See the latest by Jonas Bülow Knudsen
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound
TL;DR The ability of an attacker controlling one domain to compromise another through an Active Directory...
By: Jonas Bülow Knudsen
Jun 25, 2025 • 24 min read
Read Post
Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA)
TL;DR The Incoming Forest Trust Builders group (not AdminSDHolder protected) can create inbound forest trusts with...
By: Jonas Bülow Knudsen
Jun 25, 2025 • 20 min read
Read Post
ADCS Attack Paths in BloodHound — Part 3
ADCS Attack Paths in BloodHound — Part 3 In Part 1 of this series, we explained how we incorporated...
By: Jonas Bülow Knudsen
Sep 11, 2024 • 22 min read
Read Post
ADCS Attack Paths in BloodHound — Part 2
ADCS Attack Paths in BloodHound — Part 2 In Part 1 of this series, we explained how we incorporated...
By: Jonas Bülow Knudsen
May 1, 2024 • 13 min read
Read Post
How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. At SpecterOps,...
By: Jonas Bülow Knudsen
Mar 20, 2024 • 28 min read
Read Post
The altSecurityIdentities attribute of Active Directory (AD) computers and users allows you to specify explicit certificate...
By: Jonas Bülow Knudsen
Feb 28, 2024 • 38 min read
Read Post
It is possible to configure an Active Directory Certificate Services (ADCS) certificate template with an issuance...
By: Jonas Bülow Knudsen
Feb 14, 2024 • 15 min read
Read Post
ADCS Attack Paths in BloodHound — Part 1
ADCS Attack Paths in BloodHound — Part 1 Since Will Schroeder and Lee Christensen published the Certified Pre-Owned whitepaper,...
By: Jonas Bülow Knudsen
Jan 24, 2024 • 16 min read
Read Post
What is Tier Zero — Part 2 Round 2! This is Part 2 of our webinar and blog post...