Duane Michael (@subat0mik)'s Twitter Profile

Adversary Simulation Operator, Researcher, Teacher, Leader @SpecterOps

ID: 994808635812347904

Joined: 11-05-2018 05:17:16

577 Tweets

1.1K Followers

506 Following

Garrett (@unsigned_sh0rt):

I pushed updates to SCCMHunter as part of my Arsenal demo at #BHUSA today! New features include a relay module for TAKEOVER-5 and a community contribution to coerce client push from a *nix host for ELEVATE-2. github.com/garrettfoster1….

Garrett (@unsigned_sh0rt):

WSFC misconfigurations can turn your domain into one big fustercluck. I'm sharing fustercluck today as part of my #BHUSA presentation. The README summarizes the issues and a detailed blog is coming soon. github.com/garrettfoster1…

SpecterOps (@specterops):

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️ Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI

SpecterOps (@specterops):

Why should Microsoft's Nested App Authentication (NAA) be on your security team's radar? Hope Walker breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3

Logan Goins (@_logangoins):

I just documented a cool way to authenticate proxied tooling to LDAP in an AD environment using C2 payload auth context, without stealing any tickets or hashes! Keep tooling execution off-host and away from EDR on your Red Team assessments! specterops.io/blog/2025/08/2…

SpecterOps (@specterops):

There's no one-size-fits-all C2 framework. That's why Cody Thomas spent 7 years building Mythic, & learning lessons along the way. Join Cody at Munich Cyber Tactics, Techniques and Procedures, where he will share the tips & tricks every red teamer needs to hear. Learn more: ghst.ly/4mGUBw2

Duane Michael (@subat0mik):

Added CRED-8 to Misconfiguration Manager, which is Garrett's MP relay to dump machine policy secrets. MM link: github.com/subat0mik/Misc… Blog link: specterops.io/blog/2025/07/1…

SpecterOps (@specterops):

Lateral movement getting blocked by traditional methods? werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG

SpecterOps (@specterops):

What happens when the User-Account-Restrictions property gets misconfigured? Spoiler: It's not good. From account compromise to full domain takeover, Garrett breaks down why this permission set is more dangerous than most realize. ghst.ly/4mKgycH

SpecterOps (@specterops):

SCCM is one of the most relied-on enterprise tools, but that legacy comes with risk. Join Garrett this Friday at #BSidesPDX as he discusses how attackers can abuse #SCCM Entra integrations to gain admin access. ➡️ ghst.ly/3L4nkwG

SpecterOps (@specterops):

Don't miss this one. 👀 Nick Powers & Matt Creel are sharing techniques to better inform your NTLM relays and discussing RelayInformer, an open-source project that identifies EPA enforcement across the majority of popular NTLM relay targets. Save your spot 👉 ghst.ly/web-oct-tw

SpecterOps (@specterops):

Credential Guard was supposed to end credential dumping. It didn't. Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm

SpecterOps (@specterops):

NTLM relay research is evolving! Join Nick Powers & Matt Creel TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols. Grab your spot → ghst.ly/web-oct-tw

Rémi GASCOU (Podalirius) (@podalirius_):

I have released an OpenGraph collector for network shares and my first blogpost at SpecterOps on the subject! You can now visualize attack paths to network shares in BloodHound 👀 specterops.io/blog/2025/10/3…