Will Schroeder
@harmj0y
Followers
47K
Following
1K
Media
150
Statuses
6K
Researcher @SpecterOps. Coding towards chaotic good while living on the decision boundary.
Joined August 2012
Active Directory forests are no longer a security boundary thanks to @tifkin_'s printer bug. Check out for weaponization and mitigation details and @Cyb3rWard0g's post for detection guidance
19
787
1K
So excited - here's my updated "Guide to Attacking Domain Trusts" ! Was a blast to write.
12
597
949
Y’all knew it was just a matter of time : ) PowerShell is definitely a "gateway drug" to C# - GhostPack is a collection of new security tools (currently C#) details at , code live at
27
377
649
If you're interested in Kerberos or Active Directory and haven't read @elad_shamir's "Wagging the Dog" post, do yourself a favor and dive in. You won't regret it.
5
244
542
Hey, do you like tokens? Have you always wanted to "harvest" tokens for offensive purposes? If so check out my new post where I show I can (finally) write a technical post without memes, and then check out the Koh toolset at
14
260
551
"Operational Guidance for Offensive User DPAPI Abuse" documenting some of the ways to use Mimikatz to play with DPAPI. Thanks @gentilkiwi for all the awesome features! :).
4
338
496
The offensive security community means a lot to me. Following @Antonlovesdnb's great thread that injected some much needed infosec positivity, I wanted to highlight a few (offensive-ish) posts/talks that my team and myself enjoyed over the last year or so.
4
206
480
Finally the end of a very fun ride- I've merged Dev to Master for PowerSploit and marked the project as no longer supported. Offensive PowerShell was how I started my career, and I owe @obscuresec and @mattifestation a debt of gratitude for bringing me in. [1/3].
9
93
452
Have a big post dropping tomorrow, probably one of the more important things I’ve written so far in my career. Should be fun :).
27
50
396
I promise I'm not dead! New blog: "Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy"
9
277
369
Hey, I heard you like creds! You might like this adaptation of some of @gentilkiwi's DPAPI Mimikatz work: ("Troopers Edition"). Unfamiliar with DPAPI? Check out . Also, @gentilkiwi was right:
1
176
352
Thanks for everyone for coming to @tifkin_, @enigma0x3, and my @DerbyCon talk "The Unintended Risks of Trusting Active Directory"! The slides are up at and the printer bug code is live at
5
158
334
Finally finished drafting my "Guide to Attacking Domain Trusts" post. At 8000+ words, not sure if anyone will read it, but out next week :).
21
42
318
Nothing revolutionary, but revisiting one of our favorite TTPs in depth, explaining some of the "weird" behavior we've seen in the last few years. Includes details on recent Rubeus kerberoasting enhancements!
4
154
310
[Blog] "Hunting With Active Directory Replication Metadata" hunting for malicious attack primitives w/ repl metadata.
3
228
306
[blog/tool] "From Kekeo to Rubeus" - my journey in reimplementing various aspects of @gentilkiwi's #kekeo project. Code is live at !.
6
222
299
Good news everyone! Rubeus 2.0 is coming _very_ soon, with massive improvements and new features from @exploitph and @_EthicalChaos_ . They've worked hard to bring us all some new fun :)
4
71
292
Nothing fancy but found in my notes- some Cobalt Strike situational awareness commands using native CS builtins
4
128
288
The code that @tifkin_ , @enigma0x3, and I built for our ‘The Unintended Risks of Trusting Active Directory’ talk is now up at !.
5
140
288
Just released SharpDPAPI v 1.6.0. Landed @lefterispan's PR to incorporate /password:X for masterkey decryption, and integrated the new Chrome v80+ AES key stuff from @djhohnstein's SharpChrome project. Chrome triage is back on the table!
2
125
290
I've been working on machine learning for a while now. After two years, I think I'm finally starting to (maybe) emerge from the "Valley of Despair". Should have some fun stuff coming out soon!
