Daniel Heinsen

It's alive! Apeman is a graph-based tool to model AWS IAM permissions. This marks the start of a new journey to methodically identify and remediate IAM attack paths, and I look forward to learning together with y'all. github.com/hotnops/apeman

This post goes more into Entra Connect tradecraft and how partially synced objects can be hijacked for cross domain attacks. posts.specterops.io/entra-connect-…

Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃

i'm on the internet this week. head over to advent.cloudsecuritypodcast.tv to hear me talk about tokens and conditional access

A new fun way to set shadow credentials posts.specterops.io/attacking-entr…

Want to move laterally from C2 on an Intune admin's workstation to any Intune-enrolled device? Check out Maestro (github.com/Mayyhem/Maestro), a new(ish) tool I wrote for those situations, and this blog post to walk you through how: posts.specterops.io/maestro-9ed71d…

my workshop tomorrow in a nutshell

Don't miss our next webinar w/ @hotnops, which will showcase how Apeman can quickly identify Attack Paths by solving AWS CTF challenges. Each challenge will highlight a common misconfiguration & how Apeman can help identify them. Register today ▶️ ghst.ly/4dCog48

Let's take a ride in the Wayback machine! In our new #blog, @nyxgeek takes a look at time-based user enumeration in #Azure, its origins dating back to 2014, and the release of a new tool called Autodiscover Enumerator. Read it now! hubs.la/Q02S235F0

had the opportunity to take the dry run of this class. HFS. it brings the foo.

EntraID, in one diagram. (Note, not perfectly updated. Some complexity not shown)

Awesome blog post about a career at SpecterOps. Feel free to reach out to me directly if you have any questions at all. You can DM me here or on the Bloodhound slack.

A new undocumented AWS STS API popped up! "sts:AssumeRoot". It requires you to hit an (AFAIK) undocumented endpoint but they are allow listing accounts so you can't do anything with it. AWS is definitely cooking up something interesting!

This is the last of my phishing series! It's a recap and reference for the whole thing. Hope it was as fun to read as it was to write:

Is it just me, or does every Entra application registration client secret have a tilde at the fifth index? Is it always 40 characters? Anyone else notice this?

PSA: Apeman exposes a Neo4J panel under the hood. Here is a query to detect roles that are vulnerable to the Amplify vulnerabilities that @Frichette_n presented at Blackhat. Gist here: gist.github.com/hotnops/a1d4ab…

Just wrapped up DEF CON Demo Labs and published Maestro, a new tool for lateral movement with Intune from C2. Thanks to everyone who came to check it out! I'll be posting a blog and wiki with more info soon, but here's the code and link to today's slides: github.com/Mayyhem/Maestro

Join us at #SOCON2025, happening March 31-April 1, for two days all about Attack Path Management. Register today to get 50% off and learn about our CFP, opening Oct. 1st! 👉 specterops.io/so-con-2025/

No phishing blog this week, but if you're in Vegas come see my Arsenal talk: blackhat.com/us-24/arsenal/…

Something new I'm hacking together. Can't wait to share it... Graph PowerShell → Duck DB → Awesome sauce All running locally on your desktop 😍 Cost: $0