Logan Goins
@logangoins.bsky.social
Adversary Simulation @specterops.io
Reposted by Logan Goins
Credential Guard was supposed to end credential dumping. It didn't.

Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.

Read for more: ghst.ly/4qtl2rm
Catching Credential Guard Off Guard - SpecterOps
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
October 23, 2025 at 5:45 PM
Reposted by Logan Goins
Patching one technique doesn't close the entire attack vector.

dMSA abuse is still a problem, and @logangoins.bsky.social just dropped a reality check with new tooling to prove it.

Learn more about the issue & the new BadTakeover BOF. ghst.ly/42POg9L
The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique - SpecterOps
After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still abu...
October 20, 2025 at 4:54 PM
Reposted by Logan Goins
Trying to fly under EDR's radar?

@logangoins.bsky.social explains how to use HTTP-to-LDAP relay attacks to execute tooling completely off-host through the C2 payload context. Perfect for when you need LDAP access but want to avoid being caught stealing creds. ghst.ly/41mjMv7
Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP - SpecterOps
TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to LD...
August 22, 2025 at 6:24 PM