spencer
@techspence
Followers
9K
Following
93K
Media
2K
Statuses
33K
pentester | sysadmin in rehab | AD Security Connoisseur | Ethical Threat | offsec @securit360 | host @cyberthreatpov | SWAG https://t.co/PmxR82aMJF
Bob Ross Mountain Range
Joined November 2010
Sysadmins, don’t do this. If your boss tells you to, still don’t.
83
130
2K
The new year is almost here, don’t forget to add the following to your password cracking/spraying lists:. Spring2024.Spring2024!.Summer2024.Summer2024!.Winter2024.Winter2024!.Fall2024.Fall2024!.Password2024.Password2024!.Companyname2024.Companyname2024!.
41
265
2K
Documentation is probably one of THE MOST underestimated SKILLS in all of IT/Security. .
67
218
1K
Active Directory hardening blog post series, like a boss, by Jerry Devore. Posting this so I can reference it later!. Disabling NTLMv1 ..Removing SMBv1 ..Enforcing LDAP Signing -. Enforcing AES for Kerberos.
16
315
1K
How to make pentesters cry. Run PingCastle/PurpleKnight, Locksmith, and ScriptSentry in your environment and fix all the critical issues before your next pentest. I promise you. they will be weep.
25
142
1K
Scare a sysadmin in six words or less. I’ll go first…. Did you take a backup first?.
433
53
1K
How to *never need an internal pentest ever again:. run pingcastle, scriptsentry, locksmith, adeleginator in your environment and fix the issues that are found. *almost.
21
84
1K
I will use this responsibly… I will use this responsibly… I will use this responsibly…
37
40
1K
From Microsoft’s digital defense report, ransomware section. Unmanaged devices is literally crippling organizations
Securing windows endpoints is a full-time job. .
29
129
880
Oh you’re a sysadmin?. Name every system in your environment.
148
44
845
I did a pentest recently where the client had a hardened endpoints, app control, edr & mdr, custom alerts they created themselves, good hygiene, tiered admin accounts, etc. I wish I could talk about all the awesome stuff they were doing. I think part of why offensive security.
36
68
846
Active Directory is hard. Managing permissions is hard. It's even more difficult when you factor in:. - numerous sysadmins.- dozens of GPOs.- tens of dozens of security groups.- thousands of user and computer objects.- certificates.- shares permissions and ntfs permissions.
34
80
786
The fabulous four!
What’s your favorite security tool?.
4
114
786
You're hired as a Senior Sysadmin at an organization. The team is small, 10 people total. You also are responsible for "security" because, well, because. What's the first 3-5 things you're doing to get comfortable with the team, the environment and infrastructure?.
172
42
734
🧵Pentesting from windows is sometimes like. Step 1. Login.Step 2. Open Explorer.Step 3. Open file share.Step 4. Search file share for “vmdk”.Step 5. Download the sam system and security hive using volumiser (cc @_EthicalChaos_).Step 6. Extract hashes with secretsdump. 1/3.
7
87
687
Modern day vulnerability management is great at finding a whole bunch of stuff that doesn’t matter that makes IT teams deprioritize stuff that actually matters in order to drive down a number to show artificial risk reduction.
I think in many ways vulnerability scanners have done more harm than good.
49
103
663
My goto AD toolbelt:. PowerView (custom).PrivescCheck (custom).PingCastle.ScriptSentry.Spray-Passwords (custom).SpoolSample.secretsdump[.]py.AMSI Bypass (custom).bypass-clm (custom).ADExplorer.ADeleg.Rubeus.Certify.BloodHound/SharpHound.Locksmith.SharpSCCM.Inveigh.PowerUpSQL.Nmap.
My latest AD toolbelt:.ldapdomaindump.NetExec.impacket.adidnsdump.certi.Certipy.ldeep.pre2k.certsync.hekatomb.MANSPIDER.Coercer.DonPAPI.go-windapsearch.kerbrute.
9
117
693
Tabletop scenario: Your EDR vendor pushes an update and BSOD all of your computers. Every single one. Across the globe. Go. .
78
68
645
Hey hackers. What's your favorite local privilege escalations in windows/AD environments? 😈😎.
82
67
596
Being a Sysadmin is one of THE HARDEST jobs in tech. Not only do you need to keep the lights on but at most orgs you're wearing so many hats that you also have to upgrade servers, deploy networking equipment. Of and you have to patch and make sure you don't get hacked.
