Chris Thompson

My SCCM BloodHound OpenGraph collector, ConfigManBearPig, is finally ready to share! It can enumerate all of the relay TAKEOVERs and a few CRED and ELEVATE techniques from Misconfiguration Manager with just a domain account. Let me know what you find! specterops.io/blog/2026/01/1…

Check out GoLinHound: - Discovers Linux & SSH attack paths - Outputs OpenGraph JSON for BloodHound ingestion - Integrates with SharpHound and AzureHound data to unveil cross-technology attack paths github.com/RantaSec/golin…

Every Entra ID assessment ends here: “How do I get a token without triggering Conditional Access controls?” 🤔 @rbnroot built CAPSlock, an offline ROADrecon-based Conditional Access engine that simulates sign-ins & flags gaps without touching the tenant. ghst.ly/4aKIk64

Introducing BloodHound Scentry: BloodHound Enterprise + SpecterOps experts working alongside your team to eliminate attack paths and accelerate APM. Level 0 → Level 3 maturity in ~6 months. Not theory. Tradecraft. 🎯 Learn more ➡️ ghst.ly/bhscentry-tw

@_subTee reminded me that the Projected File System existed on Windows recently, so I decided to do a deep dive. Turns out - this is probably the best base technology for canary/deception features out there. There is also a splash of offensive use cases😎 @HuntressLabs Blog: huntress.com/blog/windows-p…

I can't believe Microsoft killed one of my favorite labs in my Entra ID training 😭. The Azure CLI and Azure PowerShell are no longer FOCI clients. On a serious note: good for security!

@jannisj If it's breaking due to the new NTLM rejection, there should be a way to force the use of Kerberos by supplying a fully qualified domain name. Looks like there's an issue tracking this that might help: github.com/MSEndpointMgr/…

@_Mayyhem And after you upgrade to 2509, modern driver management breaks :/

RIP SCCM hierarchy TAKEOVER-5: #adminservice-now-rejects-ntlm-authentication" target="_blank" rel="nofollow noopener">learn.microsoft.com/en-us/intune/c… github.com/subat0mik/Misc… It's a good idea to upgrade to 2509 ASAP, sysadmin friends! There's no other mitigation if you have an SMS Provider hosted remotely from the site server AFAIK.

I found unauthenticated bugs in MDT that can be abuse to coerce authenticaton from the host server or to leak creds stored in the deployment share's rules file. Instead of fixing the issues, Microsoft retired MDT. specterops.io/blog/2026/01/2…

Don't miss this one. 👀 @zyn3rgy & @Tw1sm are sharing techniques to better inform your NTLM relays and discussing RelayInformer, an open-source project that identifies EPA enforcement across the majority of popular NTLM relay targets. Save your spot 👉 ghst.ly/web-oct-tw

Also a good detection opportunity based on that line in AdminService.log @Praga_Prag

@SpecterOps Link to the repo: github.com/SpecterOps/MSS…

New MSSQLHound updates from @_Mayyhem 🔥 Now includes EPA-based NTLM relay scanning, CVE-2025-49758 patch detection, and BloodHound Cypher queries to map + remediate MSSQL attack paths. Check it out! ghst.ly/4pKTgVI

@Tw1sm @zyn3rgy github.com/SpecterOps/MSS…

I added a few things to MSSQLHound, including remote EPA (NTLM relay mitigation) checks based on RelayInformer by @Tw1sm and @zyn3rgy and some Cypher queries you can import into BloodHound to identify issues in MSSQL without writing them from scratch.

📞 Microsoft fixed an authenticated RCE in Windows Telephony Service (CVE-2026-20931), discovered by our researcher Sergey Bliznyuk @justbronzebee Read the write-up: swarm.ptsecurity.com/whos-on-the-li…

SCCM admins: review your roles. MSSQL admins: review ALTER ANY LOGIN exposure. @_Mayyhem details CVE-2025-47179 & CVE-2025-49758 and how these escalations can be identified through graph analysis. Check out his blog post for more! ghst.ly/49Fj4fM

This talk introduces two new OpenGraph collectors that expose lesser-known SCCM and MSSQL attack chains starting with initial access to gaining administrative control of the environment. @_Mayyhem walks through collection and visualization of these attack paths in the BloodHound graph and shows how to operationalize this tooling in real operations. #ITDefense

Wrote a C# tool for extracting information from SCCM PXE boot media. Runs from unprivileged context. Based on the work of @_xpn_ / @_Mayyhem and @Raiona_ZA github.com/leftp/SharpPXE

Just released a new @SpecterOps blog! I discovered that during client push in SCCM env's it's possible to remotely start WebClient and coerce HTTP from site servers for a relay to LDAP resulting in hierarchy takeover when WebClient is installed! 🫠 specterops.io/blog/2026/01/1…

@SpecterOps Here's a link to the tool repo as well! github.com/SpecterOps/Con…

SCCM attack paths are messy until you can see them. 👀 ConfigManBearPig from @_Mayyhem extends BloodHound with SCCM nodes + edges using OpenGraph, plus queries to surface hierarchy takeovers and escalation paths. Check it out! ghst.ly/4svbcWO