hotnops
@hotnops.bsky.social
Does stuff at @specterops
Cloud security research
Cloud security research
Reposted by hotnops
Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...
PingOne Attack Paths - SpecterOps
You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances.
specterops.io
October 20, 2025 at 5:43 PM
Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...
Reposted by hotnops
The AD CS security landscape keeps evolving, and so does our tooling. 🛠️
Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI
Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI
Certify 2.0 - SpecterOps
Certify 2.0 features a suite of new capabilities and usability enhancements. This blogpost introduces changes and features additions.
ghst.ly
August 11, 2025 at 8:38 PM
The AD CS security landscape keeps evolving, and so does our tooling. 🛠️
Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI
Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI
Reposted by hotnops
Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍
Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA
Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA
What’s Your Secret?: Secret Scanning by DeepPass2 - SpecterOps
Discover DeepPass2 - a secret scanning tool combining BERT-based model and LLMs to detect free-form passwords, and other structured tokens and secrets with high accuracy.
ghst.ly
July 31, 2025 at 5:36 PM
Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍
Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA
Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA
The best creds are the ones you simply ask for =)
specterops.io/blog/2025/07...
specterops.io/blog/2025/07...
July 31, 2025 at 4:02 PM
The best creds are the ones you simply ask for =)
specterops.io/blog/2025/07...
specterops.io/blog/2025/07...
Finally putting out my research from this spring. "Imitune" coming in soon to support the POC
specterops.io/blog/2025/07...
specterops.io/blog/2025/07...
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
specterops.io
July 30, 2025 at 4:46 PM
Finally putting out my research from this spring. "Imitune" coming in soon to support the POC
specterops.io/blog/2025/07...
specterops.io/blog/2025/07...
If you're a #bloodhound user, JD's bloodhound operator is invaluable. Now with opengraph cmdlets!
github.com/SadProcessor...
github.com/SadProcessor...
GitHub - SadProcessor/BloodHoundOperator: BloodHound PowerShell client
BloodHound PowerShell client. Contribute to SadProcessor/BloodHoundOperator development by creating an account on GitHub.
github.com
July 30, 2025 at 2:55 PM
If you're a #bloodhound user, JD's bloodhound operator is invaluable. Now with opengraph cmdlets!
github.com/SadProcessor...
github.com/SadProcessor...
Reposted by hotnops
Looks like the Entra QR code authentication method is going GA 🥳
They've also added some great guidance on suppressing the camera permission prompt for iOS :)
learn.microsoft.com/...
They've also added some great guidance on suppressing the camera permission prompt for iOS :)
learn.microsoft.com/...
July 24, 2025 at 11:30 PM
Looks like the Entra QR code authentication method is going GA 🥳
They've also added some great guidance on suppressing the camera permission prompt for iOS :)
learn.microsoft.com/...
They've also added some great guidance on suppressing the camera permission prompt for iOS :)
learn.microsoft.com/...
Reposted by hotnops
Part 8053 of eleventy billion on our path to killing NTLM: way way way way way better auditing.
support.microsoft.com/en-us/topic/...
support.microsoft.com/en-us/topic/...
Overview of NTLM auditing enhancements in Windows 11, version 24H2 and Windows Server 2025 - Microsoft Support
Summary of new auditing features and deployment details
support.microsoft.com
July 13, 2025 at 4:35 PM
Part 8053 of eleventy billion on our path to killing NTLM: way way way way way better auditing.
support.microsoft.com/en-us/topic/...
support.microsoft.com/en-us/topic/...
Reposted by hotnops
I publish two blog posts today! 📝🐫
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...
specterops.io
June 25, 2025 at 10:14 AM
I publish two blog posts today! 📝🐫
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
Reposted by hotnops
My second post for the month is now live 🎉
Get the scoop on the incoming Administrator Protection for Windows 11.
@xpnsec.com covers the architecture, access controls, and why some legacy UAC bypass techniques remain effective in his latest blog post. ghst.ly/44mw5JM
@xpnsec.com covers the architecture, access controls, and why some legacy UAC bypass techniques remain effective in his latest blog post. ghst.ly/44mw5JM
Administrator Protection Review - SpecterOps
Microsoft will be introducing Administrator Protection into Windows 11. This post explores security considerations for red teamers.
ghst.ly
June 18, 2025 at 6:54 PM
My second post for the month is now live 🎉
New tricks, same impact
posts.specterops.io/update-dumpi...
posts.specterops.io/update-dumpi...
