Yuval Gordon

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️ Read Here - akamai.com/blog/security-…

In collaboration w/ @abstractshield, we analysed TukTuk, a sophisticated .NET RAT disguised as Apache log4net.dll, and what we found goes well beyond the malware itself. After pivoting onto the threat actor's own dev machine, we recovered their entire AI-assisted development history: 7,016 messages, 17 projects, 48 days of offensive tooling built almost entirely with Claude. Two C2 frameworks. A terabyte-scale exfiltration utility. EDR evasion tooling tested against @CrowdStrike, @SentinelOne, @Sophos & @Bitdefender. A BYOVD process killer. Custom AD recon tools. A tunneling kit. A malware distribution platform. All of it AI-generated. All of it operational. The actors used persistent fake personas, "university professor", "senior pentester", to bypass safety guardrails. We're flagging this to @Anthropic, @Fortinet and affected vendors. The OPSEC failure that exposed all of this? .claude/ session directory on the dev machine. Full IOCs, hashes, operator IPs, C2 infrastructure, and verbatim AI session excerpts in the report. Link below. 🧵🧵🧵🧵🧵🧵🧵🧵

@4ndr3w6S pulled me into this rabbit hole, and it was a fun one.

@IHM49 Yes they have. The patch did fix the privilege escalation, but it is still possible to use BadSuccessor as an account takeover, or as a credential dumper.

@YuG0rd Has Microsoft released a patch addressing this, or are we still waiting?

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️ Read Here - akamai.com/blog/security-…

@ptswarm @justbronzebee Great writeup! Do you see telephony servers being used much in real environments?

📞 Microsoft fixed an authenticated RCE in Windows Telephony Service (CVE-2026-20931), discovered by our researcher Sergey Bliznyuk @justbronzebee Read the write-up: swarm.ptsecurity.com/whos-on-the-li…

I found unauthenticated bugs in MDT that can be abuse to coerce authenticaton from the host server or to leak creds stored in the deployment share's rules file. Instead of fixing the issues, Microsoft retired MDT. specterops.io/blog/2026/01/2…

Just released a new @SpecterOps blog! I discovered that during client push in SCCM env's it's possible to remotely start WebClient and coerce HTTP from site servers for a relay to LDAP resulting in hierarchy takeover when WebClient is installed! 🫠 specterops.io/blog/2026/01/1…

@unsigned_sh0rt Loved it! I usually find it hard to concentrate on talks, this one felt almost like watching a movie.

Also, I tried to do something unique with the presentation style so if you have any thoughts or feedback on it I'd love to hear it

My BHUSA talk Clustered Points of Failure - Attacking Windows Server Failover Clusters is up on YouTube! youtube.com/watch?app=desk…

Blogs are up!

My gift for Thanksgiving 💜 I wrote for you the blog post I always wanted to read! Happy holiday!🦃 PLEASE READ IT!!! wiz.io/blog/recent-oa…

Amazing write-up of how BadSuccessor post-patch can be used for account takeover. Worth the read.

@_logangoins @enigma0x3 Thanks for the write-up Logan. You describe it perfectly and I appreciate the feedback about my second blog, I guess it should have been clearer😅

I feel like @YuG0rd's briefly mentioned new dMSA account takeover mechanism in his last blog didn't get enough attention. A new account takeover mechanism is on the horizon. I wrote a blog detailing it, releasing with a new BOF I wrote called BadTakeover specterops.io/blog/2025/10/2…

What happens when the User-Account-Restrictions property gets misconfigured? Spoiler: It's not good. From account compromise to full domain takeover, @unsigned_sh0rt breaks down why this permission set is more dangerous than most realize. ghst.ly/4mKgycH

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

We found a new strain of Docker-targeting malware, with improved capabilities over the previous version and some interesting upcoming features. Check it out!

@DrEntraID @IAMERICAbooted @acjuelich DFL is not a must for BadSuccessor, just need the updated schema and to make the authentication against the Windows Server 2025 DC

@IAMERICAbooted @acjuelich There is, schema version 88. Only difference from 2016 -> 2019 was one additional attribute: msDS-preferredDataLocation. Note that BadSuccessor only works if domain functional level is 2025 and you have at least 1 domain controller with Windows Server 2025.

If the Active Directory Schema version is 2019, is it still possible to be vulnerable to badsuccessor post-patch attack flows?

Happy to release SAMLSmith together with @ericonidentity - Generate forged SAML responses - Simulate Silver SAML & Golden SAML attacks - Extract usable certificate files from AD FS encrypted materials. The tool is written in C# Check it out here - github.com/Semperis/SAMLS…

@IAMERICAbooted The minimum requirement is to have WriteProperty on both msDS-SupersededManagedAccountLink and msDS-SupersededServiceAccountState on the target object

@IAMERICAbooted Sorry if it wasn’t clear, this is no longer a privilege escalation. You can only “impersonate” or dump the credentials of objects that you can write to their attributes (specifically, the attributes that links a superseded account to the dMSA)

Someone help me understand and tell me if I'm misunderstanding? Post-patch conditions: 1. The directory contains a member server 2025, which means it most likely has an updated 2025 schema in AD 2. I control an OU and can create dMSA which doesn't require a server 2025 in that OU because the schema has already been prepped for 2025 compatability due to a 2025 member server existing in the directory 3. Once dMSA created with mutual link, I can impersonate anyone or any machine in the directory? (i.e. ADFS, CAs, sync and connect servers, backups, domain root, EA/DA, etc). This sounds pretty darn good!

@lowercase_drm @mpgn_x64 You're right, the docs mismatch is super weird. great catch!

@YuG0rd @mpgn_x64 Those names seem to be wrong (even if they are mentioned here learn.microsoft.com/en-us/windows-…). But according to learn.microsoft.com/en-us/openspec… and my tests, it's: msDS-SupersededManagedAccountLink msDS-SupersededServiceAccountState wtf Microsoft🤯😵‍💫, Am I wrong ?

Need more testing but now, the TGS request raises a generic Kerberos error . RIP badsuccessordumper.py 👼 #CVE-2025-53779