Will Schroeder
@harmj0y
Researcher @SpecterOps. Coding towards chaotic good while living on the decision boundary.
5 months ago @tifkin_ and I started looking into the security of Active Directory Certificate Services. Today we're releasing the results of that research- a blog post posts.specterops.io/certified-pre-… + a 140-page whitepaper and defensive audit tool (links at the top of the post) [1/6]
There's probably never been a better time in recent memory than now to get into appsec. Go poke at AI powered apps. People still don't understand the attack surface offered by LLMs (and other AI components) which makes it a target-rich environment.
Maybe its time to slow down shipping AI apps at high speed with little to no security reviews? 90 day responsible disclosure window is way too long for new AI apps and agents. There is basically zero legacy code or back compat impact... fyi @mbrg0
My first @SpecterOps blog! Ever wanted to collect Active Directory information from LDAP for a Red Team? Using LDAP's more OPSEC-considerate cousin: ADWS can be used to improve upon the already present advantages of using smaller-scaling LDAP queries. specterops.io/blog/2025/07/2…
#x33fcon 2025 talks: @tifkin_ & @harmj0y - Nemesis 2.0: Building an Offensive VirusTotal > youtu.be/RjLqfhQGUnE
Had some time and decided to take a shot at Fabian’s RAITrigger project. After a look into the RPC internals, I put together a super lightweight C# version (no NtApiDotNet), plus a C++ and BOF version. Enjoy! github.com/klezVirus/RAIW…
Wrote a BOF that extracts access tokens from .tbres files by decrypting DPAPI blobs in the current user context, this tool can be used as an alternate to office_tokens BOF github.com/grayhatkiller/…
New Vuln Research: NetSPI Principal Consultant Ceri Coburn exposes how Forescout SecureConnector agents can be hijacked via a named pipe vulnerability (CVE-2025-4660), turning endpoint security tools into attacker-controlled C2 channels. Read more: ow.ly/6hl250WqWrX
Enroll now for our 40-hour live workshop “EDR Internals: R&D,” co-taught with @MalFuzzer. Starts 23 Oct 2025. Dissect & build EDR drivers, master evasion techniques. Early-bird $1,450 ends 30 Sep. Details: trainsec.net/courses/edr-in… #EDR #WindowsInternals
You don't want to miss Nemesis 2.0 at #BHUSA! Join @harmj0y & @tifkin_'s Arsenal session on the ground-up rewrite of Nemesis focused on manual file triage for offensive operations. Learn more ▶️ ghst.ly/4lowhhC
Ludushound shows the power of community driven innovation in cybersecurity. @bagelByt3s created an awesome tool to convert bloodhound data into a working lab in 🏟️ Ludus. Replicate complex live environments with automation - and get back to the fun stuff! specterops.io/blog/2025/07/1…
Modern obfuscation techniques - a great weekend read. Master's thesis (by Roman Oravec) investigates various common obfuscation techniques and freely available implementations, focusing on the LLVM Pass Framework's potential for program obfuscation. Additionally, several…
PSA to anyone struggling, don't be told that "you're just worried", "you're just feeling sad", "you're overthinking things"... depression, anxiety, OCD, ADHD, Autism are killers. Talk, and advocate for yourself!
Finally landed on an OCD diagnosis yesterday, the fucking relief is unreal. Not like it's a shock, but it's been a loooooong time to get to this point. Look after your mental health h4xx0rz! youtube.com/watch?v=NDBRjB…
New video out 😊 showing how you can take control of port 445 and perform those magical relay attacks toward AD CS when working from a C2 agent. Way easier than before thanks to some great research by @zyn3rgy youtube.com/watch?v=e4f3h5…
Thrilled and humbled to be awarded Microsoft MVP for the 10th year! 🙏 Grateful for the amazing community, endless learning, and opportunities to share knowledge. Thank you @MVPAward for this honor! #MVP #Grateful #MVPBuzz
A little over a week left to register for @retBandit and I's @BlackHatEvents #BHUSA training on attacking MLSecOps and AI-as-a-Service platforms. We are almost full for both the Sat/Sun and Mon/Tues sessions! blackhat.com/us-25/training…
Awesome talk from @Cyb3rWard0g on AI Agents... this for me is the immediate future of LLM's and it's so exciting! youtube.com/watch?v=zoAPS1…
Dear Red Team nerds, If you're curious what a successful and serious malware campaign looks like (if you want to make a more serious Red Team engagement) I HIGHLY suggest reading the write up on the new malware campaign called TransferLoader zscaler.com/blogs/security…
Just found the TokenBreak paper referencing my Tokenization Confusion research. Some overlap in manipulating based on tokenization algorithms, always good to see something I created being referenced 🤗 arxiv.org/pdf/2506.07948
Dudes... please enable Detailed File Share auditing in your environment. All these attackers who switched over to the Impacket suite still run the default configs and it takes like 2 seconds to find them.