45
51
542
If you're a red teamer or pentester, where do you go to learn more about evasion? These immediately come to mind. Are there others you'd recommend?. 1. Maldev academy.2. Sektor7.3. RTO 1 & 2 by zero-point security.4. S3cur3th3sh1ts content.5. Mr. Un1k0d3r's content.
27
88
527
🚨 Incase you were not able to make it to the Harden Active Directory webinar I did recently, here's a link to all the resources for you!. Webinar recording: Slides: Thanks so much for everyone's support. ✌🙏
8
120
496
What’s the best way to get someone up to speed with securing Active Directory that has only an introductory level of knowledge about AD?.
73
27
473
An attacker's favorite target once they are inside a network: IT management servers. So many times I've seen them:.- Not have EDR, or if they do it's disabled.- Have scheduled tasks running as Domain Admins.- Have loads of unsecured creds on c:\, d:\ and e:\ drives.- etc, etc.
28
70
463
Things I wish I knew about cybersecurity/pentesting/red teaming/etc when I started…. I’ll go first:.
51
45
452
I'm fascinated by the number of engagements I do where I tell an IT admin about PingCastle and it's the first they have ever heard of it. Such a phenomenal, free tool, that can find VERY serious vulnerabilities with the click of the mouse. 🙏🙏.
24
40
454
Does anyone ever work in absolute and complete silence? Sometimes when I am pentesting, I have no music nothing on. Just the silence of me and my keboard.
167
6
436
98% of pentesters do not get Domain Admin on day 1. And they don’t know why. 🧵 Implement these tips if you want to dominate any domain you enter.
6
27
398
In the last 3 years or so of internal pentesting I’ve never exploited a vuln that was found by Nessus.
99% of vulnerabilities don’t matter.
36
34
389
Save for later.
12
51
385
Hey infosec. Fun thought experiment: .- you’re dropped into a medium size business as the sole security person.- there is sr level IT & Security exec.- no formal security program but do have a small IT team. What do you do to defend the company and grow the security program?.
123
82
361
These are my top 3 favorite security tools for all sysadmins and it admins. 1. PingCastle: an Active Directory health assessment tool (. 2. Locksmith: a tool to find and fix common Active Directory certificate services misconfigurations.
12
52
377
This is a nice BloodHound user guide. I like the additional use of AD-miner. Spent some time with AD-miner last night as a result. It's pretty neat. Definitely recommend checking it out if you haven't already . tool by Mazars Tech . . blog by @m4lwhere.
4
90
370
@SoniaCuff being a jack of all trades means your a master of none but thats ok because that's many times what the job calls for.
10
9
357
Monitor privileged groups for modifications. Not just Domain Admins. All of them.
20
53
359
To be a better hacker, take less certifications and do more pentests.
24
31
348
I'm not sure who put this site together, but this PingCastle cheat sheet is awesome. If you're a PingCastle fan, definitely something to check out. . If anyone knows who this site belongs to, let me know so I can give a proper shout out!.
4
89
357
Want to get into cybersecurity, leave a question. Already have a job in cybersecurity, leave advice. I’ll go first: . Try different things until you find the thing that really speaks to you. Don’t be afraid to put yourself out there on social media or by creating content.
155
32
337
🏰 One method I use to find unsafe permissions in Active Directory…. 1. Download PingCastle and run a health check.2. Review the “Control Paths” section of the report.3. Look for “critical” findings. These are issues where low-privileged users or groups such as “Everyone” have.
7
39
340
Ok here’s a real 🌶️ debate: you should know how to MEME to work in cybersecurity….
59
20
330
🪟Pentesting from windows:. 1. Open file share.2. Copy paste domain admin password from login.txt to cmd.3. Net group “domain admins” hacker /add /domain and login to the DC. 🐧Pentesting from Linux:. 1. /Responder.py -I eth0.2. Sip coffee while gathering hashes.3. Crack the.
17
29
297
It’s hard for IT Admins, sysadmins and managers to care when senior leadership give those individuals all of the responsibility but none of the power to affect change.
18
40
323
Allowing for unfettered VPN access into your organization is part of this unmanaged device risk. Username + password, even with MFA alone is not enough. What's an ideal vpn setup?.- device certificates.- conditional access.- username + password + mfa.- network segmentation for.
