Introduction

BloodHound is one of my favorite tools for auditing Active Directory attack paths. In the BloodHound v8.0 release, SpecterOps introduced BloodHound OpenGraph, enabling the community to ingest data from disparate systems and applications.

Over the past year, the community has published several OpenGraph extensions that expand BloodHound’s attack path management capabilities to systems such as AWS, GitHub, and Jamf. The full extension library is available here.

After seeing that success, I decided to build my own extension: ExchangeHound, focused on Microsoft Exchange on-premises environments. Its goal is to give blue teams a graph-based way to identify abuse paths related to T1098.002 - Account Manipulation: Additional Email Delegate Permissions and other Exchange mailbox abuse paths.

In this post, I’ll walk through how ExchangeHound models Exchange mailbox permissions in OpenGraph and how those relationships can be used to uncover real attack paths.

Why Exchange Delegation Matters

Before diving into the schema, it helps to define the problem in practical terms: Exchange delegation rights are often distributed across large environments and are difficult to reason about in isolation. Permissions like FullAccess, SendAs, and SendOnBehalf may each look harmless on their own, but when combined with existing AD relationships they can form high-impact privilege chains. The same is true for delegated folder access (for example, shared Inbox permissions), which can be abused for stealthy monitoring and persistence. ExchangeHound treats these permissions as graph relationships so they can be analyzed the same way as traditional BloodHound edges.

You can read a great article on this here: POL Cyber Command has observed malicious activity against Microsoft Exchange servers

Data Model

ExchangeHound extends BloodHound with Exchange-specific nodes and relationships so mailbox abuse can be analyzed as part of the same identity graph. The model includes objects such as ExchangeMailbox, ExchangeMailboxFolder, ExchangePublicFolder, ExchangeTransportRule, and ExchangeRbacRole, connected by edges like HasFullAccess, HasSendAs, HasSendOnBehalf, HasFolderAccess, HasCalendarAccess, and HasPublicFolderAccess. By mapping these permissions into OpenGraph, we can move from isolated ACL review to path-based analysis that shows how Exchange rights combine with existing AD relationships.

At the center of the model is the ExchangeMailbox node, which is linked back to identity through OwnsMailbox (owner mapping) and to delegation principals through mailbox permission edges. This makes mailbox ownership explicit in the graph and allows us to immediately separate expected access from non-owner access.

This sample query maps user GraceTurner to Mailboxes:

MATCH p=(u:User)-[:OwnsMailbox|HasFullAccess|HasSendAs|HasSendOnBehalf]->(mb:ExchangeMailbox)
WHERE u.samaccountname = 'GraceTurner'
RETURN p

ExchangeHound then adds depth with folder-level objects. ExchangeMailboxFolder nodes are connected to their parent mailbox via ContainsFolder, and principals can reach those folders through HasFolderAccess or HasCalendarAccess edges. Those edges preserve rights metadata (for example accessrights and calendar sharingpermissionflags), so analysts can distinguish broad mailbox compromise from more selective access such as Inbox-only or Calendar-only delegation.

This sample query maps folders in BenjaminPrice mailbox:

MATCH p=(u:User)-[:OwnsMailbox]->(mb:ExchangeMailbox)-[:ContainsFolder]->(f:ExchangeMailboxFolder)
WHERE u.samaccountname = 'BenjaminPrice'
RETURN p

For visibility beyond mailbox ACLs, the model also includes message-flow and admin-control surfaces. ExchangeTransportRule nodes connect sender conditions (TriggeredBySender) and recipient/action targets (AffectsRecipient), including synthetic ExchangeTransportEndpoint nodes for unresolved external SMTP destinations. ExchangeRbacRole nodes connected through HasExchangeRole represent Exchange administrative assignments with assignment metadata and scope fields, which helps identify persistence or privilege expansion paths in management-plane access.

This sample query shows Exchange RBAC roles for user TylerScott.

MATCH p=(principal)-[r:HasExchangeRole]->(role:ExchangeRbacRole)
WHERE principal.samaccountname = 'TylerScott'
RETURN p

Identity mapping is designed to merge cleanly with existing SharpHound data. Trustee resolution attempts SID-based AD lookups first and uses match_by: "id" to attach Exchange edges directly to existing AD users/groups/computers. For Exchange-only principals like Default and Anonymous, ExchangeHound creates ExchangePermissionPrincipal nodes instead of dropping the relationship, preserving exposure paths that would otherwise be invisible in AD-only graphs.

This sample query shows Folders in Mailboxes that have anonymous access enabled.

MATCH p=(anon:ExchangePermissionPrincipal)-[r:HasFolderAccess]->(folder:ExchangeMailboxFolder)<-[:ContainsFolder]-(mb:ExchangeMailbox)<-[:OwnsMailbox]-(owner:User)
WHERE toLower(anon.displayname) = 'anonymous'
RETURN p

Data Collection Pipeline

At a high level, the workflow is: run ExchangeHound on an on-prem Exchange host, generate OpenGraph JSON, prepare BloodHound for custom model ingestion, and then import the dataset either through the UI or through API scripts.

