Hi, I’m Logan Goins, an Associate Adversary Simulation Operator at SpecterOps. As part of Consulting Services, I perform Penetration Tests and Red Team Operations for clients looking to measure impact in the case of a breach or improve their detection and response capabilities.
Additionally, I love to continuously learn and develop new tools and tradecraft for exploiting or abusing easily mis-configurable or complex technologies which may enable risk for an organization. My primary interests are in Active Directory and other identity focused tradecraft, including Active Directory Certificate Services (AD CS), System Center Configuration Manager (SCCM), Entra ID, and more. I’m also the author of SharpSuccessor, SOAPy, and others.
Here’s a quick summary of my experiences, tooling development, and research:
- Experience:
  - Associate Consultant, Adversary Simulation at SpecterOps (May 2025 to Present)
  - Offensive Security Consultant Co-op at IBM X-Force Red (January 2025 to May 2025)
  - Offensive Security Consultant Intern at IBM X-Force Red (May 2024 to August 2024)
- Education:
  - Bachelor’s in Cybersecurity, The University of Texas at San Antonio (August 2023 to August 2026)
- Tooling Development:
  - BadTakeover, Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover (Sep 2025)
  - SharpSuccessor, .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai. (May 2025)
  - Stifle, a .NET post-exploitation utility to exploit strong explicit certificate mappings (ESC14) for account takeover in Active Directory environments. (Feb 2025)
  - Krueger, Proof of Concept (PoC) .NET tool for remotely disabling EDR with weaponized WDAC to enable lateral movement. (Dec 2024)
  - Cable, .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation. (Nov 2024)
  - SOAPy, Proof of Concept (PoC) Python tool for conducting offensive interaction with Active Directory Web Services (ADWS) from Linux hosts. (Aug 2024)
- Major Blogs:
  - The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique (Oct 2025)
  - Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP (Aug 2025)
  - Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS (July 2025)
  - Attacking and Defending Configuration Manager - An Attackers Easy Win (April 2025)
  - SOAPy: Stealthy enumeration of Active Directory environments through ADWS (Feb 2025)
  - Using Offensive .NET to Enumerate and Exploit Active Directory Environments (Oct 2024)
  - NTLM Relaying to LDAP - The Hail Mary of Network Compromise (July 2024)
  - Active Directory Certificate Services (AD CS) - A Beautifully Vulnerable and Mis-configurable Mess (May 2024)
- Certifications:
  - Certified Red Team Operator (CRTO)
  - Offensive Security Certified Professional (OSCP)
  - CompTIA Cybersecurity Analyst+ ce (CySA+) - April 2023 to April 2026
  - CompTIA Security+ ce - April 2023 to April 2026