Logan Goins
@logangoins.bsky.social
Adversary Simulation
@specterops.io
reposted by
Logan Goins
SpecterOps
18 days ago
SCCM client push strikes again for hierarchy takeover! @logangoins.bsky.social just dropped a new blog showing how WebClient doesn't need to be already running on site servers to coerce HTTP (WebDAV) auth & enable NTLM relay to LDAP for SCCM takeover. Read more: ghst.ly/3Z9Gbu6
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP - SpecterOps
During automatic client push installation, an SCCM site server automatically attempts to map WebDav shares on clients, starting WebClient when installed.
https://ghst.ly/3Z9Gbu6
Just released a new @specterops.io blog! I discovered that during client push in SCCM envs it's possible to remotely start WebClient and coerce HTTP from site servers for a relay to LDAP, resulting in hierarchy takeover when WebClient is installed! 🫠 specterops.io/blog/2026/01...
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP - SpecterOps
During automatic client push installation, an SCCM site server automatically attempts to map WebDav shares on clients, starting WebClient when installed.
https://specterops.io/blog/2026/01/14/wait-why-is-my-webclient-started-sccm-hierarchy-takeover-via-ntlm-relay-to-ldap/
18 days ago
reposted by
Logan Goins
SpecterOps
3 months ago
Credential Guard was supposed to end credential dumping. It didn't. Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more:
ghst.ly/4qtl2rm
Catching Credential Guard Off Guard - SpecterOps
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
https://ghst.ly/4qtl2rm
reposted by
Logan Goins
SpecterOps
3 months ago
Patching one technique doesn't close the entire attack vector. dMSA abuse is still a problem, and @logangoins.bsky.social just dropped a reality check with new tooling to prove it. Learn more about the issue & the new BadTakeover BOF: ghst.ly/42POg9L
The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique - SpecterOps
After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still abu...
https://ghst.ly/42POg9L
reposted by
Logan Goins
SpecterOps
5 months ago
Trying to fly under EDR's radar? @logangoins.bsky.social explains how to use HTTP-to-LDAP relay attacks to execute tooling completely off-host through the C2 payload context. Perfect for when you need LDAP access but want to avoid being caught stealing creds. ghst.ly/41mjMv7
Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP - SpecterOps
TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to LD...
https://ghst.ly/41mjMv7