Chris Thompson
@_Mayyhem
Senior Security Researcher @SpecterOps https://github.com/Mayyhem
Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro (github.com/Mayyhem/Maestro), a new(ish) tool I wrote for those situations, and this blog post to walk you through how: posts.specterops.io/maestro-9ed71d…
Wrote a BOF that extracts access tokens from .tbres files by decrypting DPAPI blobs in the current user context. This tool can be used as an alternative to the office_tokens BOF github.com/grayhatkiller/…
To trigger local SYSTEM authentication for relaying to ADCS or LDAP for LPE you would usually need the printer service or EFS service to be enabled (printerbug/petitpotam). Here is an alternative without this requirement 🤠 github.com/rtecCyberSec/R…
SCCM’s Management Points can leak more than you’d expect. @unsigned_sh0rt shows how Network Access Accounts, Task Sequences, and Collection Settings can be stolen by relaying a remote Management Point to the site database. Check it out ⬇️ ghst.ly/4eNLaHU
Ludushound shows the power of community driven innovation in cybersecurity. @bagelByt3s created an awesome tool to convert bloodhound data into a working lab in 🏟️ Ludus. Replicate complex live environments with automation - and get back to the fun stuff! specterops.io/blog/2025/07/1…
Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…
Thanks to everyone who attended our (@unsigned_sh0rt) talk at @WEareTROOPERS! Here is the companion blog post: specterops.io/blog/2025/06/2…
I'm not sure everyone realizes it, but as it stands, if you have an Active Directory with default configurations, any machine (except DCs) that hasn't applied the June 10 patch can be compromised by any domain user.
Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blog post by @yaumn_ and @wil_fri3d. synacktiv.com/publications/n…
So excited to see this one come out! Awesome post from @n0pe_sled on why IdPs should still be scrutinized! (tl;dr: OneLogin leaked random customer logs with info valid to generate JWTs) 👀 specterops.io/blog/2025/06/1…
BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escalate privileges and take over the forest. Check out @JimSycurity's latest blog post to understand how you can mitigate risk. ghst.ly/4kXTLd9
I'm super happy to announce an operationally weaponized version of @YuG0rd's BadSuccessor in .NET format! With a minimum of "CreateChild" privileges over any OU it allows for automatic escalation to Domain Admin (DA). Enjoy your inline .NET execution! github.com/logangoins/Sha…
Your #MDT shares might be spilling secrets like a drunk uncle at a wedding. 🍷💬 In my latest post for @TrustedSec, I dig into how Red Teamers can extract creds from MDT shares — and why your MDT deployment server might need a security makeover. Read all about it here:…
Microsoft Deployment Toolkit (MDT) is often overlooked but shares are a goldmine of valuable info for red teamers. In our latest blog, @Oddvarmoe walks through how to set up MDT and best practices for managing and protecting credentials. Read it now! trustedsec.com/blog/red-team-…
🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability. It allows compromising any user in AD, it works with the default config, and... Microsoft currently won't fix it 🤷‍♂️ Read Here - akamai.com/blog/security-…
The video of @unsigned_sh0rt's and my talk at @SpecterOps's SO-CON with step-by-step guidance on how to mitigate SCCM hierarchy takeover and credential theft attacks is up! Video: youtu.be/Rc2J6fmhcJ4 Slides: github.com/subat0mik/Misc… More info: misconfigurationmanager.com
I jumped heavily into learning about SCCM tradecraft and wrote a detailed write-up with custom examples, covering the most interesting vulnerabilities that combine commonality and impact from low-privilege contexts, and what you can do to prevent them :) logan-goins.com/2025-04-25-scc…
Had some fun with PDQ Deploy/Inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cred… Thanks to @_dru1d for writing a BOF out of the POC. tl;dr: get admin on the PDQ box, decrypt privileged creds.
Think NTLM relay is a solved problem? Think again. Relay attacks are more complicated than many people realize. Check out this deep dive from @elad_shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
New blog post just dropped! 🙌 Read the latest from @Tw1sm on how an operator can perform situational awareness steps prior to making an Entra ID token request and how tokens can be effectively used once obtained. ghst.ly/4lA5Iqu
Had a great time speaking with @unsigned_sh0rt about SCCM attack path prevention at SO-CON yesterday! Our slides with step-by-step instructions for mitigating the most critical SCCM attacks in your environment are at github.com/subat0mik/Misc…
Join @_Mayyhem & @unsigned_sh0rt as their talk gets underway at #SOCON2025! They are demonstrating common misconfiguration abuses & attack paths in SCCM along with step-by-step remediation guidance.
I'm excited that my first PRs to BloodHound/SharpHound are now in main! They remove FPs for Owns/WriteOwner edges when implicit owner rights are blocked and add OwnsLimitedRights and WriteOwnerLimitedRights edges when ACEs grant permissions to the OWNER RIGHTS SID. More to come!
Accurately see what permissions are exploitable in your AD environment. @_Mayyhem discusses a recent update in BloodHound that shows fewer false positives for Owns/WriteOwner edges, & introduces the new Owns/WriteOwnerLimitedRights edges. ⬇️ ghst.ly/3QORQdF
Along with this blog, I published an update to SCCMHunter that enables credential recovery all from the admin module. NAAs, client push, pxe boot password, discovery accounts, Azure app creds, etc. github.com/garrettfoster1…
#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API. Check out our latest blog post from @unsigned_sh0rt to learn more. ⬇️ ghst.ly/4buoISp