Hi, I’m Logan Goins, an Adversary Simulation Operator at SpecterOps. As part of the Adversary Simulation team at SpecterOps, I simulate an attacker to perform red team operations and penetration testing assessments for SpecterOps clients looking to improve their detection and response capabilities or measure impact in the case of a breach.

My primary interests are in Active Directory and other identity focused offensive tradecraft, including Active Directory Certificate Services (ADCS), System Center Configuration Manager (SCCM), Active Directory Web Services (ADWS), Entra ID, and more. I’m also the author of open-source offensive tools such as SharpSuccessor, SOAPy, and others.

---

A summary of my security research, capability/tradecraft development, community contributions, and certifications, can be found below:

• Experience:
  • Consultant, Adversary Simulation at SpecterOps (May 2026 - Present)
  • Associate Consultant, Adversary Simulation at SpecterOps (May 2025 to May 2026)
  • Offensive Security Consultant Co-op at IBM X-Force Red (January 2025 to May 2025)
  • Offensive Security Consultant Intern at IBM X-Force Red (May 2024 to August 2024)
• Education:
  • Bachelors in Cybersecurity, UT San Antonio (In progress)
• Tooling Development:
  • BadTakeover, Beacon Object File (BOF) for Using the BadSuccessor Technique for Account Takeover (Sep 2025)
  • SharpSuccessor, .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon’s (@YuG0rd) BadSuccessor attack from Akamai. (May 2025)
  • Stifle, a .NET post-exploitation utility to exploit strong explicit certificate mappings (ESC14) for account takeover in Active Directory environments. (Feb 2025)
  • Krueger, Proof of Concept (PoC) .NET tool for remotely disabling EDR with weaponized WDAC to enable lateral movement. (Dec 2024)
  • Cable, .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation. (Nov 2024)
  • SOAPy, Proof of Concept (PoC) Python tool for conducting offensive interaction with Active Directory Web Services (ADWS) from Linux hosts. (Aug 2024)
• Major Blogs:
  • Wait, Why is my WebClient Started? - SCCM Hierarchy Takeover via NTLM Relay to LDAP (Jan 2026)
  • The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique (Oct 2025)
  • Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP (Aug 2025)
  • Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS (July 2025)
  • Attacking and Defending Configuration Manager - An Attackers Easy Win (April 2025)
  • SOAPy: Stealthy enumeration of Active Directory environments through ADWS (Feb 2025)
  • Using Offensive .NET to Enumerate and Exploit Active Directory Environments (Oct 2024)
  • NTLM Relaying to LDAP - The Hail Mary of Network Compromise (July 2024)
  • Active Directory Certificate Services (AD CS) - A Beautifully Vulnerable and Mis-configurable Mess (May 2024)
• Certifications:
  • Adversary Tactics: Identity Driven Offensive Tradecraft (IDOT)
  • Attacking and Defending Azure & M365
  • Certified Red Team Operator (CRTO)
  • Offensive Security Certified Professional (OSCP)
  • CompTIA Cybersecurity Analyst+ ce (CySA+) - April 2023 to April 2026
  • CompTIA Security+ ce - April 2023 to April 2026

---