Update: Dumping Entra Connect Sync Credentials
Recently, Microsoft changed the way the Entra Connect Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials…
posts.specterops.io
June 9, 2025 at 6:21 PM
New tricks, same impact
posts.specterops.io/update-dumpi...
posts.specterops.io/update-dumpi...
Reposted by hotnops
A little over a year ago I published research on how you could leverage non-production AWS API endpoints to enumerate permissions without logging to CloudTrail. A year later...I'm still finding them. Red Teamers, these can be super useful and really up your game!
June 2, 2025 at 1:35 PM
A little over a year ago I published research on how you could leverage non-production AWS API endpoints to enumerate permissions without logging to CloudTrail. A year later...I'm still finding them. Red Teamers, these can be super useful and really up your game!
Reposted by hotnops
May 22, 2025 at 12:31 AM
Reposted by hotnops
Did you miss #SOCON2025? Did you have a favorite talk you'd like to rewatch?
🎥 All presentations from SO-CON 2025 are now live at ghst.ly/socon25-talks.
💻 Slides for each talk are available at ghst.ly/socon25-slides.
🎥 All presentations from SO-CON 2025 are now live at ghst.ly/socon25-talks.
💻 Slides for each talk are available at ghst.ly/socon25-slides.
May 19, 2025 at 4:34 PM
Did you miss #SOCON2025? Did you have a favorite talk you'd like to rewatch?
🎥 All presentations from SO-CON 2025 are now live at ghst.ly/socon25-talks.
💻 Slides for each talk are available at ghst.ly/socon25-slides.
🎥 All presentations from SO-CON 2025 are now live at ghst.ly/socon25-talks.
💻 Slides for each talk are available at ghst.ly/socon25-slides.
Reposted by hotnops
Application Based Authentication on Microsoft Entra Connect Sync is near. With this change you will be able to use a TPM backed certificate in Entra Connect Sync for authentication.
This is a welcome change to prevent the compromise of this high privileged account.
#Entra #Certificate
This is a welcome change to prevent the compromise of this high privileged account.
#Entra #Certificate
May 2, 2025 at 6:52 AM
Application Based Authentication on Microsoft Entra Connect Sync is near. With this change you will be able to use a TPM backed certificate in Entra Connect Sync for authentication.
This is a welcome change to prevent the compromise of this high privileged account.
#Entra #Certificate
This is a welcome change to prevent the compromise of this high privileged account.
#Entra #Certificate
Reposted by hotnops
Did you know you can send LAPS passwords to Entra on Server OS? Neither did @adamgrosstx.bsky.social or I until yesterday! Just need to hybrid join the server(s) and set the GPO to backup to "AAD"! Neat!
April 30, 2025 at 12:33 AM
Did you know you can send LAPS passwords to Entra on Server OS? Neither did @adamgrosstx.bsky.social or I until yesterday! Just need to hybrid join the server(s) and set the GPO to backup to "AAD"! Neat!
Can you use the on-behalf-of flow to bypass conditional access policies? If the middleware app satisfies conditional access, can it exchange an access token to an otherwise blocked backend resource? It turns out... no. No it can't. The CAP will kick in when the middleware app uses the OBO flow.
April 25, 2025 at 4:08 AM
Can you use the on-behalf-of flow to bypass conditional access policies? If the middleware app satisfies conditional access, can it exchange an access token to an otherwise blocked backend resource? It turns out... no. No it can't. The CAP will kick in when the middleware app uses the OBO flow.
Reposted by hotnops
A new dedicated resource application to enable Active Directory to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync is coming 😱
In the announcement the mentioned reason is "upcoming security hardening"...
6bf85cfa-ac8a-4be5-b5de-425a0d0dc016
#EntraID
In the announcement the mentioned reason is "upcoming security hardening"...
6bf85cfa-ac8a-4be5-b5de-425a0d0dc016
#EntraID
January 6, 2025 at 6:29 PM
A new dedicated resource application to enable Active Directory to Microsoft Entra ID sync using Microsoft Entra Connect Sync or Cloud Sync is coming 😱
In the announcement the mentioned reason is "upcoming security hardening"...
6bf85cfa-ac8a-4be5-b5de-425a0d0dc016
#EntraID
In the announcement the mentioned reason is "upcoming security hardening"...