1. Run collector on Exchange on-prem server
   • Run from Exchange Management Shell (or remote EMS session), with AD resolution available.
   • Start with a pilot scope, then expand to full collection.

# pilot
.\ExchangeHound.ps1 -ResultSize 100 -SkipSendOnBehalf -OutputPath .\exchangehound_pilot.json

# full coverage
.\ExchangeHound.ps1 -CollectAll -OutputPath .\exchangehound_full.json

1. Prepare BloodHound for OpenGraph data
   • Ensure your BloodHound deployment is using the PostgreSQL/OpenGraph path (PG) instead of Neo4j mode.
   • Upload the ExchangeHound custom model before ingesting data, so custom nodes/edges render correctly.

python update_custom_nodes_to_bloodhound.py -s https://bloodhound.example.com -u <user> -p <pass> -m model.json

1. Import ExchangeHound output
   • GUI path: Administration -> File Ingest and upload ExchangeHound_*.json.
   • Script/API path: use the uploader script for repeatable ingestion pipelines.

python upload_exchangehound_data_to_bloodhound.py -s https://bloodhound.example.com -u <user> -p <pass> -f ExchangeHound_YYYYMMDD_HHMMSS.json

More details can be found on the GitHub repository for ExchangeHound.

Threat Hunting Ideas

Below are practical hunts based only on the data I’ve generated in my lab.

1) Non-owner access to executive mailboxes

Use this to find delegates with privileged access to executive mailboxes (EthanColeman, NatalieParker).

MATCH p=(delegate)-[:HasFullAccess|HasSendAs|HasSendOnBehalf]->(mb:ExchangeMailbox)<-[:OwnsMailbox]-(owner:User)
WHERE mb.displayname IN ['EthanColeman', 'NatalieParker']
  AND delegate <> owner
RETURN p

2) Kerberoastable service account with mailbox control

Use this to identify principals with SPN set and mailbox takeover rights. ArchiveSyncSvc has both mailbox and impersonation-style rights to user mailboxes.

MATCH p=(u:User)-[:HasFullAccess|HasSendAs]->(mb:ExchangeMailbox)<-[:OwnsMailbox]-(owner:User)
WHERE u.hasspn
RETURN p

3) Inbox-level permissions via folder ACLs

Use this to detect selective inbox monitoring (folder-level access) instead of full mailbox compromise.

MATCH p=(delegate)-[:HasFolderAccess]->(folder:ExchangeMailboxFolder)<-[:ContainsFolder]-(mb:ExchangeMailbox)<-[:OwnsMailbox]-(owner:User)
WHERE toLower(coalesce(folder.folderpath, '')) CONTAINS 'inbox'
RETURN p

4) Disabled user with lingering mailbox rights (orphaned access)

Use this to surface stale permissions from deprovisioning failures. In example RyanFoster is disabled but still delegated to VictoriaShaw.

MATCH p=(delegate:User)-[:HasFullAccess|HasSendAs]->(mb:ExchangeMailbox)<-[:OwnsMailbox]-(owner:User)
WHERE delegate.enabled = false
RETURN p

5) Transport-rule exfiltration paths

Use this to trace mail flow rules that route or copy messages to external endpoints.

MATCH p=(rule:ExchangeTransportRule)-[:AffectsRecipient]->(endpoint:ExchangeTransportEndpoint)
RETURN p

6) Overly privileged Exchange RBAC roles on user principals

Use this to identify users with high-impact Exchange administrative roles.

MATCH p=(principal:User)-[:HasExchangeRole]->(role:ExchangeRbacRole)
WHERE toLower(coalesce(role.displayname, '')) IN [
    'organization management',
    'recipient management',
    'role management',
    'organization configuration',
    'organization client access',
    'mail recipients',
    'mail recipient creation',
    'recipient policies'
  ]
RETURN p

Conclusion

Publishing ExchangeHound on GitHub is an important milestone for me. It may not be perfect, but I hope it will be useful for investigations, especially after mailbox or Exchange Server compromise. I built it in my free time and tested it in a lab running Exchange 2019. I hope it also works well across other supported Exchange versions.

I may add Exchange Online support in my spare time.

• ExchangeHound GitHub: github.com/FilipPwn/exchangehound
• ExchangeHound sample data and scenarios: github.com/FilipPwn/exchangehound_samples

I’ve been working in the cybersecurity field for a few years now and during that time I’ve worked on a few certifications. Here’s the list of them, and later some thoughts about them.

