Daniel Heinsen (@hotnops)'s Twitter Profile
Daniel Heinsen

@hotnops

doin thangs @specterops

ID: 1237387084899516416

Link: https://github.com/hotnops/ | Date: 10-03-2020 14:38:12

257 Tweet

1,1K Followers

305 Following

Matt Fuller (@matthewdfuller)

Inspired by this topic, I hacked together a little feature that lets you quickly preview a diff of the associated SCP changes when moving an AWS account/OU to a new parent. Hopefully helps save folks a few unexpected "Access Denied" errors!

Cody Thomas (@its_a_feature_)

The Mythic 3.3 Beta just dropped! All sorts of new features including a new Eventing System, more container types, more developer features, better sleep tracking features, and even SSO possibilities! posts.specterops.io/mythic-3-3-bet… Check it out!

Clint Gibler (@clintgibler)

👀 AWS OIDC Provider Enumeration Rami McCarthy built a PoC that enumerates AWS account IDs that have the GitHub Actions OIDC provider configured, leveraging the known_aws_accounts repository → Identified 34 accounts across 29 vendors ramimac.me/oidc-provider-…

Elad Shamir (@elad_shamir)

Check out my latest blog post, "The Security Principle Every Attacker Needs to Follow", in which I lay the foundation for a framework for discovering attack paths, including those that BloodHound can't find yet. posts.specterops.io/the-security-p…

Tal Be'ery (@talbeerysec)

1/ A world first reverse engineering analysis of AWS Session Tokens. Prior to our research these tokens were a complete black box. Today, we are making it more of a glass box, by sharing code and tools to analyze and modify AWS Session Tokens. medium.com/@TalBeerySec/r…

Jared Atkinson (@jaredcatkinson)

🧵 Yesterday Microsoft released a post describing CVE-2024-37085, a vulnerability in ESXi hypervisors. According to the disclosure, a low-privilege user can gain "full administrative access" to domain-joined ESXi hypervisors. microsoft.com/en-us/security…

Merill Fernando (@merill)

Something new I'm hacking together. Can't wait to share it... Graph PowerShell → Duck DB → Awesome sauce All running locally on your desktop 😍 Cost: $0

Nick Powers (@zyn3rgy)

[Tool & Blog release] - smbtakeover, a technique to unbind/rebind port 445 without loading a driver, loading a module into LSASS, or rebooting the target machine. The goal is to ease exploitation of targeted NTLM relay primitives while operating over C2. Github repo is linked at

SpecterOps (@specterops)

Join us at #SOCON2025, happening March 31-April 1, for two days all about Attack Path Management. Register today to get 50% off and learn about our CFP, opening Oct. 1st! 👉 specterops.io/so-con-2025/

Chris Thompson (@_mayyhem)

Just wrapped up DEF CON Demo Labs and published Maestro, a new tool for lateral movement with Intune from C2. Thanks to everyone who came to check it out! I'll be posting a blog and wiki with more info soon, but here's the code and link to today's slides: github.com/Mayyhem/Maestro

Daniel Heinsen (@hotnops)

PSA: Apeman exposes a Neo4J panel under the hood. Here is a query to detect roles that are vulnerable to the Amplify vulnerabilities that Nick Frichette presented at Blackhat. Gist here: gist.github.com/hotnops/a1d4ab…

Daniel Heinsen (@hotnops)

Is it just me, or does every Entra application registration client secret have a tilde at the fifth index? Is it always 40 characters? Anyone else notice this?

Forrest Kasler (@fkasler)

This is the last of my phishing series! It's a recap and reference for the whole thing. Hope it was as fun to read as it was to write:

Nick Frichette (@frichette_n)

A new undocumented AWS STS API popped up! "sts:AssumeRoot". It requires you to hit an (AFAIK) undocumented endpoint but they are allow listing accounts so you can't do anything with it. AWS is definitely cooking up something interesting!

Daniel Heinsen (@hotnops)

Awesome blog post about a career at SpecterOps. Feel free to reach out to me directly if you have any questions at all. You can DM me here or on the Bloodhound slack.