Chris Thompson

@_Mayyhem

Followers: 2K | Following: 2K | Media: 14 | Statuses: 431

Senior Security Researcher @SpecterOps https://t.co/Sz5fRYkX6u

Joined August 2015
@_Mayyhem
Chris Thompson
8 months
Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro, a new(ish) tool I wrote for those situations, and this blog post to walk you through how:
@_Mayyhem
Chris Thompson
5 days
RT @subat0mik: Thanks to everyone who attended our (@unsigned_sh0rt) talk at @WEareTROOPERS! Here is the companion blog post: https://t.c…
@_Mayyhem
Chris Thompson
20 days
RT @HackAndDo: I'm not sure everyone realizes it, but as it stands, if you have an Active Directory with default configurations, any machin…
@_Mayyhem
Chris Thompson
25 days
RT @_xpn_: So excited to see this one come out! Awesome post from @n0pe_sled on why IdP's should still be scrutinized! (tl;dr: OneLogin le…
@_Mayyhem
Chris Thompson
1 month
RT @SpecterOps: BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escala…
@_Mayyhem
Chris Thompson
1 month
RT @_logangoins: I'm super happy to announce an operationally weaponized version of @YuG0rd's BadSuccessor in .NET format! With a minimum o…
@_Mayyhem
Chris Thompson
2 months
RT @Oddvarmoe: Your #MDT shares might be spilling secrets like a drunk uncle at a wedding. 🍷💬 In my latest post for @TrustedSec, I dig int…
@_Mayyhem
Chris Thompson
2 months
RT @YuG0rd: 🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability. It allows…
@_Mayyhem
Chris Thompson
2 months
The video of @unsigned_sh0rt's and my talk at @SpecterOps's SO-CON with step-by-step guidance on how to mitigate SCCM hierarchy takeover and credential theft attacks is up! Video: Slides: More info:
@_Mayyhem
Chris Thompson
2 months
RT @_logangoins: I jumped heavily into learning about SCCM tradecraft and wrote a detailed write-up with custom examples, covering the most…
@_Mayyhem
Chris Thompson
3 months
RT @unsigned_sh0rt: Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: thanks to…
@_Mayyhem
Chris Thompson
3 months
RT @SpecterOps: Think NTLM relay is a solved problem? Think again. Relay attacks are more complicated than many people realize. Check out…
@_Mayyhem
Chris Thompson
3 months
RT @SpecterOps: New blog post just dropped! 🙌 Read the latest from @Tw1sm on how an operator can perform situational awareness steps prior…
@_Mayyhem
Chris Thompson
3 months
Had a great time speaking with @unsigned_sh0rt about SCCM attack path prevention at SO-CON yesterday! Our slides with step-by-step instructions for mitigating the most critical SCCM attacks in your environment are at
@SpecterOps
SpecterOps
3 months
Join @_Mayyhem & @unsigned_sh0rt as their talk gets underway at #SOCON2025! They are demonstrating common misconfiguration abuses & attack paths in SCCM along with step-by-step remediation guidance.
@_Mayyhem
Chris Thompson
3 months
I'm excited that my first PRs to BloodHound/SharpHound are now in main! They remove FPs for Owns/WriteOwner edges when implicit owner rights are blocked and add OwnsLimitedRights and WriteOwnerLimitedRights edges when ACEs grant permissions to the OWNER RIGHTS SID. More to come!
@SpecterOps
SpecterOps
3 months
Accurately see what permissions are exploitable in your AD environment. @_Mayyhem discusses a recent update in BloodHound that shows fewer false positives for Owns/WriteOwner edges, & introduces the new Owns/WriteOwnerLimitedRights edges. ⬇️
@_Mayyhem
Chris Thompson
4 months
RT @unsigned_sh0rt: Along with this blog, I published an update to SCCMHunter that enables credential recovery all from the admin module. N…
@_Mayyhem
Chris Thompson
4 months
Btw I misread the deadline for the SO-CON raffle (which has passed) earlier 🤦‍♂️ so deleted the original post but just confirmed that we still have t-shirts!
@_Mayyhem
Chris Thompson
4 months
Still using FOSS/Legacy BloodHound for a specific use case or feature? This survey is a great opportunity to share feedback and what matters to you most when using BloodHound CE with the dev team and snag a free t-shirt while you're at it!
@SpecterOps
SpecterOps
5 months
How does your org use #AttackPathManagement? We want to know! Take our survey to get a free BloodHound T-shirt and also enter to win a free ticket to #SOCON2025. The deadline to be entered to win the SO-CON pass is Thursday, Feb. 6 at 11:59 PT.
@_Mayyhem
Chris Thompson
4 months
RT @unsigned_sh0rt: Thanks to @synacktiv's recent posts about Kerberos and recent PR's @_dirkjan 's .
@_Mayyhem
Chris Thompson
5 months
Found a .NET method on SCCM site servers that can be called to decrypt secrets stored in the site DB a while back with @unsigned_sh0rt and @tifkin_. Another alternative to @gentilkiwi's mimikatz misc::sccm, @_xpn_'s C# gist, and @sanjivkawa's SQLRecon.