Check out my latest research "Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory". New attack techniques and live 0days inside. MSRC’s response: "this is not an issue which will be addressed via a security update".

RT @0xthirteen: I wanted to find out if you could start the WebClient service remotely, so I ended up digging into it .

Join millions who have switched to Grok.

RT @SpecterOps: Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service r….

RT @SpecterOps: The DSInternals PowerShell module just got an upgrade! 🔥. Updates include:.✅ Golden dMSA Attack.✅ Full LAPS support.✅ Trust….

RT @SpecterOps: We are breaking down our State of Attack Path Management report. Join @jaredcatkinson, @AndrewChiles, & @elad_shamir as th….

RT @SpecterOps: The AD CS security landscape keeps evolving, and so does our tooling. 🛠️. @bytewreck drops info on Certify 2.0, including a….

RT @SpecterOps: Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and….

RT @_logangoins: I'm super happy to announce an operationally weaponized version of @YuG0rd's BadSuccessor in .NET format! With a minimum o….

NTLM relay is still a major threat and is now even easier to abuse. We just added new NTLM relay edges to BloodHound to help defenders fix and attackers think in graphs. Read my detailed post - the most comprehensive guide on NTLM relay & the new edges:.

RT @SpecterOps: Think NTLM relay is a solved problem? Think again. Relay attacks are more complicated than many people realize. Check out….

RT @__mez0__: Attended this remotely for Identity-Driven Offensive Tradecraft from @elad_shamir. 10/10 course, the @SpecterOps team had ins….

RT @SpecterOps: The CFP for #SOCON2025 is now open! 🙌. If you have an idea for a talk delving into the complexities of identifying, executi….

RT @_Mayyhem: If you liked RTO from @SpecterOps or have attack/defense experience, check out the continuation, Identity-driven Offensive Tr….

RT @SpecterOps: New blog post just dropped! 😎. In this installment of our blog series on Identity-Driven Offensive Tradecraft, @elad_shamir….

RT @jaredcatkinson: Yesterday, I wrote a thread describing the ESXi vulnerability and how you can use BloodHound's Attack Path Management a….

Check out my latest blog post, "The Security Principle Every Attacker Needs to Follow", in which I lay the foundation for a framework for discovering attack paths, including those that BloodHound can't find yet.

RT @SpecterOps: Kicking this week off with a new blog post from @elad_shamir introducing our new Identity-Driven Offensive Tradecraft train….

RT @jaredcatkinson: My On Detection series continues. In part 14 I look at a “special” subset of operations that require a bit more detail….

RT @jaredcatkinson: I've released another post in my On Detection series. This edition builds on the previous post where I introduced "exec….

RT @jaredcatkinson: My On Detection series is back! In this edition I explore how the same behavior (operation chain) can be implemented us….

RT @harmj0y: It's a big day- @tifkin_, @0xdab0, and I are proud to announce that Nemesis 1.0.0 has landed! We have a ton of awesome new fea….