16
24
266
For anyone interested, SharpDPAPI/SharpChrome have had some recent mods, including KeePass ProtectedUserKey.bin decryption, a revamp for certificate extraction (including CNG support), and lots of usability updates. Changelog (as always) at
2
109
269
Rubeus 1.6.0 is out! I had pretty much nothing to do with the new functionality- all @exploitph and @_EthicalChaos_'s awesome work. Writeup on changes at . More detail on @exploitph's #opsec changes is at
1
108
267
This is an amazing thread for anyone interested in AD and/or kerberos!.
[thread 🧵] Kerberos basics & (ab)use of Certificates within Active Directory (i.e. AD CS and PKINIT). - Kerberos 101.- Pass-the-Certificate.- UnPAC-the-Hash.- Shadow Credentials.- AD CS escalation (ESC1 to ESC8). (Links and credits at the end)
2
78
254
Here's first post on my journey into security-focused machine learning, "Learning Machine Learning Part 1: Introduction and Revoke-Obfuscation" Huge shoutout to @danielhbohannon and @Lee_Holmes on blazing the way on this problem set!.
10
101
246
Nothing fancy, but dug this out of the archives in case anyone else needs to PTH to RDP . tl;dr uses the StdRegProv WMI class to enable Restricted Admin Mode on a remote system you have admin on. The code isn't great but it's functional 👍.
3
77
242
"Command and Control Using Active Directory" with PoC code at
4
199
232
"Another Word on Delegation" - abusing resource-based constrained delegation to take over computer objects. Thanks to @elad_shamir for the idea and Rubeus addition!.
1
166
237
The detailed breakdown of the remote reg DACL modification work from @tifkin_, @enigma0x3, and myself - "Remote Hash Extraction On Demand Via Host Security Descriptor Modification"
3
159
231
"The Most Dangerous User Right You (Probably) Have Never Heard Of" a follow on to the constrained delegation post.
5
193
226
Thank you @WEareTROOPERS for another amazing experience! The slides for @tifkin_'s and my "Not a Security Boundary: Breaking Forest Trusts" talk are up at demo video at blog at
0
118
227
Few goodies for everyone today- first a PowerSploit cheat sheet
3
152
226
The third post in my adversarial ML series "Learning Machine Learning Part 3: Attacking Black Box Models" is now up at and the Invoke-Evasion repo has been updated with the associated Jupyter notebooks/samples
3
97
217
[blog] a bit of a niche topic, but here's "A Pentester’s Guide to Group Scoping"
2
153
220
thinking of releasing Azure build scripts to create the reference trust architecture used in my "Guide to Attacking Domain Trusts" post - any interest?.
34
62
227
The second post in my "PowerView PowerUsage" series, mapping computer shortnames with the global catalog
0
126
216
the updated slides for @_wald0's and my @BlackHatEvents/@defcon presentation "An ACE Up the Sleeve" are now up at
2
141
215
The fourth post in my "PowerView PowerUsage" series - covers enumerating cross-trust DACLs/ACEs.
1
160
208
Thanks for the warm welcome @Sp4rkCon ! The slides for @tifkin_ , @enigma0x3, and my presentation "The Unintended Risks of Trusting Active Directory" are now up at
2
118
208
I usually don't share a lot of personal details on Twitter- this past fall my mom died from a rare brain disease and the @ASPCA was one of her favorite causes. Andy/the BH team let me choose them for the charity drive in her honor. Thank you to all who grab a shirt <3.
The #BloodHoundEnterprise team presents: #BloodHound 4.1!. Highlights for this release in this thread 🧵:. With this release, we are selling this limited edition BloodHound shirt. All profits from the sales of this shirt will be donated to the @ASPCA:
21
25
202
"Building an EmPyre with Python" - a Python-based Empire-like agent with a focus on OS X post-exploitation.
9
168
194
Wheels down in Vegas, not sure we brought enough stickers :)
17
18
188
GUYS, THIS IS WHO I GET TO WORK WITH EVERYDAY AND RAPHAEL MUDGE IS MY BOSS, I DON’T KNOW HOW THIS HAPPENED.
