NTLM relays failing because of EPA? 😒
Nick Powers & @tw1sm.bsky.social break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable.
Check out their blog for more: ghst.ly/4rqwpRs
Posts by Matt Creel
NTLM relay research is evolving!
Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.
Grab your spot → ghst.ly/oct-web-bsky
Had some fun with PDQ Deploy/Inventory credential decryption and wrote about it here: unsigned-sh0rt.net/posts/pdq_cr... Thanks to @dru1d.bsky.social for writing a BOF out of the PoC.
tl;dr get admin on PDQ box, decrypt privileged creds
Celebrating 1 year at SpecterOps. This was the first project I worked on after starting: looking at SQL Server Transparent Data Encryption, how to brute-force weak keys, and how ManageEngine's ADSelfService product uses TDE with a suspect key. Enjoy :) specterops.io/blog/2025/04...
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! 📖
medium.com/specter-ops-...
Dig through this timeline and you'll figure out what I'm here to do. I spoke to a commercial leader in the offensive security space last year. My words: you're fucking it up.
What I didn't say: I feel compelled, even though I DON'T want the bullshit, to try and fix it.
What does all of this mean?
Worked through the CloudBreach Breaching AWS course and exam over the last two weeks. Didn't see a ton of info out there on it prior to buying the course so wrote a small review with my thoughts blog.tw1sm.io/p/breaching-...
Cool to see another AD enum method bridge BH compatibility with bofhound! 🦾
Was doing some digging into "What's New" in Server 2025 learn.microsoft.com/en-us/window... specifically the changes to pre-2k machines. Oddvar and I had spoken previously about the changes being solid, and demonstrated that pre-created machines in ADUC could no longer be set with a default password.