Researcher @SpecterOps. Coding towards chaotic good while living on the decision boundary.

Seattle, WA
5 months ago @tifkin_ and I started looking into the security of Active Directory Certificate Services. Today we're releasing the results of that research- a blog post posts.specterops.io/certifie… + a 140-page whitepaper and defensive audit tool (links at the top of the post) [1/6]
32
630
1,305
Active Directory forests are no longer a security boundary thanks to @tifkin_'s printer bug. Check out posts.specterops.io/not-a-se… for weaponization and mitigation details and @Cyb3rWard0g's post for detection guidance posts.specterops.io/hunting-…
18
774
1,184
So excited - here's my updated "Guide to Attacking Domain Trusts" posts.specterops.io/a-guide-… ! Was a blast to write
11
585
932
In case you were worried
8
80
635
Y’all knew it was just a matter of time : ) PowerShell is definitely a "gateway drug" to C# - GhostPack is a collection of new security tools (currently C#) details at posts.specterops.io/ghostpac… , code live at github.com/GhostPack
27
373
640
Hey, do you like tokens? Have you always wanted to "harvest" tokens for offensive purposes? If so check out my new post posts.specterops.io/koh-the-… where I show I can (finally) write a technical post without memes, and then check out the Koh toolset at github.com/GhostPack/Koh
14
255
546
"Operational Guidance for Offensive User DPAPI Abuse" posts.specterops.io/operatio… documenting some of the ways to use Mimikatz to play with DPAPI. Thanks @gentilkiwi for all the awesome features! :)
4
332
490
The offensive security community means a lot to me. Following @Antonlovesdnb's great thread that injected some much needed infosec positivity, I wanted to highlight a few (offensive-ish) posts/talks that my team and myself enjoyed over the last year or so.
4
206
476
Mad props to Microsoft for taking this very very seriously! techcommunity.microsoft.com/… Reminder that on July 9 things flip, disallowing delegated TGTs across forest trust boundaries by default. This is an awesome fix for the issue that @tifkin_ and I discovered, hats off 👍
4
193
465
Finally the end of a very fun ride- I've merged Dev to Master for PowerSploit and marked the project as no longer supported. Offensive PowerShell was how I started my career, and I owe @obscuresec and @mattifestation a debt of gratitude for bringing me in. [1/3]
9
92
446
Over the last year @tifkin_ and I rewrote GhostPack's Seatbelt from the ground up. Highlights- completely modularized, nearly 2x increase in checks, remote enumeration options, and structured output. Complete changelog at github.com/GhostPack/Seatbel… , code at github.com/GhostPack/Seatbel…
20
204
440
The slides for my @DerbyCon talk "Kerberoasting Revisited" are up at slideshare.net/harmj0y/derby… . Thanks to everyone who came out!
5
187
410
Have a big post dropping tomorrow, probably one of the more important things I’ve written so far in my career. Should be fun :)
27
49
387
I promise I'm not dead! New blog: "Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy" harmj0y.net/blog/redteaming/…
9
274
366
Hey, I heard you like creds! You might like this adaptation of some of @gentilkiwi's DPAPI Mimikatz work: github.com/GhostPack/SharpDP… ("Troopers Edition"). Unfamiliar with DPAPI? Check out harmj0y.net/blog/redteaming/… . Also, @gentilkiwi was right:
1
174
347
[blog] "The PowerView PowerUsage Series #1" - the start to a series of operationally-focused PowerView posts posts.specterops.io/the-powe…
2
225
320
Finally finished drafting my "Guide to Attacking Domain Trusts" post. At 8000+ words, not sure if anyone will read it, but out next week :)
20
42
316
@tifkin_ and I give you "Certificates and Pwnage and Patches, Oh My!" posts.specterops.io/certific… . We clarify some misconceptions we had about AD CS, explain the KB5014754 patch and its implications, and detail some of the awesome AD CS work from people like @ly4k_ . Enjoy!
7
175
311
Nothing revolutionary, but revisiting one of our favorite TTPs in depth, explaining some of the "weird" behavior we've seen in the last few years. Includes details on recent Rubeus kerberoasting enhancements! posts.specterops.io/kerberoa…
4
153
305
[Blog] "Hunting With Active Directory Replication Metadata" posts.specterops.io/hunting-… hunting for malicious attack primitives w/ repl metadata
3
223
302
[blog/tool] "From Kekeo to Rubeus" posts.specterops.io/from-kek… - my journey in reimplementing various aspects of @gentilkiwi's #kekeo project. Code is live at github.com/GhostPack/Rubeus !
