Logan Goins
177 posts
@_logangoins
Adversary Simulation @SpecterOps
United States · Joined April 2024
185 Following · 1.4K Followers

Pinned Tweet
Logan Goins@_logangoins·
Just released a new @SpecterOps blog! I discovered that during client push in SCCM env's it's possible to remotely start WebClient and coerce HTTP from site servers for a relay to LDAP resulting in hierarchy takeover when WebClient is installed! 🫠 specterops.io/blog/2026/01/1…

Logan Goins retweeted
Joshua Prager@Praga_Prag·
Have you got SCCM in your environment? Want to catch adversaries attempting to abuse it for malicious purposes? Check out my newest blog to setup deceptions within existing SCCM infra specterops.io/blog/2026/02/1…

Logan Goins retweeted
SpecterOps@SpecterOps·
Every Entra ID assessment ends here: “How do I get a token without triggering Conditional Access controls?” 🤔 @rbnroot built CAPSlock, an offline ROADrecon-based Conditional Access engine that simulates sign-ins & flags gaps without touching the tenant. ghst.ly/4aKIk64

Logan Goins retweeted
SpecterOps@SpecterOps·
Introducing BloodHound Scentry: BloodHound Enterprise + SpecterOps experts working alongside your team to eliminate attack paths and accelerate APM. Level 0 → Level 3 maturity in ~6 months. Not theory. Tradecraft. 🎯 Learn more ➡️ ghst.ly/bhscentry-tw
Logan Goins@_logangoins·
I ended up quickly modifying ntlmrelayx to support these changes so that relays to LDAP are possible again, thanks y'all for your hard work on figuring this out! You can find the changes here: github.com/logangoins/imp…
RedTeam Pentesting@RedTeamPT

🚀Our tool keycred for KeyCredentialLinks and Shadow Credential attacks now works with updated domain controllers again! It turns out, Microsoft violated their own specs. Try it out: github.com/RedTeamPentest…


Logan Goins retweeted
Jonathan Beierle@hullabrian·
🚨Introducing EventHorizon!🚨 A framework built to arm researchers with customizable ETW telemetry and sigma-like detection and response rules! It allows you to easily retrieve ETWTI telemetry, all with a simple msi installer and included wiki. github.com/HullaBrian/Eve…

Logan Goins retweeted
Joshua Prager@Praga_Prag·
SpecterOps has a really good lineup for SO-CON'26. specterops.io/so-con/#agenda

Logan Goins retweeted
SpecterOps@SpecterOps·
Still running MDT? As of Jan 6, 2025, it’s unsupported and unpatched. In this post, @unsigned_sh0rt shows how attackers can locate MDT/WDS (even unauthenticated) and chain issues into credential risk. Defenses included. Read more ⤵️ ghst.ly/49UHoeW

Logan Goins retweeted
Garrett@unsigned_sh0rt·
I found unauthenticated bugs in MDT that can be abused to coerce authentication from the host server or to leak creds stored in the deployment share's rules file. Instead of fixing the issues, Microsoft retired MDT. specterops.io/blog/2026/01/2…

Logan Goins retweeted
Chris Thompson@_Mayyhem·
RIP SCCM hierarchy TAKEOVER-5: learn.microsoft.com/en-us/intune/c… github.com/subat0mik/Misc… It's a good idea to upgrade to 2509 ASAP, sysadmin friends! There's no other mitigation if you have an SMS Provider hosted remotely from the site server AFAIK.

Logan Goins retweeted
SpecterOps@SpecterOps·
New MSSQLHound updates from @_Mayyhem 🔥 Now includes EPA-based NTLM relay scanning, CVE-2025-49758 patch detection, and BloodHound Cypher queries to map + remediate MSSQL attack paths. Check it out! ghst.ly/4pKTgVI

Logan Goins retweeted
Chris Thompson@_Mayyhem·
I added a few things to MSSQLHound, including remote EPA (NTLM relay mitigation) checks based on RelayInformer by @Tw1sm and @zyn3rgy and some Cypher queries you can import into BloodHound to identify issues in MSSQL without writing them from scratch.
SpecterOps@SpecterOps

New MSSQLHound updates from @_Mayyhem 🔥 Now includes EPA-based NTLM relay scanning, CVE-2025-49758 patch detection, and BloodHound Cypher queries to map + remediate MSSQL attack paths. Check it out! ghst.ly/4pKTgVI


Logan Goins retweeted
DirectoryRanger@DirectoryRanger·
Krueger. Proof of Concept (PoC) .NET post-exploitation tool for remotely killing Endpoint Detection and Response (EDR) as a part of lateral movement procedures, by @_logangoins github.com/logangoins/Kru…

Logan Goins retweeted
SpecterOps@SpecterOps·
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma

Logan Goins retweeted
SpecterOps@SpecterOps·
SCCM admins: review your roles. MSSQL admins: review ALTER ANY LOGIN exposure. @_Mayyhem details CVE-2025-47179 & CVE-2025-49758 and how these escalations can be identified through graph analysis. Check out his blog post for more! ghst.ly/49Fj4fM

Logan Goins retweeted
SpecterOps@SpecterOps·
SCCM client push strikes again for hierarchy takeover! @_logangoins just dropped a new blog showing how WebClient doesn't need to be already running on site servers to coerce HTTP (WebDav) auth & enable NTLM relay to LDAP for SCCM takeover. Read more ⤵️ ghst.ly/3NkEF5J
Logan Goins@_logangoins·
@Janrdzz @sekurlsa_pw In addition to that, setting LDAPS channel binding to "When supported" could give you a lot more flexibility in your environment. The Windows SMB client always adds the CBT, meaning that your custom infra would still be able to connect to LDAPS without binding AND prevent relays
Logan Goins@_logangoins·
@Janrdzz @sekurlsa_pw You're all good! It's a good question, no need to apologize! You would need to have LDAP signing and channel binding enforced for all domain controllers, which is easily possible with GPOs iirc. Just make sure in your environment you audit the changes before full deployment.