Logan Goins (@_logangoins)'s Twitter Profile
Logan Goins

@_logangoins

Offensive Security Consultant Co-op, IBM X-Force Red

ID: 1781163077980860416

https://logan-goins.com 19-04-2024 03:29:10

29 Tweet

886 Followers

110 Following

Yuval Gordon (@yug0rd)

Many missed this on #BadSuccessor: it’s also a credential dumper. I wrote a simple PowerShell script that uses Rubeus to dump Kerberos keys and NTLM hashes for every principal - krbtgt, users, machines. No DCSync required, no code execution on DC.

LuemmelSec (@theluemmel)

Extended on Logan Goins' work for BadProcessor
Fully native PowerShell
Domain joined or not doesn't matter
Check DCs
Check ACLs
Nice gridview
Create weaponized dmsa

The tool now helps in detection / mitigation and attacking
github.com/LuemmelSec/Pen…

SpecterOps (@specterops)

BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escalate privileges and take over the forest. Check out Jim Sykora's latest blog post to understand how you can mitigate risk. ghst.ly/4kXTLd9

SpecterOps (@specterops)

Ready to level up your offensive security career? 📈 Join our Consulting Services team as a Senior Offensive Security Consultant doing what you love: red teaming, penetration testing, capability assessments, and research. Learn more & apply today: ghst.ly/3PBmGFZ

SpecterOps (@specterops)

Recently, Microsoft changed the way the Entra Connect Sync agent authenticates to Entra ID. Check out our latest blog post from Daniel Heinsen to learn how the agent works now & how these changes affect attacker tradecraft. ghst.ly/3ZpMc6y

RedTeam Pentesting (@redteampt)

🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live: 🪞 The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos: blog.redteam-pentesting.de/2025/reflectiv…

Synacktiv (@synacktiv)

Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blogpost by Guillaume André and Wil. synacktiv.com/publications/n…

Will Schroeder (@harmj0y)

Thank you so much to /ˈziːf-kɒn/ and its organizers for an awesome experience! Lee Chagolla-Christensen and I had a blast talking about the new Nemesis 2.0 rewrite (code live at github.com/SpecterOps/Nem… !) and hope to be back next year #x33fcon

SpecterOps (@specterops)

Introducing the BloodHound Query Library! 📚 Martin Sohn & Joey Dreijer explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ

Jonas Bülow Knudsen (@jonas_b_k)

I publish two blog posts today! 📝🐫  The first dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06/2…  The second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06/2…

SpecterOps (@specterops)

Are you at #TROOPERS25? Don't miss Duane Michael & Garrett's follow-up to their talk last year, providing an update on what’s new in SCCM security and what remains dangerously overlooked. ghst.ly/3FEAHS1

S3cur3Th1sSh1t (@shitsecure)

After today’s talk at #TROOPERS25 I’m releasing BitlockMove, a PoC to execute code on remote systems in the context of a logged-on user session 🔥 github.com/rtecCyberSec/B… No need to steal credentials, no impersonation, no injection needed 👌

SpecterOps (@specterops)

So you've compromised a host that isn’t cloud-joined. Antero Guy breaks down how to request OAuth tokens & enumerate an Entra ID tenant by using an SSO cookie from a non cloud-joined device. Read more ⬇️ ghst.ly/445tQKL

Garrett (@unsigned_sh0rt)

Last week we added ELEVATE-4 github.com/subat0mik/Misc… to Misconfiguration Manager. tl;dr If SCCM uses AD CS for PKI, client auth certs are "borrowed" by clients during OSD. This will typically be a distribution point but could be the site server in all-in-one deployments...

Yeeb (@yeeb_)

Created a small tool that joins a device to a Tailscale network and exposes a local SOCKS proxy. It’s built for red team pivots and quick access into (restricted) environments. The underlying tsnet library is currently Go-only, so it's semi-portable for now. github.com/Yeeb1/SockTail

Dave Cossa (@g0ldengunsec)

Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…