Matt Creel
tw1sm.bsky.social
Reposted by Matt Creel
NTLM relays failing because of EPA? 😒

Nick Powers & @tw1sm.bsky.social break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable.

Check out their blog for more: ghst.ly/4rqwpRs
Less Praying More Relaying - Enumerating EPA Enforcement for MSSQL and HTTPS - SpecterOps
It's important to know if your NTLM relay will be prevented by integrity protections such as EPA, before setting up for and attempting the attack. In this post, we share how to solve this problem for ...
November 25, 2025 at 8:12 PM
Reposted by Matt Creel
NTLM relay research is evolving!

Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.

Grab your spot → ghst.ly/oct-web-bsky
October 29, 2025 at 10:25 PM
Reposted by Matt Creel
Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cr... thanks to @dru1d.bsky.social for writing a BOF out of the POC

tl;dr get admin on PDQ box, decrypt privileged creds
Decrypting PDQ credentials | unsigned_sh0rt's blog
Walkthrough of how PDQ credentials encrypts service credentials
April 11, 2025 at 9:09 PM
Reposted by Matt Creel
Celebrating 1 year at SpecterOps, this was the first project I worked on after starting. Looking at SQL Server Transparent Data Encryption, how to bruteforce weak keys, and how ManageEngine's ADSelfService product uses TDE with a suspect key. Enjoy :) specterops.io/blog/2025/04...
The SQL Server Crypto Detour - SpecterOps
As part of my role as Service Architect here at SpecterOps, one of the things I’m tasked with is exploring all kinds of technologies to help those on assessments with advancing their engagement. Not l...
April 8, 2025 at 4:03 PM
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖

medium.com/specter-ops-...
An Operator’s Guide to Device-Joined Hosts and the PRT Cookie
Introduction
April 7, 2025 at 4:34 PM
Reposted by Matt Creel
Dig through this timeline and you'll figure out what I'm here to do. I spoke to a commercial leader in the offensive security space last year. My words: you're fucking it up.

What I didn't say: I feel compelled, even though I DON'T want the bullshit, to try and fix it.

What does all of this mean?
March 15, 2025 at 3:57 AM
Worked through the CloudBreach Breaching AWS course and exam over the last two weeks. Didn't see a ton of info out there on it prior to buying the course so wrote a small review with my thoughts blog.tw1sm.io/p/breaching-...
Breaching AWS Course Review
CloudBreach's OAWSP Certification
December 27, 2024 at 4:52 PM
Cool to see another AD enum method bridge BH compatibility with bofhound! 🦾
Excited to share a tool I've been working on - ShadowHound.
ShadowHound is a PowerShell alternative to SharpHound for Active Directory enumeration, using native PowerShell or ADModule (ADWS). As a bonus I also talk about some MDI detections and how to avoid them.

blog.fndsec.net/2024/11/25/s...
November 26, 2024 at 1:53 AM
Reposted by Matt Creel
Was doing some digging "What's New" in Server2025 learn.microsoft.com/en-us/window... specifically the changes to pre-2k machines. Oddvar and I had spoken previously about the changes being solid and demonstrated pre-created machines in ADUC could no longer be set with a default password.
November 15, 2024 at 5:25 AM