Daniel Heinsen (@hotnops) 's Twitter Profile
Daniel Heinsen

@hotnops

doin thangs @specterops

ID: 1237387084899516416

Link: https://github.com/hotnops/ | Calendar: 10-03-2020 14:38:12

266 Tweets

1.1K Followers

315 Following

SpecterOps (@specterops):

Join us at #SOCON2025, happening March 31-April 1, for two days all about Attack Path Management. Register today to get 50% off and learn about our CFP, opening Oct. 1st! 👉 specterops.io/so-con-2025/

Chris Thompson (@_mayyhem):

Just wrapped up DEF CON Demo Labs and published Maestro, a new tool for lateral movement with Intune from C2. Thanks to everyone who came to check it out! I'll be posting a blog and wiki with more info soon, but here's the code and link to today's slides: github.com/Mayyhem/Maestro

Daniel Heinsen (@hotnops):

PSA: Apeman exposes a Neo4J panel under the hood. Here is a query to detect roles that are vulnerable to the Amplify vulnerabilities that Nick Frichette presented at Blackhat. Gist here: gist.github.com/hotnops/a1d4ab…

Daniel Heinsen (@hotnops):

Is it just me, or does every Entra application registration client secret have a tilde at the fifth index? Is it always 40 characters? Anyone else notice this?

Forrest Kasler (@fkasler):

This is the last of my phishing series! It's a recap and reference for the whole thing. Hope it was as fun to read as it was to write:

Nick Frichette (@frichette_n):

A new undocumented AWS STS API popped up! "sts:AssumeRoot". It requires you to hit an (AFAIK) undocumented endpoint but they are allow listing accounts so you can't do anything with it. AWS is definitely cooking up something interesting!

Daniel Heinsen (@hotnops):

Awesome blog post about a career at SpecterOps. Feel free to reach out to me directly if you have any questions at all. You can DM me here or on the Bloodhound slack.

TrustedSec (@trustedsec):

Let's take a ride in the Wayback machine! In our new #blog, nyxgeek takes a look at time-based user enumeration in #Azure, its origins dating back to 2014, and the release of a new tool called Autodiscover Enumerator. Read it now! hubs.la/Q02S235F0

SpecterOps (@specterops):

Don't miss our next webinar w/ Daniel Heinsen, which will showcase how Apeman can quickly identify Attack Paths by solving AWS CTF challenges. Each challenge will highlight a common misconfiguration & how Apeman can help identify them. Register today ▶️ ghst.ly/4dCog48

Chris Thompson (@_mayyhem):

Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro (github.com/Mayyhem/Maestro), a new(ish) tool I wrote for those situations, and this blog post to walk you through how: posts.specterops.io/maestro-9ed71d…

Dirk-jan (@_dirkjan):

Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃

Daniel Heinsen (@hotnops):

I'm on the internet this week. Head over to advent.cloudsecuritypodcast.tv to hear me talk about tokens and conditional access.

Daniel Heinsen (@hotnops):

This post goes more into Entra Connect tradecraft and how partially synced objects can be hijacked for cross domain attacks. posts.specterops.io/entra-connect-…

SpecterOps (@specterops):

MSSQLHound leverages BloodHound's OpenGraph to visualize MSSQL attack paths with 7 new nodes & 37 new edges, all without touching the SharpHound & BloodHound codebases. Chris Thompson unpacks this new feature in his blog post. 👇 ghst.ly/4leRFFn

Garrett (@unsigned_sh0rt):

WSFC misconfigurations can turn your domain into one big fustercluck. I'm sharing fustercluck today as part of my #BHUSA presentation. The README summarizes the issues and a detailed blog is coming soon. github.com/garrettfoster1…