6bf85cfa-ac8a-4be5-b5de-425a0d0dc016
#EntraID
Reposted by hotnops
🚨 Join the #PeoplesMovement this Saturday #April19 for a National Day of Action!
Yes, people will be in the streets again. Others will be organizing food drives, volunteering at shelters, hosting teach-ins, and more.
Hundreds of events are already listed at www.FiftyFifty.one/events.
Yes, people will be in the streets again. Others will be organizing food drives, volunteering at shelters, hosting teach-ins, and more.
Hundreds of events are already listed at www.FiftyFifty.one/events.
April 16, 2025 at 4:56 PM
🚨 Join the #PeoplesMovement this Saturday #April19 for a National Day of Action!
Yes, people will be in the streets again. Others will be organizing food drives, volunteering at shelters, hosting teach-ins, and more.
Hundreds of events are already listed at www.FiftyFifty.one/events.
Yes, people will be in the streets again. Others will be organizing food drives, volunteering at shelters, hosting teach-ins, and more.
Hundreds of events are already listed at www.FiftyFifty.one/events.
Reposted by hotnops
Understanding Windows access tokens could be your best defense. At @cackalackycon.bsky.social, @atomicchonk.bsky.social will be peeling back the layers on potato exploits that threat actors use for privilege escalation.
Check out the schedule to learn more ➡️ ghst.ly/4jzjlnI
Check out the schedule to learn more ➡️ ghst.ly/4jzjlnI
April 18, 2025 at 4:33 PM
Understanding Windows access tokens could be your best defense. At @cackalackycon.bsky.social, @atomicchonk.bsky.social will be peeling back the layers on potato exploits that threat actors use for privilege escalation.
Check out the schedule to learn more ➡️ ghst.ly/4jzjlnI
Check out the schedule to learn more ➡️ ghst.ly/4jzjlnI
Reposted by hotnops
Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cr... thanks to
@dru1d.bsky.social for writing a BOF out of the POC
tl;dr get admin on PDQ box, decrypt privileged creds
@dru1d.bsky.social for writing a BOF out of the POC
tl;dr get admin on PDQ box, decrypt privileged creds
Decrypting PDQ credentials | unsigned_sh0rt's blog
Walkthrough of how PDQ credentials encrypts service credentials
unsigned-sh0rt.net
April 11, 2025 at 9:09 PM
Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cr... thanks to
@dru1d.bsky.social for writing a BOF out of the POC
tl;dr get admin on PDQ box, decrypt privileged creds
@dru1d.bsky.social for writing a BOF out of the POC
tl;dr get admin on PDQ box, decrypt privileged creds
Reposted by hotnops
Everybody’s using AI assistants and tools these days, but do most of us understand how our text-based input is being interpreted and processed? Check out my latest blog post for a basic intro to text interpretation by AI assistants. www.corgi-Corp.com/post/tokeniz...
Tokenizing the Sandwich Debate: How NLP Models Weigh In on Hot Dogs
Get the gist for Natural Language Processing (NLP) and how tokenization plays a factor
www.corgi-Corp.com
April 7, 2025 at 3:04 PM
Everybody’s using AI assistants and tools these days, but do most of us understand how our text-based input is being interpreted and processed? Check out my latest blog post for a basic intro to text interpretation by AI assistants. www.corgi-Corp.com/post/tokeniz...
Reposted by hotnops
Think NTLM relay is a solved problem? Think again.
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
April 8, 2025 at 11:00 PM
Think NTLM relay is a solved problem? Think again.
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
Reposted by hotnops
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖
medium.com/specter-ops-...
medium.com/specter-ops-...
An Operator’s Guide to Device-Joined Hosts and the PRT Cookie
Introduction
medium.com
April 7, 2025 at 4:34 PM
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖
medium.com/specter-ops-...
medium.com/specter-ops-...
Reposted by hotnops
1 year anniversary at SpecterOps, so many personal and professional achievements in a short space of time. My advice for anyone getting into this field, try and make sure that you work companies and colleagues that push you beyond your comfort level. \o/
April 6, 2025 at 5:17 PM
1 year anniversary at SpecterOps, so many personal and professional achievements in a short space of time. My advice for anyone getting into this field, try and make sure that you work companies and colleagues that push you beyond your comfort level. \o/