53
29
331
Apprenticeship is a lost art. I think cybersecurity and especially pentesting is a great candidate for apprenticeship-type learning. .
32
21
317
📽🔴 How to Harden Active Directory to Prevent Cyber Attacks. my webinar I did. is now LIVE on YouTube! .
4
60
298
Top notch resources to learn Active Directory security (defenders pov). Please chime in with your recommendations below! 🧵.
8
49
300
How to be more educated about cybersecurity in 2025: make reading The DFIR Report a regular thing you do. So good.
7
68
298
🧵How to find privilege escalation vulnerabilities in windows part 1. 1. Open cmd.2. Paste the following:. wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """. 3. Exploit. 4. Brag to your friends how cool.
7
51
287
I’ve got thoughts about this….🧵. EDR quickly advanced, SMBs adopted EDR but also quickly realized they couldn’t manage it themselves so they went the MSSP route. The MSSP uses a “SIEM” but their detections are not bullet proof and EDR is only going to get you so much of the.
Average twitter person -> PowerShell is dead. Red canary threat reports -> PowerShell being top 1~ for 4+ years
20
38
285
Learn ADVANCED red team hacking techniques. Such as. Scanning with nmap.Using Microsoft cmd. /s.
22
9
272
IR tabletop scenario: You get a High alert from a server. There's suspicious activity detected. You come to find out your EDR is not sending data to the mothership on 90% of your fleet of hosts. What do you do. .
82
22
273
Pentesters/red teamers, what resources do you check for known vulns, cves, etc.? E.g. 3rd party software on an endpoint may be old and you want to check if there's any vulns. google, github and cvedetails has been my main three. .
19
40
263
This was recorded 8 years ago. Still probably THE BEST video on the windows firewall and doing it right, to ya know actually secure things. ht @jepayneMSFT 👏🙏.
6
49
271
These are my top recommendations for free/very affordable and top notch security training. I know this is not all of them but these I have experience with and I don’t like talking about things I don’t know. Here’s my thoughts…🧵.
6
54
266
You don’t HAVE to pentest from Kali or even from Linux. Windows can work just as good.
What is one thing you think all Junior Pentesters should know? Either you wish someone would have told you, or your interaction with a Jr Pentester you wish they knew xyz. What is that one thing? cc: @ashleyhacksss.
57
15
255
I've spent the last 3+ years focused on attacking active directory/internal networks and I'm going to do my absolute best to provide a road map for sysadmins to secure AD. Wed 5/29 12pm Eastern. Memes included, register here if you wanna come hang 👇.
7
46
273
TFW: You think you understand tier 0 then read this. Learning every day. Always stay humble 🙏 . ht @Jonas_B_K.
2
54
269
I’m making a funny NSA sticker. Which one is better?. A) I know what you did last login.B) They know what you did last login.C) We know what you did last login.
106
11
257
⚠ SYSADMINS! You using LAPS in your environment? No? Chances are good that you're reusing local admin passwords. This is something I check for and ABUSE on every single internal engagement. It's silly easy to implement LAPS, go do it! 💪🙏.
23
25
246
Time to update your banned password/spraying lists. Spring2025.Summer2025.Fall2025.Winter2025.Spring2025!.Summer2025!.Fall2025!.Winter2025!.January2025!.February2025!.March2025!.April2025!.May2025!.June2025!.July2025!.August22025!.September2025!.October2025!.November2025!.
6
27
244
Help desk nor anyone else should be using the local admin password (LAPS or not). They should be using their tiered admin account. The local admin thing is a flaw in the design of windows in my opinion.
33
13
238
What are some of the most underappreciated skills in infosec? I'll go first. Communicating clearly, effectively, and in a way that's suitable to your audience.
60
18
228
💣🧵 Last year, while on an internal penetration test I was able to abuse several logon script misconfigurations. After that engagement, I kept seeing these same issues crop up engagement after engagement.
1
43
228
Cybersecurity is a lot like lighting weights…. This stuff takes dedication, consistency, good form (basics), strategy, hard work. All without seeing any “fruits” of your labor for a very long time. Until you wake up one day and you do.
13
26
225
Don't sleep on PingCastle folks
wow.
3
33
218