werdhaihai
@werdhaihai.bsky.social
Adversary Simulation Consultant @SpecterOps
https://github.com/werdhaihai
Reposted by werdhaihai
Lateral movement getting blocked by traditional methods?

@werdhaihai.bsky.social just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG
DCOM Again: Installing Trouble - SpecterOps
DCOM lateral movement BOF using Windows Installer (MSI) Custom Action Server - install ODBC drivers to load and execute DLLs
ghst.ly
September 29, 2025 at 7:00 PM
Reposted by werdhaihai
Finally putting out my research from this spring. "Imitune" coming in soon to support the POC
specterops.io/blog/2025/07...
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
specterops.io
July 30, 2025 at 4:46 PM
Reposted by werdhaihai
Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
ghst.ly
July 30, 2025 at 5:01 PM
Reposted by werdhaihai
I published two blog posts today! 📝🐫

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read 🥳
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...
specterops.io
June 25, 2025 at 10:14 AM
Reposted by werdhaihai
Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
April 8, 2025 at 11:00 PM
Reposted by werdhaihai
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖

medium.com/specter-ops-...
An Operator’s Guide to Device-Joined Hosts and the PRT Cookie
Introduction
medium.com
April 7, 2025 at 4:34 PM
Super excited to be speaking at SO‑CON 2025 on March 31st with my coworker Lance Cain. We’re diving into an example attack path from real-life red team assessments by Lance Cain, Dan Mayer, myself, and the entire @specterops.bsky.social crew. specterops.io/so-con/ #SOCON2025 #redteam
March 22, 2025 at 5:38 PM
Reposted by werdhaihai
The Mythic family continues to grow! Another cool Windows agent written in C that already has COFF execution! Be sure to check it out and their blog series on it c0rnbread.com/creating-myt...
x.com/0xC0rnbread/...
March 12, 2025 at 1:35 PM
Reposted by werdhaihai
#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.

Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp
Decrypting the Forest From the Trees - SpecterOps
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...
ghst.ly
March 6, 2025 at 8:34 PM
Reposted by werdhaihai
BIG NEWS: SpecterOps raises $75M Series B to strengthen identity security! Led by Insight Partners with Ansa Capital, M12, Ballistic Ventures, Decibel, and Cisco Investments. ghst.ly/seriesb

#IdentitySecurity #CyberSecurity

(1/6)
March 5, 2025 at 5:33 PM
Reposted by werdhaihai
Many in the Mythic Community have asked for a way to standardize BOF/.NET execution within Mythic Agents. Today I'm releasing Forge, a new Mythic container to do just that: posts.specterops.io/forging-a-be...
We're starting off with default support for Apollo and Athena. Check it out! :)
February 5, 2025 at 3:10 PM
Reposted by werdhaihai
This post goes more into Entra Connect tradecraft and how partially synced objects can be hijacked for cross domain attacks.
posts.specterops.io/entra-connec...
Entra Connect Attacker Tradecraft: Part 2
Now that we know how to add credentials to an on-premises user, let's pose a question:
posts.specterops.io
January 22, 2025 at 5:43 PM
Reposted by werdhaihai
What does the road to becoming a Specter look like? In his latest blog post, @subat0mik.bsky.social provides a high level overview of how we approach recruiting consultants, demystifying the process along the way from application review through interviews. ghst.ly/3PQeuSh
Life at SpecterOps Part II: From Dream to Reality
We’re hiring consultants; check out this overview of our recruiting process!
ghst.ly
January 21, 2025 at 5:48 PM
Reposted by werdhaihai
Following my prev tweet, my Kerberos MITM relay/forwarder is almost finished! It targets for example insecure DNS updates in AD, allowing DNS name forgery. It intercepts, relays, and forwards traffic, with the client unaware. Currently supporting smb->smb and smb->http (adcs)
November 20, 2024 at 11:21 AM
Reposted by werdhaihai
Was doing some digging "What's New" in Server2025 learn.microsoft.com/en-us/window... specifically the changes to pre-2k machines. Oddvar and I had spoken previously about the changes being solid and demonstrated pre-created machines in ADUC could no longer be set with a default password.
November 15, 2024 at 5:25 AM
Reposted by werdhaihai
The CFP for #SOCON2025 closes TOMORROW!
We are accepting talks focused on identity-based security and Attack Paths. Submit yours today!

➡️ ghst.ly/cfp-socon25
November 14, 2024 at 10:33 PM
Python implementation of some remote modules from Seatbelt by @0xthirteen

github.com/0xthirteen/C...
GitHub - 0xthirteen/Carseat: Python implementation of GhostPack's Seatbelt situational awareness tool
Python implementation of GhostPack's Seatbelt situational awareness tool - 0xthirteen/Carseat
github.com
November 12, 2024 at 9:08 PM
Anyone read Cory Doctorow's Red Team Blues yet? Curious to hear thoughts and opinions on it.
November 7, 2024 at 4:05 PM