Lee Robinson

I added an SCCM central admin site, child site, passive site server, secondary site, and remote system roles to @synzack21 and @badsectorlabs Ludus lab so you can skip the manual deployment. It's vuln to almost every technique in Misconfiguration Manager. specterops.io/blog/2026/04/0…

Absolutely loved doing this research and I’m beyond excited to share it with you all! You never know what’ll shake out if you try to “con the bot” 🤖 #ai #cyber

Check out GoLinHound: - Discovers Linux & SSH attack paths - Outputs OpenGraph JSON for BloodHound ingestion - Integrates with SharpHound and AzureHound data to unveil cross-technology attack paths github.com/RantaSec/golin…

Adversaries don’t hunt for “passwords.txt.” They abuse what’s already there. @Praga_Prag's latest blog shows how to turn SCCM attack paths into high-signal deception opportunities using BloodHound OpenGraph. ghst.ly/4tuAjJJ

@mattdep_ @SpecterOps I definitely think that’s something that could happened. Especially with OpenGraph. Off the top of my head, it shouldn’t be too hard to map which policies include or exclude users, roles, and groups. Would have to think on handling conditions though.

@SpecterOps @rbnroot Do you plan to add the collection of CAPs to AzureHound and support CAP visualizations in BloodHound?

Every Entra ID assessment ends here: “How do I get a token without triggering Conditional Access controls?” 🤔 @rbnroot built CAPSlock, an offline ROADrecon-based Conditional Access engine that simulates sign-ins & flags gaps without touching the tenant. ghst.ly/4aKIk64

Identity risk isn’t just about who has access. It’s about how access connects. @jaredcatkinson dives into how Attack Path Management reframes modern security strategy in his article for @IdentityWeek_ID. ghst.ly/4txClZI

@mrmichaeljstew @SpecterOps That’s exactly what I was going for! While I could have added the ability to pull down the policies all within the tool, I found that it made more sense to just build on top of ROADrecon since in almost always using it to conduct entra analysis anyways

@SpecterOps @rbnroot The offline simulation angle is the key differentiator here. In environments where you can't do live testing against prod tenants — which is most of higher ed — CAPSlock closes a real gap. The ROADrecon dependency is worth noting for teams still building out their toolchain.