Logan Goins (@_logangoins)
Followers: 1K | Following: 340 | Media: 5 | Statuses: 150
Adversary Simulation @SpecterOps
United States
Joined April 2024
I feel like @YuG0rd's briefly mentioned new dMSA account takeover mechanism in his last blog didn't get enough attention. A new account takeover mechanism is on the horizon. I wrote a blog detailing it, releasing with a new BOF I wrote called BadTakeover https://t.co/fyUkDYKAeP
specterops.io
After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still...
3
43
107
Blogs are up!
Wanting more from today's #BHEU talk on SCOM? Check out this two part blog series! 1️⃣ @unsigned_sh0rt maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. https://t.co/Ai4TqTtc4O 🧵: 1/2
1
32
104
Wanting more from today's #BHEU talk on SCOM? Check out this two part blog series! 1️⃣ @unsigned_sh0rt maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. https://t.co/Ai4TqTtc4O 🧵: 1/2
specterops.io
TL;DR: SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and ultimately compromise the entire manage...
1
37
85
Amazing talk by @unsigned_sh0rt and @breakfix on SCOM… Welcome to your new DA attack primitive 🤘
1
4
45
🔥Introducing a new Red Team tool - SessionHop: https://t.co/hChhDXzhiE SessionHop utilizes the IHxHelpPaneServer COM object to hijack specified user sessions. This session hijacking technique is an alternative to remote process injection or dumping LSASS. Kudos to @tiraniddo
github.com
Windows Session Hijacking via COM. Contribute to 3lp4tr0n/SessionHop development by creating an account on GitHub.
4
81
244
Happening soon! @unsigned_sh0rt & @breakfix's talk at #BHEU will show how to abuse SCOM for credential theft, lateral movement, and domain escalation, plus how to defend it. You don't want to miss this one. https://t.co/bxW5PYyhyl
1
4
13
SCOM is one of the most deployed, but least researched, System Center products. @synzack21 breaks down how it works + how to build a lab to test new tradecraft.
specterops.io
Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom
1
45
101
Generic AD labs don’t cut it. Stop by @bagelByt3s' #BHEU Arsenal session and hear about LudusHound, a tool that rebuilds real-world AD environments using actual BloodHound data. Learn more 👉 https://t.co/HyDGactVVq
0
10
40
SCOM monitors critical systems, but insecure defaults make it a powerful attack vector. At #BHEU, @unsigned_sh0rt & @breakfix show how to abuse SCOM for credential theft, lateral movement, and domain escalation, plus how to defend it. https://t.co/bxW5PYyhyl
0
31
70
Just in time for the holidays, I wanted to share something that a lot of people have asked for: https://t.co/DfXyf2TTBp Short videos about Mythic development and customizations. This is just the start - I'll release a survey soon that'll get feedback for the next batch :)
1
18
47
@Tw1sm and I did some Extended Protection for Authentication (EPA) research to enumerate when this protection will prevent your NTLM relay attacks, across multiple protocols. We are also releasing RelayInformer - python and BOF implementations of these techniques. 🔗🧵
2
30
45
AI tooling and MCP servers are entering enterprises fast, often faster than security teams can assess the risks. During a recent engagement, @_xpn_ found a new Claude Code vuln (CVE-2025-64755) while exploring MCP abuse paths. 👀 Read the details ↓
specterops.io
This blog post explores a bug, (CVE-2025-64755), I found while trying to find a command execution primitive within Claude Code to demonstrate the risks of web-hosted MCP to a client.
0
15
50
Forgot to put the repo in the blog, my bad https://t.co/QD5eX4wqzP
github.com
CVE-2025-59501 POC code. Contribute to garrettfoster13/CVE-2025-59501 development by creating an account on GitHub.
SCCM’s AdminService uses Entra tokens without confirming the UPN exists in AD. A crafted synced UPN can let an attacker impersonate the site server. Microsoft now requires on-prem SID matching (CVE-2025-59501). Great deep dive by @unsigned_sh0rt! https://t.co/FGAHfaXHsY
0
31
84
Released my first blog post today: https://t.co/fQDVp2XKyn And released SecretHound, a BloodHound OpenGraph extension for secrets: https://t.co/tFZQOOPFBM
specterops.io
Presents a framework using technology subgraphs, decomposition, and graph abstraction to model hybrid attack paths in BloodHound OpenGraph.
0
40
110
AdminSDHolder is kinda my jam. I wrote the e-book on it. If you work with Active Directory, I highly recommend you give this a skim, or at least check the spoilers in the blog.
AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 @JimSycurity went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ https://t.co/Vo9XksEfmn
2
34
195
AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 @JimSycurity went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ https://t.co/Vo9XksEfmn
specterops.io
AdminSDHolder is an object and associated process in Active Directory Domain Services (AD DS) that helps protect specific sensitive and highly privileged accounts from being manipulated. This topic...
2
50
210
I have released an OpenGraph collector for network shares and my first blogpost at @SpecterOps on the subject! You can now visualize attack paths to network shares in BloodHound 👀 https://t.co/2e2DBIndcU
specterops.io
ShareHound is an OpenGraph collector for BloodHound CE and BloodHound Enterprise helping identify attack paths to network shares automatically.
3
93
225
Just like chocolate and peanut butter, runZero and BloodHound are an amazing combination. Today we are introducing runZeroHound - an open source toolkit for bringing runZero Asset Inventory data into BloodHound attack graphs: https://t.co/YIbFZiSb6A
5
134
599
Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover
github.com
Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover - logangoins/BadTakeover-BOF
1
16
80