Daniel Heinsen
@hotnops
Followers
1K
Following
626
Media
15
Statuses
266
doin thangs @specterops
San Diego, CA
Joined March 2020
It's alive! Apeman is a graph-based tool to model AWS IAM permissions. This marks the start of a new journey to methodically identify and remediate IAM attack paths, and I look forward to learning together with y'all.
github.com
AWS Attack Path Management Tool - Walking on the Moon - hotnops/apeman
1
68
162
This post goes more into Entra Connect tradecraft and how partially synced objects can be hijacked for cross domain attacks.
3
19
56
i'm on the internet this week. head over to to hear me talk about tokens and conditional access.
advent.cloudsecuritypodcast.tv
Presented by Cloud Security Podcast, Advent of Cloud Security is a 24 day event where we drop new video every single day.
0
6
15
A new fun way to set shadow credentials.
posts.specterops.io
This is part one in a two (maybe three…) part series regarding attacker tradecraft around the syncing mechanics between Active Directory…
0
51
117
RT @_Mayyhem: Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro ( https://t.c….
posts.specterops.io
Abusing Intune for Lateral Movement Over C2
0
129
0
RT @SpecterOps: Don't miss our next webinar w/ @hotnops, which will showcase how Apeman can quickly identify Attack Paths by solving AWS CT….
0
2
0
RT @TrustedSec: Let's take a ride in the Wayback machine! In our new #blog, @nyxgeek takes a look at time-based user enumeration in #Azure,….
trustedsec.com
0
14
0
had the opportunity to take the dry run of this class. HFS. it brings the foo.
👻 Enter the haunted halls of Identity-driven Attack Paths, where every host hides a new horror! Join our IDOT course in Oct & learn to identify & execute a wide range of elaborate attacks against both on-prem & cloud technologies. Register today:
0
1
1
Awesome blog post about a career at SpecterOps. Feel free to reach out to me directly if you have any questions at all. You can DM me here or on the Bloodhound slack.
I wrote a blog post about some of the intangible benefits of working as a red team operator and adversary simulation consultant at SpecterOps. It's pretty awesome here. And we're hiring!.
0
2
8
RT @Frichette_n: A new undocumented AWS STS API popped up! "sts:AssumeRoot". It requires you to hit an (AFAIK) undocumented endpoint but th….
0
9
0
Is it just me, or does every Entra application registration client secret have a tilde at the fifth index? Is it always 40 characters? Anyone else notice this?.
1
0
3
PSA: Apeman exposes a Neo4J panel under the hood. Here is a query to detect roles that are vulnerable to the Amplify vulnerabilities that @Frichette_n presented at Blackhat. Gist here:.
gist.github.com
Useful APEMAN Queries. GitHub Gist: instantly share code, notes, and snippets.
0
7
16
RT @_Mayyhem: Just wrapped up DEF CON Demo Labs and published Maestro, a new tool for lateral movement with Intune from C2. Thanks to every….
github.com
Abusing Azure services over C2. Contribute to Mayyhem/Maestro development by creating an account on GitHub.
0
148
0
RT @SpecterOps: Join us at #SOCON2025, happening March 31-April 1, for two days all about Attack Path Management. Register today to get 50….
0
10
0