6
221
295
Good news everyone! Rubeus 2.0 is coming _very_ soon, with massive improvements and new features from @exploitph and @_EthicalChaos_ . They've worked hard to bring us all some new fun :)
4
68
288
[blog] "A Case Study in Attacking KeePass" harmj0y.net/blog/redteaming/…
13
240
269
Just released SharpDPAPI v 1.6.0. Landed @lefterispan's PR to incorporate /password:X for masterkey decryption, and integrated the new Chrome v80+ AES key stuff from @djhohnstein's SharpChrome project. Chrome triage is back on the table! github.com/GhostPack/SharpDP…
2
124
281
"Kerberoasting Without Mimikatz" harmj0y.net/blog/powershell/… … Kerberoasting background and details on @machosec's sweet PowerView pull request!
1
267
273
I've been working on machine learning for a while now. After two years, I think I'm finally starting to (maybe) emerge from the "Valley of Despair". Should have some fun stuff coming out soon!
16
23
263
@tifkin_ and I are super excited to present "Certified Pre-Owned: Abusing Active Directory Certificate Services" at BlackHat USA 2021 this year! blackhat.com/us-21/briefings…
9
88
269
Really happy with how our @SpecterOps course challenge coins turned out!
14
19
270
For anyone interested, SharpDPAPI/SharpChrome have had some recent mods, including KeePass ProtectedUserKey.bin decryption, a revamp for certificate extraction (including CNG support), and lots of usability updates. Changelog (as always) at github.com/GhostPack/SharpDP…
2
107
263
Rubeus 1.6.0 is out! I had pretty much nothing to do with the new functionality- all @exploitph and @_EthicalChaos_'s awesome work. Writeup on changes at github.com/GhostPack/Rubeus/… . More detail on @exploitph's #opsec changes is at github.com/0xe7/Talks/blob/m…
1
107
261
This is an amazing thread for anyone interested in AD and/or kerberos!
[thread 🧵] Kerberos basics & (ab)use of Certificates within Active Directory (i.e. AD CS and PKINIT) - Kerberos 101 - Pass-the-Certificate - UnPAC-the-Hash - Shadow Credentials - AD CS escalation (ESC1 to ESC8) (Links and credits at the end)
2
75
250
@tifkin_ and myself are happy to announce Seatbelt 1.1.0 ! Various fixes and 10 new modules means we've passed the 100 module mark. Full changelog at github.com/GhostPack/Seatbel…
1
112
245
Tomorrow morning @tifkin_ and I are releasing something we've been working on for over 5 months. We're proud of the work and excited to help shed some more light on the security of Active Directory Certificate Services!
3
45
245
Nothing fancy, but dug this out of the archives in case anyone else needs to PTH to RDP github.com/GhostPack/Restric… . tl;dr uses the StdRegProv WMI class to enable Restricted Admin Mode on a remote system you have admin on. The code isn't great but it's functional 👍
3
74
235
"Command and Control Using Active Directory" harmj0y.net/blog/powershell/… with PoC code at gist.github.com/HarmJ0y/a219…
4
196
226
"Another Word on Delegation" posts.specterops.io/another-… - abusing resource-based constrained delegation to take over computer objects. Thanks to @elad_shamir for the idea and Rubeus addition!
1
165
230
The detailed breakdown of the remote reg DACL modification work from @tifkin_, @enigma0x3, and myself - "Remote Hash Extraction On Demand Via Host Security Descriptor Modification" posts.specterops.io/remote-h…
3
156
228
"The Most Dangerous User Right You (Probably) Have Never Heard Of" harmj0y.net/blog/activedirec… a follow on to the constrained delegation post
5
187
224
Thank you @WEareTROOPERS for another amazing experience! The slides for @tifkin_'s and my "Not a Security Boundary: Breaking Forest Trusts" talk are up at slideshare.net/harmj0y/not-a…, demo video at piped.video/watch?v=NNoQGA9G…, blog at harmj0y.net/blog/redteaming/…
118
224
Few goodies for everyone today- first a PowerSploit cheat sheet github.com/HarmJ0y/CheatShee…
3
148
224
The third post in my adversarial ML series "Learning Machine Learning Part 3: Attacking Black Box Models" is now up at posts.specterops.io/learning… and the Invoke-Evasion repo has been updated with the associated Jupyter notebooks/samples github.com/GhostPack/Invoke-…
2
94
211
[blog] a bit of a niche topic, but here's "A Pentester’s Guide to Group Scoping" harmj0y.net/blog/activedirec…
2
153
218
thinking of releasing Azure build scripts to create the reference trust architecture used in my "Guide to Attacking Domain Trusts" post posts.specterops.io/a-guide-… - any interest?
