My name is Jonas, and I am working as a Product Architect at SpecterOps. I enjoy writing ugly code to solve real and imaginary technical problems in the offensive and defensive security space. In my daily tasks, I investigate attack vectors to determine how they can be implemented in BloodHound.

I have a background as a security consultant working with customers to harden their AD and Windows infrastructure, and I have practical experience fixing and breaking customer environments with security measures such as AD tiering, Protected Users, IPSec, and disabling NTLM.

• GitHub
• Twitter
• LinkedIn
• Medium (blog)
• BloodHoundGang Slack

Feel free to reach out to me on Twitter, LinkedIn, or BloodHoundGang Slack.

See LinkedIn

2024

• 2024/11/04 - Talk: Defending Against ADCS Domain Escalation Techniques
• 2024/09/11 - Blogpost: ADCS Attack Paths in BloodHound — Part 3
• 2024/06/26 - Talk: Analyzing and Executing ADCS Attack Paths with BloodHound (Troopers)
• 2024/06/14 - Talk: Analyzing and Executing ADCS Attack Paths with BloodHound (x33fcon)
• 2024/05/01 - Blogpost: ADCS Attack Paths in BloodHound — Part 2
• 2024/03/27 - Webinar: Defining the Undefined: What is Tier Zero Part III
• 2024/03/20 - Blogpost: Pwned by the Mail Carrier
• 2024/03/11 - Talk: Analyzing and Executing ADCS Attack Paths with BloodHound (SO-CON)
• 2024/02/28 - Blogpost: ADCS ESC14 Abuse Technique
• 2024/02/14 - Blogpost: ADCS ESC13 Abuse Technique
• 2024/01/24 - Blogpost: ADCS Attack Paths in BloodHound — Part 1

2023

• 2023/12/07 - Webinar: ADCS Attack Paths in BloodHound
• 2023/09/14 - Blogpost: What is Tier Zero — Part 2
• 2023/09/12 - Webinar: Defining the Undefined: What is Tier Zero Part II
• 2023/06/28 - Talk: Hidden Pathways: Exploring the Anatomy of ACL-Based Active Directory Attacks and Building Strong Defenses (Troopers)
• 2023/06/22 - Webinar: Defining the Undefined: What is Tier Zero
• 2023/06/22 - Blogpost: What is Tier Zero — Part 1
• 2023/05/23 - Blogpost: FOSS BloodHound 4.3.1 release
• 2023/01/10 - Blogpost: Protect Active Directory users from password attacks with Fine-Grained Password Policy (FGPP)

2022

• 2022/10/08 - Talk: Active Directory trust attacks (BSides Copenhagen)
• 2022/09/15 - Webinar: Practical approach to secure critical assets in Active Directory and Azure
• 2022/08/14 - Talk: Don’t be trusted: Active Directory trust attacks (DEF CON Adversary Village)
• 2022/06/23 - Webinar: Securing On-Prem and Cloud Infrastructure with SpecterOps & Teal
• 2022/06/20 - Blogpost: Establish security boundaries in your on-prem AD and Azure environment
• 2022/04/08 - Blogpost: SID filter as security boundary between domains? (Part 7) - Trust account attack - from trusting to trusted
• 2022/04/07 - Blogpost: SID filter as security boundary between domains? (Part 6) - Schema change trust attack - from child to parent
• 2022/04/06 - Blogpost: SID filter as security boundary between domains? (Part 5) - Golden GMSA trust attack - from child to parent
• 2022/04/04 - Blogpost: SID filter as security boundary between domains? (Part 4) - Bypass SID filtering research
• 2022/04/01 - Blogpost: SID filter as security boundary between domains? (Part 3) - SID filtering explained
• 2022/03/29 - Blogpost: SID filter as security boundary between domains? (Part 2) – Known AD attacks - from child to parent
• 2022/03/28 - Blogpost: SID filter as security boundary between domains? (Part 1) - Kerberos authentication explained

2021

• 2021/10/05 - Workshop: ImproHound OWASP Copenhagen workshop
• 2021/08/16 - Talk: ImproHound demo - DEF CON Adversary Village presentation (DEFCON channel)
• 2021/08/08 - Talk: ImproHound demo - DEF CON Adversary Village presentation
• 2021/06/04 - Video: ImproHound demo
• 2021/04/21 - Blogpost: ImproHound - Identify AD tiering violations
• 2021/04/16 - Tool: ImproHound

2020

• 2020/04/01 - Blogpost: Setup RDP to DC from jumphost/PAW only — with IPSec