Garrett
@unsigned_sh0rt
Followers: 2K
Following: 3K
Media: 156
Statuses: 1K
Research at @SpecterOps
Portland, OR
Joined August 2009
Non-infosec post this time. I try to stray away from talking about my personal life here as much as I can especially when it comes to my family. In November 2023 my son Oliver was diagnosed with level 3 Autism Spectrum Disorder.
The Azure AD Broker plays a key role in Entra ID sign-in & token handling, but how well do we really understand it? @winternl_t unpacks its on-disk cache, how to decode it, & the security implications.
specterops.io
This post documents the AAD Broker's storage format, how to unpack it, and discusses potential security implications.
AdminSDHolder is kinda my jam. I wrote the e-book on it. If you work with Active Directory, I highly recommend you give this a skim, or at least check the spoilers in the blog.
AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. @JimSycurity went to the source code to debunk decades of misconceptions, including ones in Microsoft's own docs. Read more: https://t.co/Vo9XksEfmn
Microsoft (kinda) deprecated DES in SCCM which caused some of the policy related tradecraft to break. The HTTP module in SCCMHunter and mssqlkaren have been updated to support AES-256. Thanks to @Blurbdust for helping get the fix into pxethief (which I stole from, ofc).
I have released an OpenGraph collector for network shares and my first blogpost at @SpecterOps on the subject! You can now visualize attack paths to network shares in BloodHound: https://t.co/2e2DBIndcU
specterops.io
ShareHound is an OpenGraph collector for BloodHound CE and BloodHound Enterprise helping identify attack paths to network shares automatically.
We have an AMA from @anyrun_app currently talking malware in /r/redteamsec if you want to join the conversation.
reddit.com
Explore this post and more from the redteamsec community
Maybe it's time to set up those terabytes of netntlmv1 rainbow tables https://t.co/NoCdsvJw8N
This is so sick @bytewreck
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more:
specterops.io
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
Ludus is so useful and makes it easy to just deploy infra for whatever random shower thought I have. But it's gotten to the point that I need asset management for my lab environments.
I feel like @YuG0rd's briefly mentioned new dMSA account takeover mechanism in his last blog didn't get enough attention. A new account takeover mechanism is on the horizon. I wrote a blog detailing it, releasing with a new BOF I wrote called BadTakeover https://t.co/fyUkDYKAeP
specterops.io
After Microsoft patched Yuval Gordon's BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still...
Check out my new blog post diving deeper into BroCI.
Microsoft introduced nested application auth (NAA) in 2024. Researchers spotted FOCI similarities & dubbed it brokered client IDs (BroCI). @Icemoonhsv documents NAA flows and BroCI, filling a gap for research on Microsoft identity protocols.
Ever been on an SCCM site server and *this* close to a DA pw that you couldn't decrypt for some reason? Check out my new blog looking at encryption in use within SCCM sites configured for High Availability and accompanying tooling to recover passwords:
ibm.com
Follow IBM X-Force as they work out the secrets to decrypting credentials vaulted by Microsoft's System Center Configuration Manager (SCCM).
We'll be in London in December to teach Adversary Tactics: Identity-Driven Offensive Tradecraft at @BlackHatEvents Europe. This course will teach you to identify new attack paths and learn the internals of and how to execute modern tradecraft.
Identity = the new attack surface. Our Identity-driven Offensive Tradecraft course teaches you to exploit auth mechanisms, cross tenants, and forge attack paths in hybrid environments. Save your spot in this course at #BHEU. Register today! https://t.co/fOhMia1IAC