34
62
225
The second post in my "PowerView PowerUsage" series, mapping computer shortnames with the global catalog posts.specterops.io/the-powe…
126
210
Thank you so much to @x33fcon and its organizers for an awesome experience! @tifkin_ and I had a blast talking about the new Nemesis 2.0 rewrite (code live at github.com/SpecterOps/Nemesi… !) and hope to be back next year #x33fcon
3
66
218
20,844
the updated slides for @_wald0's and my @BlackHatEvents/@defcon presentation "An ACE Up the Sleeve" are now up at slideshare.net/harmj0y/ace-u…
2
140
212
The fourth post in my "PowerView PowerUsage" series posts.specterops.io/the-powe… - covers enumerating cross-trust DACLs/ACEs
1
159
202
Thanks for the warm welcome @Sp4rkCon ! The slides for @tifkin_ , @enigma0x3, and my presentation "The Unintended Risks of Trusting Active Directory" are now up at slideshare.net/harmj0y/the-u…
2
118
205
I usually don't share a lot of personal details on Twitter- this past fall my mom died from a rare brain disease and the @ASPCA was one of her favorite causes. Andy/the BH team let me choose them for the charity drive in her honor. Thank you to all who grab a shirt <3
The #BloodHoundEnterprise team presents: #BloodHound 4.1! Highlights for this release in this thread 🧵: With this release, we are selling this limited edition BloodHound shirt. All profits from the sales of this shirt will be donated to the @ASPCA: customink.com/fundraising/bl…
21
25
200
In case you missed it, @tifkin_ and I recently rolled up changes for Seatbelt into a 1.2.0 release with details in the CHANGELOG at github.com/GhostPack/Seatbel… . Definitely have some fun new things, thanks to everyone who contributed!
2
83
199
"Building an EmPyre with Python" harmj0y.net/blog/empyre/buil… - a Python-based Empire-like agent with a focus on OS X post-exploitation
9
166
187
I know I haven't blogged for a bit, but I promise @tifkin_, @0xdab0, and I have been working on something cool! This is the first blog in a series on the problem set we've been tackling, leading up to what we've built to address it - "On (Structured) Data" posts.specterops.io/on-struc…
9
68
189
30,693
Wheels down in Vegas, not sure we brought enough stickers :)
17
18
186
It's almost here! @tifkin_ and I will finally be releasing Certify (for AD CS misconfig abuses) and ForgeCert (for "golden" forged certificates) during the virtual session at #BHUSA Wednesday of our "Certified Pre-Owned" talk! blackhat.com/us-21/briefings…
3
57
189
GUYS, THIS IS WHO I GET TO WORK WITH EVERYDAY specterops.io/who-we-are/the… AND RAPHAEL MUDGE IS MY BOSS, I DON’T KNOW HOW THIS HAPPENED
20
21
177
It's a big day- @tifkin_, @0xdab0, and I are proud to announce that Nemesis 1.0.0 has landed! We have a ton of awesome new features and a streamlined installation, check out the details at posts.specterops.io/nemesis-… and the code at github.com/SpecterOps/Nemesi…
1
59
185
17,642
"A Case Study in Wagging the Dog: Computer Takeover" posts.specterops.io/a-case-s… - another example of @elad_shamir's recent resource-based constrained delegation work!
1
99
185
note to anyone I chatted with in Vegas- pdfs of cheatsheets for PowerView/PowerUp/PowerSploit/Empire/Beacon are at github.com/HarmJ0y/CheatShee…
2
137
168
Proud to announce that I've been renewed as a Microsoft MVP!
13
2
176
[Blog] Roasting AS-REPs harmj0y.net/blog/activedirec… how to abuse accounts w/o Kerberos preauth enabled, basic toolset at github.com/adaptivethreat/AS…
2
133
170
“I sometimes resort to using Mimikatz as my password manager” - @tifkin_
2
27
170
My second post in my adversarial ML series "Learning Machine Learning Part 2: Attacking White Box Models" is now up at posts.specterops.io/learning… and the Invoke-Evasion repo has been updated with the Jupyter notebooks/samples from the post github.com/GhostPack/Invoke-…
3
68
172
I love working with people smarter than myself who are convinced they are surrounded by people smarter than themselves, keeps ya grounded
4
52
163
I finally landed @exploitph's new `nopac` Rubeus goodness landed in master! Check out his writeup at exploit.ph/cve-2021-42287-cv… if you haven't already 👍
55
171
The slides from my @BlueHatIL talk "The Travelling Pentester: Diaries of the Shortest Path to Compromise" are up at slideshare.net/harmj0y/the-t…
2
131
169
So long PowerSploit, and thanks for all the shells. [3/3]
13
7
162
Version 0.2.0 of Seatbelt, summary of changes at github.com/GhostPack/Seatbel… . A few fun new goodies!
