Chris Thompson (@_mayyhem)'s Twitter Profile

Adversary Simulation @SpecterOps
github.com/Mayyhem

ID: 3437913971

24-08-2015 13:00:55

418 Tweets

2.2K Followers

460 Following

Chris Thompson (@_mayyhem)

Found a .NET method on SCCM site servers that can be called to decrypt secrets stored in the site DB a while back with Garrett and Lee Chagolla-Christensen. Another alternative to 🥝🏳️‍🌈 Benjamin Delpy's mimikatz misc::sccm, Adam Chester 🏴‍☠️'s C# gist, and Sanjiv Kawa's SQLRecon. github.com/subat0mik/Misc…

Garrett (@unsigned_sh0rt)

Thanks to @synacktiv's recent posts about Kerberos synacktiv.com/en/publication… and recent PRs to Dirk-jan's krbrelayx.py tool, it made me realize ELEVATE-2 is still in play where client push installation is in use.

Garrett (@unsigned_sh0rt)

Along with this blog, I published an update to SCCMHunter that enables credential recovery all from the admin module. NAAs, client push, pxe boot password, discovery accounts, Azure app creds, etc. github.com/garrettfoster1…

Chris Thompson (@_mayyhem)

I'm excited that my first PRs to BloodHound/SharpHound are now in main! They remove FPs for Owns/WriteOwner edges when implicit owner rights are blocked and add OwnsLimitedRights and WriteOwnerLimitedRights edges when ACEs grant permissions to the OWNER RIGHTS SID. More to come!

Chris Thompson (@_mayyhem)

Had a great time speaking with Garrett about SCCM attack path prevention at SO-CON yesterday! Our slides with step-by-step instructions for mitigating the most critical SCCM attacks in your environment are at github.com/subat0mik/Misc…

SpecterOps (@specterops)

New blog post just dropped! 🙌 Read the latest from Matt Creel on how an operator can perform situational awareness steps prior to making an Entra ID token request and how tokens can be effectively used once obtained. ghst.ly/4lA5Iqu

SpecterOps (@specterops)

Think NTLM relay is a solved problem? Think again. Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31

Garrett (@unsigned_sh0rt)

Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cred… Thanks to dru1d for writing a BOF out of the POC. tl;dr: get admin on PDQ box, decrypt privileged creds

Logan Goins (@_logangoins)

I jumped heavily into learning about SCCM tradecraft and wrote a detailed write-up with custom examples, covering the most interesting vulnerabilities that combine commonality and impact from low-privilege contexts, and what you can do to prevent them :) logan-goins.com/2025-04-25-scc…

Chris Thompson (@_mayyhem)

The video of Garrett's and my talk at SpecterOps's SO-CON with step-by-step guidance on how to mitigate SCCM hierarchy takeover and credential theft attacks is up! Video: youtu.be/Rc2J6fmhcJ4 Slides: github.com/subat0mik/Misc… More info: misconfigurationmanager.com

Oddvar Moe (@oddvarmoe)

Your #MDT shares might be spilling secrets like a drunk uncle at a wedding. 🍷💬 In my latest post for TrustedSec, I dig into how Red Teamers can extract creds from MDT shares — and why your MDT deployment server might need a security makeover. Read all about it here:

Yuval Gordon (@yug0rd)

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability. It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️ Read Here - akamai.com/blog/security-…

Logan Goins (@_logangoins)

I'm super happy to announce an operationally weaponized version of Yuval Gordon's BadSuccessor in .NET format! With a minimum of "CreateChild" privileges over any OU it allows for automatic escalation to Domain Admin (DA). Enjoy your inline .NET execution! github.com/logangoins/Sha…

SpecterOps (@specterops)

BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escalate privileges and take over the forest. Check out Jim Sykora's latest blog post to understand how you can mitigate risk. ghst.ly/4kXTLd9