This article explores a novel attack technique that combines Ghost SPNs and Kerberos reflection to elevate privileges on SMB servers, highlighting a critical gap in traditional detection methods.
It details how attackers can exploit stale or misconfigured Service Principal Names (SPNs) in Active Directory—termed "Ghost SPNs"—to manipulate Kerberos authentication and reflect service tickets back to the SMB server, gaining elevated access. The technique bypasses common defenses like LDAP filtering and SPN hygiene, making it stealthy and potent. Semperis emphasizes the need for proactive detection strategies and shares insights into identifying vulnerable configurations and mitigating the threat.
semperis.com/blog/exploiting…
AdminSDHolder is kinda my jam. I wrote the e-book on it. If you work with Active Directory, I highly recommend you give this a skim, or at least check the spoilers in the blog.
AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬
@JimSycurity went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs.
Read more ⤵️
ghst.ly/3Lpmjzv
🚨Detect Actor Token Abuse (#CVE-2025-55241)
After verifying the details with @_dirkjan, I created a query to detect Actor Token abuse, regardless of the activity involved. The idea is simple: If these activities are S2S, they should originate from Microsoft service IPs. 🧐
Link to query:
github.com/Cyb3r-Monk/Threat…
AD recovery is no simple fix; it’s a high-stakes strategy. The right prep, automation, and testing separate organizations that recover fast from those that crumble. Learn how leaders prepare before disaster strikes with @Semperis + Cohesity: cohesity.co/41Lm6fq #CyberResilience #ActiveDirectory #DataProtection
Getting ready for my "Domain Controller Firewall: Fact or Fiction" session at #HIPConf25, focusing on the Infrastructure as Code (IaC) approach to Windows Firewall policy management, RPC filters, outbound traffic, hybrid environment challenges, and network service discovery.
🚨 Fortinet RCE: There's a new critical vulnerability in #FortiSIEM.
CVE-2025-25256 allows for unauthenticated #RCE attacks, allowing an attacker to gain complete control over the affected system. This includes accessing sensitive data, modifying or deleting system resources, and potentially installing malware or creating backdoors.
Horizon3.ai customers are now able to run a Rapid Response test — if you haven't, confirm you're not exploitable at horizon3.ai/attack-research/…. #NodeZero #pentesting #infosec
ICYMI: Was just perusing the latest CrowdStrike 2025 Threat Hunting report (crowdstrike.com/en-us/resour…) and check this wild timeline for Scattered Spider - from account takeover to Entra ID bulk user export in <5 minutes 👀
6 places I check when I'm reviewing a company's external footprint and tech stack to get a basic understanding of the architecture:
1. aadinternals.com/osint
2. dnsdumpster.com
3. virustotal.com
4. crt.sh
5. LinkedIn
6. Careers
Go check these things to see what others look at. It usually takes me less than 1 hour.
This article is really interesting to me:
red.anthropic.com/2025/cyber…
What if the most pressing security problem to solve with LLMs is how to defend against attackers using them to perform relatively repeatable attacks (e.g. install ransomware on low-to-mid defended environments)?
Launching now — a new blog for research from @AnthropicAI’s Frontier Red Team and others.
> red.anthropic.com
We’ll be covering our internal research on cyber, bio, autonomy, national security and more.
Today, together with Jonathan Elkabas, we're releasing EntraGoat - A Deliberately Vulnerable Entra ID Environment.
Your own hands-on Entra lab for identity attack simulation.
Built for red teams, blue teams and identity nerds.
Check it out here 👉 github.com/semperis/entragoa…
Ransomware threats are going offline — literally.
Our new 2025 Global Ransomware Report shows cybercriminals are now threatening physical harm to victims who don't pay up.
This isn’t just cyber risk — it's personal risk.
🔗 theregister.com/2025/07/31/r…
Ransomware Attacks Escalate to Physical Threats Against Executives ift.tt/sBTXYK2 Semperis found that executives were physically threatened in 40% of ransomware incidents, in a bid to pressure victims to pay demands
Heading to #BlackHatUSA? Don’t miss EntraGoat—a vulnerable Microsoft Entra ID environment built for testing real-world misconfigs and attack paths.
Presented by @SemperisTech researchers Tomer Nahum & Jonathan Elkabas
#BHUSA