Ellis Springe

CredMaster 2.0 passspray tool release! New features like notification alerts, advanced SOC evasion techniques, 8 new plugins and an easy config file. S/O to @ZephrFish for all his contributions in the rewrite B: whynotsecurity.com/blog/credmaste… G: github.com/knavesec/CredM…

See you all next week...excited to present with @breakfix at #BHEU! 💣

@_nextjenn Re reads Rewrites Sends Typo immediately 🫠

*writes email* *rereads it 50 times* *hovers over send button* *rereads it another 5 times* *rewrites email*

Come join the team! Long-term operations with some of the best in the world with guaranteed development time. This kind of opportunity doesn't come around often 😀

Ending an insane 6 weeks with a celebration. I’m deeply honored to receive the Trailblazer Award from the Society of Women Engineers. Thank you @SWEtalk! Grateful to my mgmt, team, husband, family, and friends. Their support has made every one of my accomplishments possible.

Ever been on an SCCM site server and *this* close to a DA pw that you couldn't decrypt for some reason? Check out my new blog looking at encryption in use within SCCM sites configured for High Availability and accompanying tooling to recover passwords: ibm.com/think/x-force/…

What happens when the User-Account-Restrictions property gets misconfigured? Spoiler: It's not good. From account compromise to full domain takeover, @unsigned_sh0rt breaks down why this permission set is more dangerous than most realize. ghst.ly/4mKgycH

kernel hackers go serverless ring0 → cloud 9 ☁️ ?? brb pwning yr gpu nodes ✨

Judging the @sec_defcon vishing competition on Friday, moving to London on Tuesday. Hell of a week

So much fun judging with @_sn0ww and @_nextjenn, great calls and a tight race all the way to the end! Hats off to all the contestants, it’s make those calls in front of a huge crowd (@JC_SoCal is ok too I guess)

Thank you again to the #SECVC judges and MC! @_nextjenn @knavesec @_sn0ww @jc_socal

Search 15M+ Microsoft 365 tenants by org name or domain and discover all known domains in the same tenant: micahvandeusen.com/tools/tenant-d…. Legacy methods like Autodiscover/GetFederationInfo no longer work (mc.merill.net/message/MC1081…).

More on BH OpenGraph: Ran into some issues when attempting to map objects collected with partial info back to existing BH objects. Built out a small tool that allows for connecting objects in a more flexible manner: github.com/G0ldenGunSec/O…

Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can it be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…

Last week we added ELEVATE-4 github.com/subat0mik/Misc… to Misconfiguration Manager. tl;dr If SCCM uses AD CS for PKI, client auth certs are "borrowed" by clients during OSD. This will typically be a distribution point but could be the site server in all-in-one deployments...

New research just dropped I'll be presenting at @WEareTROOPERS next week - Attacking ML Training Infrastructure 💥 Model poisoning for code execution ⚠️ Abusing ML workflows ⚙️ MLOKit updates and new threat hunting rules ibm.com/think/x-force/…

Me and the homies are dropping browser exploits on the red team engagement 😎. Find out how to bypass WDAC + execute native shellcode using this one weird trick -- exploiting the V8 engine of a vulnerable trusted application. ibm.com/think/x-force/…

The deadline is approaching fast for the first wave of OAIC tickets: May 16. Purchase your ticket by THIS Friday to secure your spot! Check your inbox for details. Next round of invitations coming soon. Request an invite: #request-invite" target="_blank" rel="nofollow noopener">offensiveaicon.com/#request-invite

I am thrilled to be presenting new research on attacking ML training infrastructure at @WEareTROOPERS this summer. Stay tuned for a blog post and lots of updates to MLOKit closer to the conference!

New blog from me about a bug in Power Apps that allows execution of arbitrary SQL queries on hosts connected through on-prem data gateways. This can turn external O365 access into compromised on-prem SQL servers. ibm.com/think/x-force/…

Had some fun with PDQ deploy/inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cred… thanks to @_dru1d for write a BOF out of the POC tl;dr get admin on PDQ box, decrypt privileged creds