maeru
@m8r1us.bsky.social
Offensive & Defensive Security Consultant | @scipag | #RedTeam | @m8r1us on most other platforms
Reposted by maeru
Patching one technique doesn't close the entire attack vector.

dMSA abuse is still a problem, and @logangoins.bsky.social
just dropped a reality check with new tooling to prove it.

Learn more about the issue & the new BadTakeover BOF. ghst.ly/42POg9L
The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique - SpecterOps
After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still abu...
October 20, 2025 at 4:54 PM
Reposted by maeru
Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...
PingOne Attack Paths - SpecterOps
You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances.
October 20, 2025 at 5:43 PM
Reposted by maeru
Cookie theft has evolved. 🍪

Over the last year, stealing cookies on Windows devices has changed significantly for Chromium browsers like Chrome and Edge. Andrew Gomez dives into these changes, how threat actors adapt, & new detection opportunities. ghst.ly/45S1ZgW
Dough No! Revisiting Cookie Theft - SpecterOps
Explore how cookie theft has evolved in Chromium browsers with the shift from DPAPI to App-Bound encryption. This post breaks down modern cookie stealing techniques via COM, remote debugging, and exte...
August 27, 2025 at 4:55 PM
Reposted by maeru
Check out my new blog on nested app authentication.
Why should Microsoft's Nested App Authentication (NAA) be on your security team's radar? @1cemoon.bsky.social breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3
Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication - SpecterOps
In depth walkthrough for using nested app authentication (NAA), or BroCI, for offensive engagements to access information and resources.
August 13, 2025 at 4:43 PM
Reposted by maeru
During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

github.com/olafhartong/...

Slides available here:
github.com/olafhartong/...
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.
August 6, 2025 at 8:49 PM
Reposted by maeru
If you use CIS Benchmarks, I highly advise against this recommendation...

This disables cloud-delivered protection, which underpins a bunch of capabilities; it disables roughly half of your protection

Fortunately, if you enable Tamper Protection, it is forcefully enabled for you :)
August 1, 2025 at 8:12 PM
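An added example (not from the post above) of checking the settings the post is warning about on a Windows endpoint. It assumes the built-in Defender PowerShell module and an elevated shell; the mapping of "cloud-delivered protection" to the MAPSReporting preference is standard Defender behaviour, the warning text and the hashtable of level names are this example's own.

```powershell
# Added example, not from the original post.
# "Cloud-delivered protection" is the MAPSReporting preference; Tamper Protection
# state is reported by Get-MpComputerStatus. Assumes the Defender module (built
# into Windows) and an elevated shell.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced (name table is ours)
$mapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }

[pscustomobject]@{
    CloudDeliveredProtection = $mapsNames[[int]$pref.MAPSReporting]
    SampleSubmission         = $pref.SubmitSamplesConsent
    DisableBlockAtFirstSeen  = $pref.DisableBlockAtFirstSeen
    CloudBlockLevel          = $pref.CloudBlockLevel
    TamperProtected          = $status.IsTamperProtected
} | Format-List

# The combination the post describes as dangerous: MAPS off and nothing
# (Tamper Protection) forcing it back on.
if ([int]$pref.MAPSReporting -eq 0 -and -not $status.IsTamperProtected) {
    Write-Warning 'Cloud-delivered protection is disabled and Tamper Protection is not enforcing it.'
    # Remediation (admin required; with Tamper Protection enabled this is enforced anyway):
    # Set-MpPreference -MAPSReporting Advanced
}
```

Run it on a host that has had the CIS baseline applied; the interesting case is CloudDeliveredProtection reading Disabled while TamperProtected is False, which is exactly the state where the other cloud-backed features (block at first sight, cloud block level) silently stop working.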
Reposted by maeru
🚀🔎 Track Sensitive Graph API Calls with my new #KQL Function for #MicrosoftDefenderXDR

Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
July 17, 2025 at 6:43 AM
Reposted by maeru
Dive into the world of machine learning! ⚙️

Kicking off his blog series, Diego Lomellini uses Micrograd to explain core ML concepts like supervised learning, regression, classification, loss functions, & gradient descent. ghst.ly/44n3IeJ
Machine Learning Series Chapter 1 - SpecterOps
This article explores core machine learning concepts through Micrograd, a minimal autograd engine. It covers regression, classification, loss functions, gradients, and backpropagation with examples. W...
July 2, 2025 at 6:06 PM
Reposted by maeru
I have a new post out on the @netspi.bsky.social blog today. This one is on extracting sensitive information from the Azure Load Testing service. www.netspi.com/blog/technic...
Extracting Sensitive Information from Azure Load Testing
Learn how Azure Load Testing's JMeter JMX and Locust support enables code execution, metadata queries, reverse shells, and Key Vault secret extraction vulnerabilities.
July 1, 2025 at 8:47 PM
Reposted by maeru
Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...
GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline
June 28, 2025 at 4:14 AM
Reposted by maeru
How attackers move between AD domains via trusts depends on trust type & config. We're replacing the TrustedBy edge in BloodHound with new trust edges for better attack path mapping.

Check out @jonas-bk.bsky.social's blog post to learn more. ghst.ly/4lj9C5T
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...
June 25, 2025 at 11:30 PM
Reposted by maeru
In the year since Misconfiguration Manager's release, the security community has been actively researching new tradecraft & identifying new attack paths.

@subat0mik.bsky.social & @unsignedsh0rt.bsky.social dive into the research & its impact on the state of SCCM security. Read more: ghst.ly/460vI9d
Misconfiguration Manager: Still Overlooked, Still Overprivileged - SpecterOps
It has been one year since Misconfiguration Manager's release and SCCM misconfigurations remain widespread, leading to dangerous attack paths across enterprises. Here we summarize the impact and commu...
June 26, 2025 at 3:52 PM
Reposted by maeru
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
Presentations and external blogs
Dirk-jan’s personal blog, mostly containing research on topics I find interesting, such as (Azure) Active Directory internals, protocols and vulnerabilities.
June 24, 2025 at 7:12 AM
Reposted by maeru
Get the scoop on the incoming Administrator Protection for Windows 11.

@xpnsec.com covers the architecture, access controls, and why some legacy UAC bypass techniques remain effective in his latest blog post. ghst.ly/44mw5JM
Administrator Protection Review - SpecterOps
Microsoft will be introducing Administrator Protection into Windows 11. This post explores security considerations for red teamers.
June 18, 2025 at 6:34 PM
Reposted by maeru
We are VERY excited to announce that Volatility 3 has now reached feature parity with Volatility 2! With this parity release, Volatility 2 is now deprecated. Full details in the blog post linked below.
We are very excited to announce that Volatility 3 has reached parity with Volatility 2! With this achievement, Volatility 2 is now deprecated. See the full details in our blog post: volatilityfoundation.org/announcing-t...
Announcing the Official Parity Release of Volatility 3!
May 16, 2025 at 3:08 PM
Reposted by maeru
Microsoft hardened the Entra ID synchronization feature last year:
- restricted permissions on Directory Synchronization Accounts role
- new dedicated sync app
Let’s find out how sync still works 🔍
Some old tricks persist—and new ones have emerged 💥
tenable.com/blog/despite... 🧵
Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse
Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchroniza...
April 24, 2025 at 1:39 PM
Reposted by maeru
Most Microsoft tenants do not have Advanced Auditing configured correctly, and orgs only find out after it is too late :(

I tried really hard to make this as short and simple as possible. Please be nice to your IR folks and set this up, it's important ;)

nathanmcnulty.com/bl...
Comprehensive Guide to Configuring Advanced Auditing
This post provides everything you need to ensure Advanced Auditing is fully configured and auditing everything we possibly can for both existing and new users. I recently shared guidance for this via social media (see below), and it felt like a perfect time to revisit my previous posts and combine everything into one comprehensive guide :) You likely aren't collecting all available events to the Unified Audit Log First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything). Retention is based on license...
April 16, 2025 at 5:13 AM
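An added example (not from the post or the linked guide) that checks the prerequisites the post is about before you spend time on the Purview audit policy: whether Unified Audit Log ingestion is on, whether mailbox auditing is disabled org-wide, and which mailboxes have it off or bypassed. It assumes the ExchangeOnlineManagement module and an account allowed to run Connect-ExchangeOnline; the cmdlets and properties are standard Exchange Online ones, the reporting layout is this example's own.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module and an account that can run Connect-ExchangeOnline.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. If Unified Audit Log ingestion is off, nothing shows up in Purview audit search.
$ual = Get-AdminAuditLogConfig
"UnifiedAuditLogIngestionEnabled : $($ual.UnifiedAuditLogIngestionEnabled)"

# 2. Org-level switch: AuditDisabled = $true turns off mailbox auditing for every mailbox.
$org = Get-OrganizationConfig
"Org-level AuditDisabled          : $($org.AuditDisabled)"

# 3. Mailboxes where auditing is explicitly off, plus their retention (AuditLogAgeLimit).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$off = @($mailboxes | Where-Object { -not $_.AuditEnabled })
"Mailboxes with AuditEnabled=false: $($off.Count)"
$off | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit | Format-Table -AutoSize

# 4. Accounts whose actions bypass audit logging entirely (easy to forget, great for attackers).
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled | Format-Table -AutoSize

# Remediation, uncomment as needed:
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
# Set-OrganizationConfig -AuditDisabled $false
# $off | ForEach-Object { Set-Mailbox -Identity $_.Identity -AuditEnabled $true }
```

This covers the "not all events are enabled" half of the problem; the Purview audit policy and licence-dependent retention that the guide describes still have to be configured in the portal.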
Reposted by maeru
My new blog for CPR: introducing Waiting Thread Hijacking - a remote process injection technique targeting waiting threads: research.checkpoint.com/2025/waiting... #ProcessInjection
Waiting Thread Hijacking: A Stealthier Version of Thread Execution Hijacking - Check Point Research
Research by: hasherezade. Process injection is one of the important techniques used by attackers. We can find its variants implemented in almost every malware. It serves purpose...
April 14, 2025 at 6:17 PM
Reposted by maeru
Celebrating 1 year at SpecterOps, this was the first project I worked on after starting. Looking at SQL Server Transparent Data Encryption, how to bruteforce weak keys, and how ManageEngine's ADSelfService product uses TDE with a suspect key. Enjoy :) specterops.io/blog/2025/04...
The SQL Server Crypto Detour - SpecterOps
As part of my role as Service Architect here at SpecterOps, one of the things I’m tasked with is exploring all kinds of technologies to help those on assessments with advancing their engagement. Not l...
April 8, 2025 at 4:03 PM
Reposted by maeru
Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
April 8, 2025 at 11:00 PM
Reposted by maeru
KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/K...
GitHub - decoder-it/KrbRelayEx-RPC
March 14, 2025 at 10:18 AM
Reposted by maeru
#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.

Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp
Decrypting the Forest From the Trees - SpecterOps
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...
March 6, 2025 at 8:34 PM
Reposted by maeru
How are defenders leveraging SACLs to detect unauthorized access attempts? Check out our latest blog post from Alexander DeMine which dives into SACLs and introduces a new tool, SACL_Scanner, which allows you to adapt your tradecraft accordingly. ghst.ly/3D3kvbD
Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops - SpecterOps
During red team operations, stealth is a critical component. We spend a great deal of time ensuring our payloads will evade any endpoint detection and response (EDR) solution, our traffic is obfuscate...
February 20, 2025 at 8:39 PM
Reposted by maeru
Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀
February 18, 2025 at 1:12 PM
Reposted by maeru
ROADtools update: I just released roadlib v1.0! This version drops the adal dependency, all auth flows are now implemented natively 🎉 This was mostly a personal goal, but it helps with adding new features, such as forcing MFA during device code auth independent of CA policies 😀
February 7, 2025 at 2:50 PM