2
79
156
"The Empire Strikes Back" - details on the Empire 2.0 beta released at @DerbyCon harmj0y.net/blog/empire/the-…
157
156
Pushed a new Rubeus release after getting some additional feedback from our most recent AT:RTO students. The full changes are detailed here github.com/GhostPack/Rubeus/… . To highlight a few new features- "/nowrap" globally prevents base64 blobs from line-wrapping, (1/4)
2
81
160
[Blog] "Offensive Encrypted Data Storage (DPAPI edition)" posts.specterops.io/offensiv… nothing too fancy, but might be interesting to some
2
104
154
Very cool Kerberoasting implementation using LsaCallAuthenticationPackage, all through a macro github.com/Adepts-Of-0xCC/VB…
3
50
157
I've built out a series of cheat sheets for PowerView, PowerUp, and Empire harmj0y.net/blog/redteaming/… PDFs at github.com/HarmJ0y/CheatShee…
116
154
The demo videos from @tifkin_ , @enigma0x3 , and my #DerbyCon2018 talk "The Unintended Risks of Trusting Active Directory" are up at piped.video/ZnOfevedJrU and piped.video/tLPJkh_GcPQ , and the video recording is at piped.video/-bcWZQCLk_4
85
153
Where My Admins At? (GPO Edition) harmj0y.net/blog/redteaming/… aka enumerating what users have admin rights where with only DC communications
3
130
148
I missed this post when it first dropped exploit.ph/strange-case-of-t… but it's a really neat trick! Why is this useful? Say you're in domain A, and A -external_trust-> B -any_trust-> C. Because external trusts don't have transitivity, you can't query/kerberoast/etc. domain C [1/4]
1
51
153
Happy Friday! @tifkin_ and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/Nemesi…
5
37
146
11,903
the next in the "PowerView PowerUsage" series posts.specterops.io/the-powe… searching for abusable GPOs in a foreign domain
1
100
146
By @tifkin_ and @Ne0nd0g's request, just pushed a "triage" command to let you easily triage servers with a lot of tickets. Can filter by /luid:X, /user:USER, or /service:KRBTGT github.com/GhostPack/Rubeus#… . Less detail than the "klist" cmd, but easier to handle for lots of results
1
67
140
In my first foray into what @moo_hax terms "Offensive ML", I took at shot at data mining documents for passwords using deep learning. You can read about the approach at posts.specterops.io/deeppass… and can find the notebook + Dockerized model at github.com/GhostPack/DeepPas…
2
56
137
One more new feature for Rubeus 1.2.0 - MS kpasswd resets a la ArotoPW github.com/GhostPack/Rubeus/… … Post on all the new fun at posts.specterops.io/rubeus-n… … Thanks again for #kekeo @gentilkiwi! <3
92
142
The follow up to our "On (Structured) Data"  post is now up, "Challenges In Post-Exploitation Workflows" posts.specterops.io/challeng… . We cover a number of common workflow challenges and briefly introduce the solution @tifkin_, @0xdab0, and I have been working on: Nemesis! 1/3
3
63
133
19,514
Sidenote for anyone interested, instructions on using Rubeus as a library and/or running Rubeus through PowerShell are now up on the README.md github.com/GhostPack/Rubeus/…
54
133
Thanks to everyone who attended @tifkin_'s and my "Certified Pre-Owned" sessions! The slides are on the BH website as well as SlideShare slideshare.net/harmj0y/certi… , code is on github.com/GhostPack/
52
134
In case you missed it, @exploitph and @4ndr3w6S just released some _awesome_ work that just landed into Rubeus' master branch- "Diamond Tickets"! Check out more details at semperis.com/blog/a-diamond-…. Great work Charlie and Andrew!!
3
59
132
Slides and demo commands from my @44CON talk "Trusts You Might Have Missed" are up at slideshare.net/harmj0y/trust… and gist.github.com/HarmJ0y/5837…
2
113
131
Just wanna say how awesome @_xpn_'s blog is (blog.xpnsec.com/), been really enjoying the posts! Definitely worth a read if you haven't checked it out
1
33
133
To continue, @_xpn_'s entire blog. The breadth and depth of Adam's work is truly amazing, but if I had to pick a favorite recent post(s) it would be his articles on Mimikatz internals: blog.xpnsec.com/exploring-mi… and blog.xpnsec.com/exploring-mi…
2
30
128
on PowerView's recent ground-up refactor harmj0y.net/blog/powershell/…
7
112
127
Finally got des_cbc_md5 and aes128_cts_hmac_sha1 support fully integrated into Rubeus so @gentilkiwi would stop being disappointed in me :) Also have some recent Kerberoasting modifications I'll be blogging about soon! github.com/GhostPack/Rubeus/…
1
44
126
The BloodHound slack (bloodhoundgang.herokuapp.com…) isn't just BloodHound- we have rooms for Aggressor, CrackMapExec, PowerView, and more!
3
42
120