Logan Goins's Avatar

Logan Goins

@logangoins

Adversary Simulation @specterops.io

22
Followers 29
Following 1
Posts 25.07.2025
Joined
Posts Following

Latest posts by Logan Goins @logangoins

Preview
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP - SpecterOps During automatic client push installation, an SCCM site server automatically attempts to map WebDav shares on clients, starting WebClient when installed.

SCCM client push strikes again for hierarchy takeover!

@logangoins.bsky.social just dropped a new blog showing how WebClient doesn't need to be already running on site servers to coerce HTTP (WebDav) auth & enable NTLM relay to LDAP for SCCM takeover

Read more: ghst.ly/3Z9Gbu6

14.01.2026 21:38 πŸ‘ 5 πŸ” 3 πŸ’¬ 0 πŸ“Œ 0
Preview
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP - SpecterOps During automatic client push installation, an SCCM site server automatically attempts to map WebDav shares on clients, starting WebClient when installed.

Just released a new @specterops.io blog! I discovered that during client push in SCCM env's it's possible to remotely start WebClient and coerce HTTP from site servers for a relay to LDAP resulting in hierarchy takeover when WebClient is installed! 🫠

specterops.io/blog/2026/01...

14.01.2026 18:43 πŸ‘ 3 πŸ” 1 πŸ’¬ 0 πŸ“Œ 0
Preview
Catching Credential Guard Off Guard - SpecterOps Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.

Credential Guard was supposed to end credential dumping. It didn't.

Valdemar CarΓΈe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.

Read for more: ghst.ly/4qtl2rm

23.10.2025 17:45 πŸ‘ 17 πŸ” 10 πŸ’¬ 0 πŸ“Œ 0
Preview
The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique - SpecterOps After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still abu...

Patching one technique doesn't close the entire attack vector.

dMSA abuse is still a problem, and @logangoins.bsky.social
just dropped a reality check with new tooling to prove it.

Learn more about the issue & the new BadTakeover BOF. ghst.ly/42POg9L

20.10.2025 16:54 πŸ‘ 3 πŸ” 3 πŸ’¬ 0 πŸ“Œ 0
Preview
Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP - SpecterOps TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to LD...

Trying to fly under EDR's radar?

@logangoins.bsky.social explains how to use HTTP-to-LDAP relay attacks to execute tooling completely off-host through the C2 payload context. Perfect for when you need LDAP access but want to avoid being caught stealing creds. ghst.ly/41mjMv7

22.08.2025 18:24 πŸ‘ 5 πŸ” 2 πŸ’¬ 0 πŸ“Œ 0