Matt Creel
@tw1sm.bsky.social
📤 104
📥 53
📝 4
Adversary Simulation | Wannabe
https://twitter.com/tw1sm
https://blog.tw1sm.io
reposted by
Matt Creel
SpecterOps
9 days ago
NTLM relays failing because of EPA? 😒 Nick Powers & @tw1sm.bsky.social break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable. Check out their blog for more:
ghst.ly/4rqwpRs
Less Praying More Relaying - Enumerating EPA Enforcement for MSSQL and HTTPS - SpecterOps
It's important to know if your NTLM relay will be prevented by integrity protections such as EPA, before setting up for and attempting the attack. In this post, we share how to solve this problem for ...
https://ghst.ly/4rqwpRs
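The SpecterOps post above is about telling in advance whether EPA will break a relay. As an added example that is not part of the post, the blog, or RelayInformer, the Python below shows what EPA actually puts into the NTLM exchange: an EPA-aware client authenticating over TLS adds MsvAvChannelBindings (the hash of a gss_channel_bindings_struct built from the server certificate) and MsvAvTargetName (the service SPN) to the AV_PAIR list of its NTLMv2 response. Those bytes sit inside the data the NTProofStr HMAC covers, so a relay cannot strip or rewrite them for a different TLS endpoint, which is why the relayed authentication fails at a service that enforces EPA. The code parses the AUTHENTICATE_MESSAGE down to the AV pairs and reports whether bindings are present. It does not probe a server for its EPA setting (that is what the blog covers); the two sample messages, the domain/user/host names, the SPN and the 16-byte binding value are constructed here for illustration.

```python
import struct

# AV_PAIR identifiers (MS-NLMP 2.2.2.1)
MSV_AV_EOL = 0x0000
MSV_AV_NB_COMPUTER_NAME = 0x0001
MSV_AV_FLAGS = 0x0006
MSV_AV_TIMESTAMP = 0x0007
MSV_AV_TARGET_NAME = 0x0009
MSV_AV_CHANNEL_BINDINGS = 0x000A
AV_FLAG_MIC_PRESENT = 0x00000002

AUTH_HEADER_LEN = 88  # fixed AUTHENTICATE_MESSAGE header, through the 16-byte MIC


def parse_av_pairs(buf: bytes) -> dict[int, bytes]:
    """Walk the AvId/AvLen/Value list until MsvAvEOL."""
    pairs: dict[int, bytes] = {}
    off = 0
    while off + 4 <= len(buf):
        av_id, av_len = struct.unpack_from("<HH", buf, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = buf[off:off + av_len]
        off += av_len
    raise ValueError("AV_PAIR list not terminated by MsvAvEOL")


def nt_challenge_response(msg: bytes) -> bytes:
    """Pull the NtChallengeResponse payload out of an AUTHENTICATE_MESSAGE (type 3)."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    nt_len, _nt_max, nt_off = struct.unpack_from("<HHI", msg, 20)
    return msg[nt_off:nt_off + nt_len]


def epa_bindings(msg: bytes) -> dict:
    """Report what, if anything, ties this NTLMv2 response to a TLS channel and an SPN."""
    nt_resp = nt_challenge_response(msg)
    # NTLMv2 response = NTProofStr(16) + NTLMv2_CLIENT_CHALLENGE; RespType (byte 16) is 1.
    if len(nt_resp) <= 44 or nt_resp[16] != 0x01:
        return {"ntlmv2": False, "target_name": None, "channel_binding": None, "mic_present": False}
    # AvPairs follow RespType(1) HiRespType(1) Reserved1(2) Reserved2(4) TimeStamp(8)
    # ChallengeFromClient(8) Reserved3(4): offset 16 + 28 = 44.
    pairs = parse_av_pairs(nt_resp[44:])
    flags = struct.unpack("<I", pairs[MSV_AV_FLAGS])[0] if MSV_AV_FLAGS in pairs else 0
    target = pairs.get(MSV_AV_TARGET_NAME)
    cbt = pairs.get(MSV_AV_CHANNEL_BINDINGS)
    return {
        "ntlmv2": True,
        "target_name": target.decode("utf-16-le") if target is not None else None,
        "channel_binding": cbt.hex() if cbt is not None else None,
        "mic_present": bool(flags & AV_FLAG_MIC_PRESENT),
    }


def build_authenticate(av_pairs: list[tuple[int, bytes]]) -> bytes:
    """Constructed minimal AUTHENTICATE_MESSAGE for testing; proof, key and MIC bytes are dummies."""
    av_blob = b"".join(struct.pack("<HH", i, len(v)) + v for i, v in av_pairs)
    av_blob += struct.pack("<HH", MSV_AV_EOL, 0)
    client_challenge = (
        b"\x01\x01" + b"\x00" * 2 + b"\x00" * 4   # RespType, HiRespType, Reserved1, Reserved2
        + b"\x00" * 8                              # TimeStamp (dummy)
        + b"\x11" * 8                              # ChallengeFromClient (dummy)
        + b"\x00" * 4 + av_blob + b"\x00" * 4      # Reserved3, AvPairs, Reserved4
    )
    nt_resp = b"\x00" * 16 + client_challenge      # NTProofStr (dummy) + client challenge
    payload = b""

    def field(data: bytes) -> bytes:
        # Len/MaxLen/Offset descriptor; payload is laid out in call order after the header.
        nonlocal payload
        desc = struct.pack("<HHI", len(data), len(data), AUTH_HEADER_LEN + len(payload))
        payload += data
        return desc

    header = (
        b"NTLMSSP\x00" + struct.pack("<I", 3)
        + field(b"\x00" * 24)                      # LmChallengeResponse (dummy)
        + field(nt_resp)                           # NtChallengeResponse
        + field("CORP".encode("utf-16-le"))        # DomainName (constructed)
        + field("alice".encode("utf-16-le"))       # UserName (constructed)
        + field("WS01".encode("utf-16-le"))        # Workstation (constructed)
        + field(b"")                               # EncryptedRandomSessionKey
        + struct.pack("<I", 0xE2888215)            # NegotiateFlags (typical client value)
        + b"\x00" * 8 + b"\x00" * 16               # Version, MIC (dummies)
    )
    return header + payload


SAMPLE_CBT = bytes(range(16))   # constructed stand-in for the channel-binding hash
SAMPLE_SPN = "HTTP/web.corp.local"  # constructed SPN


def sample_with_epa() -> bytes:
    """What an EPA-aware client sends over TLS: SPN + channel binding, MIC flagged."""
    return build_authenticate([
        (MSV_AV_NB_COMPUTER_NAME, "DC01".encode("utf-16-le")),
        (MSV_AV_FLAGS, struct.pack("<I", AV_FLAG_MIC_PRESENT)),
        (MSV_AV_TARGET_NAME, SAMPLE_SPN.encode("utf-16-le")),
        (MSV_AV_CHANNEL_BINDINGS, SAMPLE_CBT),
    ])


def sample_without_epa() -> bytes:
    """A response carrying no SPN or channel binding: nothing ties it to the original service."""
    return build_authenticate([
        (MSV_AV_NB_COMPUTER_NAME, "DC01".encode("utf-16-le")),
        (MSV_AV_TIMESTAMP, b"\x00" * 8),
    ])


if __name__ == "__main__":
    for name, msg in (("with EPA bindings", sample_with_epa()), ("without", sample_without_epa())):
        print(name, epa_bindings(msg))
```

Run `epa_bindings` over a captured type 3 message (for example one pulled from a relay tool's debug output or a PCAP) to see whether the victim client bound its response; a present MsvAvChannelBindings means the response is only valid at the TLS endpoint the client actually talked to, regardless of what the relay target would accept.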
reposted by
Matt Creel
SpecterOps
about 1 month ago
NTLM relay research is evolving! Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols. Grab your spot →
ghst.ly/oct-web-bsky
reposted by
Matt Creel
hotnops
6 months ago
New tricks, same impact
posts.specterops.io/update-dumpi...
Update: Dumping Entra Connect Sync Credentials
Recently, Microsoft changed the way the Entra Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials…
https://posts.specterops.io/update-dumping-entra-connect-sync-credentials-4a9114734f71
reposted by
Matt Creel
Garrett
8 months ago
Had some fun with PDQ deploy/inventory credential decryption and wrote about it here:
unsigned-sh0rt.net/posts/pdq_cr...
thanks to @dru1d.bsky.social for writing a BOF out of the POC. tl;dr: get admin on PDQ box, decrypt privileged creds
Decrypting PDQ credentials | unsigned_sh0rt's blog
Walkthrough of how PDQ encrypts service credentials
https://unsigned-sh0rt.net/posts/pdq_credentials/
reposted by
Matt Creel
XPN
8 months ago
Celebrating 1 year at SpecterOps, this was the first project I worked on after starting. Looking at SQL Server Transparent Data Encryption, how to bruteforce weak keys, and how ManageEngine's ADSelfService product uses TDE with a suspect key. Enjoy :)
specterops.io/blog/2025/04...
The SQL Server Crypto Detour - SpecterOps
As part of my role as Service Architect here at SpecterOps, one of the things I’m tasked with is exploring all kinds of technologies to help those on assessments with advancing their engagement. Not l...
https://specterops.io/blog/2025/04/08/the-sql-server-crypto-detour/
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖
medium.com/specter-ops-...
An Operator’s Guide to Device-Joined Hosts and the PRT Cookie
Introduction
https://medium.com/specter-ops-posts/an-operators-guide-to-device-joined-hosts-and-the-prt-cookie-bcd0db2812c4
8 months ago
reposted by
Matt Creel
Raphael Mudge
9 months ago
Dig through this timeline and you'll figure out what I'm here to do. I spoke to a commercial leader in the offensive security space last year. My words: you're fucking it up. What I didn't say: I feel compelled, even though I DON'T want the bullshit, to try and fix it. What does all of this mean?
Worked through the CloudBreach Breaching AWS course and exam over the last two weeks. Didn't see a ton of info out there on it prior to buying the course so wrote a small review with my thoughts
blog.tw1sm.io/p/breaching-...
Breaching AWS Course Review
CloudBreach's OAWSP Certification
https://blog.tw1sm.io/p/breaching-aws-course-review
11 months ago
Cool to see another AD enum method bridge BH compatibility with bofhound! 🦾
add a skeleton here at some point
about 1 year ago
reposted by
Matt Creel
Garrett
about 1 year ago
Was doing some digging into "What's New" in Server 2025 (learn.microsoft.com/en-us/window...), specifically the changes to pre-2k machines. Oddvar and I had spoken previously about the changes being solid and demonstrated pre-created machines in ADUC could no longer be set with a default password.