Adversary Simulation @SpecterOps

Joined April 2024
Pinned Tweet
Just released a new @SpecterOps blog! I discovered that during client push in SCCM env's it's possible to remotely start WebClient and coerce HTTP from site servers for a relay to LDAP resulting in hierarchy takeover when WebClient is installed! 🫠 specterops.io/blog/2026/01/1…
Logan Goins retweeted
Registration for training at #BHUSA 2026 is officially open, and we are bringing a full slate of adversary-focused courses to Las Vegas. 🎰 Early reg. pricing ends May 22, so now is the time to lock in your seat. 🧵 Links to each course ⤵️
Logan Goins retweeted
Yes! We have a library of other scenarios and testing ranges available as well. I'm happy to talk through what we offer whenever you'd like. Linking our 2-pager on that service below: specterops.io/wp-content/upl…

Logan Goins retweeted
CopyFail (CVE-2026-31431) in Go. In case you want to get root from a static binary without Python as a dependency. github.com/badsectorlabs/cop…
Just added krb5 auth over ADWS in my tool SOAPy. I noticed since SOAPy released 2 yrs ago with the first ADWS python code nobody had implemented krb5 auth in python. Check it out here, and stay tuned for an upcoming blog post big release 👀 github.com/logangoins/SOAPy/
Logan Goins retweeted
Tired of fighting K8s for security research? Spin up K8s environments in @badsectorlabs' Ludus with: * Falco Grafana/Loki detections * @SpecterOps' Mythic C2 callbacks * @grahamhelton3's nodes/proxy RCE demo * Common misconfigs out of the box github.com/heilancoos/ludus_…
Logan Goins retweeted
New Titanis release => github.com/trustedsec/Titani… The new Dsrep lets you dump secrets from AD, Ldap supports queries for DNS records and timestamp conversions, Dcom supports dotted-property notation, along with other enhancements and fixes.
Logan Goins retweeted
A debate in the BloodHound Slack: can you attribute the originating host from an ADWS query? 🤨 Challenge accepted. Part 5B continues the ADWS blind spot: Event 5156 recovers the attacker’s real IP in ~60ms. 🕵️ Check out my latest post… huntress.com/blog/ldap-activ…
Logan Goins retweeted
SCCM is everywhere, but realistic testing environments aren’t. In his latest blog post, @_Mayyhem expands on work by @synzack21 and @badsectorlabs with a Ludus-based SCCM lab for research and attack path testing. Read more ⬇️ ghst.ly/4bYltDo
Logan Goins retweeted
I added an SCCM central admin site, child site, passive site server, secondary site, and remote system roles to @synzack21 and @badsectorlabs Ludus lab so you can skip the manual deployment. It's vuln to almost every technique in Misconfiguration Manager. specterops.io/blog/2026/04/0…
Logan Goins retweeted
Every Entra ID assessment ends here: “How do I get a token without triggering Conditional Access controls?” 🤔 @rbnroot built CAPSlock, an offline ROADrecon-based Conditional Access engine that simulates sign-ins & flags gaps without touching the tenant. ghst.ly/4aKIk64
Logan Goins retweeted
Introducing BloodHound Scentry: BloodHound Enterprise SpecterOps experts working alongside your team to eliminate attack paths and accelerate APM. Level 0 → Level 3 maturity in ~6 months. Not theory. Tradecraft. 🎯 Learn more ➡️ ghst.ly/bhscentry-tw
I ended up quickly modifying ntlmrelayx to support these changes so that relays to LDAP are possible again, thanks y'all for your hard work on figuring this out! You can find the changes here: github.com/logangoins/impack…
🚀Our tool keycred for KeyCredentialLinks and Shadow Credential attacks now works with updated domain controllers again! It turns out, Microsoft violated their own specs. Try it out: github.com/RedTeamPentesting…
Logan Goins retweeted
🚨Introducing EventHorizon!🚨 A framework built to arm researchers with customizable ETW telemetry and sigma-like detection and response rules! It allows you to easily retrieve ETWTI telemetry, all with a simple msi installer and included wiki. github.com/HullaBrian/EventH…
Logan Goins retweeted
Still running MDT? As of Jan 6, 2025, it’s unsupported and unpatched. In this post, @unsigned_sh0rt shows how attackers can locate MDT/WDS (even unauthenticated) and chain issues into credential risk. Defenses included. Read more ⤵️ ghst.ly/49UHoeW
Logan Goins retweeted
I found unauthenticated bugs in MDT that can be abused to coerce authentication from the host server or to leak creds stored in the deployment share's rules file. Instead of fixing the issues, Microsoft retired MDT. specterops.io/blog/2026/01/2…
Logan Goins retweeted
RIP SCCM hierarchy TAKEOVER-5: learn.microsoft.com/en-us/in… github.com/subat0mik/Misconf… It's a good idea to upgrade to 2509 ASAP, sysadmin friends! There's no other mitigation if you have an SMS Provider hosted remotely from the site server AFAIK.