unsigned_sh0rt's blog Walkthrough of how PDQ credentials encrypts service credentials

Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cr... thanks to
@dru1d.bsky.social for writing a BOF out of the POC

tl;dr get admin on PDQ box, decrypt privileged creds

11.04.2025 21:09 β€” πŸ‘ 9    πŸ” 6    πŸ’¬ 0    πŸ“Œ 0
Preview
Tokenizing the Sandwich Debate: How NLP Models Weigh In on Hot Dogs Get the gist for Natural Language Processing (NLP) and how tokenization plays a factor

Everybody’s using AI assistants and tools these days, but do most of us understand how our text-based input is being interpreted and processed? Check out my latest blog post for a basic intro to text interpretation by AI assistants. www.corgi-Corp.com/post/tokeniz...

07.04.2025 15:04 β€” πŸ‘ 5    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Post image

Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31

08.04.2025 23:00 β€” πŸ‘ 27    πŸ” 20    πŸ’¬ 1    πŸ“Œ 2
Preview
An Operator’s Guide to Device-Joined Hosts and the PRT Cookie Introduction

Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! πŸ“–

medium.com/specter-ops-...

07.04.2025 16:34 β€” πŸ‘ 5    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0
Post image

1 year anniversary at SpecterOps, so many personal and professional achievements in a short space of time. My advice for anyone getting into this field, try and make sure that you work companies and colleagues that push you beyond your comfort level. \o/

06.04.2025 17:17 β€” πŸ‘ 23    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Post image

We are excited to see everyone at #SOCON2025 tomorrow! πŸ™Œ

Get the details on everything you need to know before arriving at the conference: specterops.io/so-con

30.03.2025 19:04 β€” πŸ‘ 16    πŸ” 4    πŸ’¬ 0    πŸ“Œ 0
Preview
GitHub - atomicchonk/roadrecon_mcp_server: Claude MCP server to perform analysis on ROADrecon data Claude MCP server to perform analysis on ROADrecon data - atomicchonk/roadrecon_mcp_server

Spent the evening deep diving into MCPs and started a new project: roadrecon_mcp_server! This #MCP takes the web GUI output from the awesome ROADtools by @dirkjanm.io and offers tools to Claude (or your #AI agent of choice) to interact with the data:

github.com/atomicchonk/...

29.03.2025 03:17 β€” πŸ‘ 11    πŸ” 5    πŸ’¬ 2    πŸ“Œ 0

What's the purpose of the x-ms-DeviceCredential header if the device id claim is already included in the user access token? It seems redundant

21.03.2025 17:48 β€” πŸ‘ 1    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

πŸŽ™οΈ BIG NEWS: I'm launching Entra.Chat - the podcast identity pros have been waiting for!

After years in the identity trenches, I've seen a lot - the midnight calls, the authentication puzzles, and those "how is this even possible?" moments.

10.03.2025 23:01 β€” πŸ‘ 62    πŸ” 15    πŸ’¬ 2    πŸ“Œ 3

Has anyone heard of anyone actually setting up WHFB certificate trust? it's gotta be a MS troll

06.03.2025 23:48 β€” πŸ‘ 1    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0

@hotnops is following 19 prominent accounts