20
21
177
"A Case Study in Wagging the Dog: Computer Takeover" - another example of @elad_shamir's recent resource-based constrained delegation work!.
1
101
188
note to anyone I chatted with in Vegas- pdfs of cheatsheets for PowerView/PowerUp/PowerSploit/Empire/Beacon are at
2
141
174
Proud to announce that I've been renewed as a Microsoft MVP!.
13
2
181
[Blog] Roasting AS-REPs how to abuse accounts w/o Kerberos preauth enabled, basic toolset at
2
135
173
My second post in my adversarial ML series "Learning Machine Learning Part 2: Attacking White Box Models" is now up at and the Invoke-Evasion repo has been updated with the Jupyter notebooks/samples from the post
3
70
175
I finally landed @exploitph's new `nopac` Rubeus goodness landed in master! Check out his writeup at if you haven't already 👍.
0
59
173
I love working with people smarter than myself who are convinced they are surrounded by people smarter than themselves, keeps ya grounded.
4
52
165
The slides from my @BlueHatIL talk "The Travelling Pentester: Diaries of the Shortest Path to Compromise" are up at
2
132
169
Version 0.2.0 of Seatbelt, summary of changes at . A few fun new goodies!
2
79
159
Pushed a new Rubeus release after getting some additional feedback from our most recent AT:RTO students. The full changes are detailed here . To highlight a few new features- "/nowrap" globally prevents base64 blobs from line-wrapping, (1/4).
2
82
162
Very cool Kerberoasting implementation using LsaCallAuthenticationPackage, all through a macro
3
53
159
[Blog] "Offensive Encrypted Data Storage (DPAPI edition)" nothing too fancy, but might be interesting to some.
2
104
156
I've built out a series of cheat sheets for PowerView, PowerUp, and Empire PDFs at
0
117
154
The demo videos from @tifkin_ , @enigma0x3 , and my #DerbyCon2018 talk "The Unintended Risks of Trusting Active Directory" are up at and , and the video recording is at
0
85
154
Where My Admins At? (GPO Edition) aka enumerating what users have admin rights where with only DC communications.
3
131
150
I missed this post when it first dropped but it's a really neat trick! Why is this useful? Say you're in domain A, and A -external_trust-> B -any_trust-> C. Because external trusts don't have transitivity, you can't query/kerberoast/etc. domain C [1/4].
1
53
155
the next in the "PowerView PowerUsage" series searching for abusable GPOs in a foreign domain.
1
100
148
One more new feature for Rubeus 1.2.0 - MS kpasswd resets a la ArotoPW … Post on all the new fun at … Thanks again for #kekeo @gentilkiwi! <3.
0
92
145
Sidenote for anyone interested, instructions on using Rubeus as a library and/or running Rubeus through PowerShell are now up on the
0
54
135
In case you missed it, @exploitph and @4ndr3w6S just released some _awesome_ work that just landed into Rubeus' master branch- "Diamond Tickets"! Check out more details at Great work Charlie and Andrew!!.
3
62
136
The slides for @tifkin_'s and my #BlackHatEurope 2021 talk "ReCertifying Active Directory" about securing Active Directory Certificate Services are up at . Thanks to everyone who attended!.
1
78
131
@Antonlovesdnb @elad_shamir To continue, @_xpn_'s entire blog. The breadth and depth of Adam's work is truly amazing, but if I had to pick a favorite recent post(s) it would be his articles on Mimikatz internals: and
2
31
130
Finally got des_cbc_md5 and aes128_cts_hmac_sha1 support fully integrated into Rubeus so @gentilkiwi would stop being disappointed in me :) Also have some recent Kerberoasting modifications I'll be blogging about soon!.
1
44
127
The BloodHound slack ( isn't just BloodHound- we have rooms for Aggressor, CrackMapExec, PowerView, and more!.
3
42
123
Just updated Rubeus' README - updated all examples, organized all the commands (+command breakouts), and added a table of contents. Hope people find it useful!
2
42
117