Certifications

Important notes:

• Some of these may be expired - I obtained them, I just didn’t always renew them 😄
• I’ve bought some of them, some of them were sponsored by my company

2022

• CompTIA: Security+
• Elastic: Certified Engineer
• Elastic: Certified Observability Engineer
• Elastic: Certified Analyst
• CompTIA: CySA+ (Cybersecurity Analyst)

2023

• GIAC: GCDA + SANS SEC555
• GIAC: GDAT + SANS SEC599

2024

• HackTheBox: CPTS (Certified Penetration Tester Specialist)
• Altered Security: CRTP (Red Team Professional)

2025

• HackTheBox: CAPE (Certified Active Directory Penetration Testing Expert)
• Altered Security: CRTE (Red Team Expert)
• HackTheBox: CWES (Certified Web Exploitation Specialist)
• OffSec: OSCP (Offensive Security Certified Professional)

Thoughts

CompTIA Security+

CompTIA Security+ was my first certification. I was fresh out of university and I wanted to validate my knowledge about general cybersecurity concepts. Security+ is a well-known and well-regarded certification in the industry. It covers a wide range of topics (very broad, but not necessarily deep). It can be considered a good starting point for someone who wants to start their journey in the cybersecurity field.

I prepared for this certification using mainly a Udemy course (videos + mock exams). Udemy is a good platform for self-paced learning and it is very affordable. I spent around 2-3 weeks watching videos and writing notes. After that I took the exam - it is proctored and theory only (multiple choice questions). What stood out for me is that the exam uses very advanced English words and phrases, so it is also a good opportunity to practice your English.

Pros:

• Good starting point for someone who wants to start their journey in the cybersecurity field
• Widely known and respected certification in the industry

Cons:

• Very broad, but not necessarily deep
• Not very practical
• Valid for 3 years

CompTIA CySA+

CySA+ wasn’t a certification that was on my radar, but I got a pretty good discount for it - I think it was around 80%, and it was a “beta” exam. I used the same strategy as for Security+ - Udemy course + mock exams. At that time I was already working in the cybersecurity field, so I had working knowledge about most of the topics covered in the exam - SIEM, IDS, IPS, investigations, incident response, threat intelligence, etc. The exam was probably easier than Security+ - a bit deeper in security analysis, but still very theoretical.

Pros:

• Good at a discount rate
• Quite easy exam

Cons:

• Not as well known as Security+
• Not very practical
• Valid for 3 years

Elastic Certifications

I’ve done three Elastic certifications available at that time:

• Elastic Certified Engineer
• Elastic Certified Observability Engineer
• Elastic Certified Analyst

Elastic teaches practical skills and knowledge about Elastic Stack and its products. If you ever work with Elastic Stack as an engineer or architect, these training and certifications could be very beneficial for you.

Engineer course teaches you mostly about Elasticsearch - how it works, how to use the API, working with indices, mapping, ingestion, search, aggregation, etc. The only thing missing, in my opinion, is how to deploy and scale your own Elasticsearch cluster.

Observability course teaches you how Elastic can be used to monitor and analyze your logs, metrics, and traces for your applications - like nginx, apache etc. It also shows how things like APM or Heartbeat work.

Analyst course was the easiest one - it teaches you how to use Kibana - visualizations, dashboards, maps etc.

All of the exams are proctored and practical - you have very limited time to complete around 10 tasks. You have to be really confident about what you are doing. Tip: know how to use Elastic docs.

I think that right now there is also another course: Elastic Certified Security Engineer, but I haven’t done it.

Pros:

• Practical skills around Elastic Stack
• Beginner friendly

Cons:

• Probably only for Enterprise customers, I wouldn’t buy it by myself
• Good for beginners, but it is missing some advanced topics
• Valid for 3 years

GIAC: GCDA

SANS SEC555 and GCDA were my first SANS and GIAC courses. GCDA stands for GIAC Certified Detection Analyst - and that’s why I’ve done it, to become a detection engineer. At that time it was taught by Justin Henderson and I must say: I love this guy and his teaching style. I love his jokes and his way of explaining things. The course teaches how to start with detection engineering: how to choose and build a SIEM, make it “tactical”, how to feed it (and not overfeed it), how to use it, build detections / enrichments, etc. This is probably the only course that will teach you that - how to architect a SIEM solution in your enterprise. Great stuff, but for a great price too. Exam is proctored, but as with most typical GIAC exams - it is open-book.

Right now SEC555 is taught by another instructor, so I cannot say much about it.

Pros:

• Must have for SIEM Architect / Detection Engineer
• Tons of practical knowledge about SIEM
• Probably the only course that will teach you how to architect a SIEM solution in your enterprise
• Based on Elastic Stack - very applicable in real-world

Cons:

• Expensive
• Valid for 3 years

GIAC: GDAT

SANS SEC599 was the second SANS course that I’ve done - with GDAT (GIAC Defending Advanced Threats) certification. It is designed to be a purple-team certification - you will learn how to emulate some threats and then how to defend against them. The course is very practical and is taught by experienced instructors. It was not as game-changing as GCDA, but it was a good supplement to my knowledge. To be honest, most of the “red” stuff was really basic, so do not expect to learn advanced red-team techniques. Exam was proctored, similar to other GIAC exams.

Pros:

• Purple-team certification (only one in the industry?)
• Practical skills about red-team and purple-team
• Elastic Stack is used as a SIEM

Cons:

• Expensive
• Red-team stuff is really basic
• Valid for 3 years

HackTheBox: CPTS

Here we go, my first HackTheBox course and certification. HackTheBox is probably the most popular and practical platform to learn cybersecurity skills. Their academy started a few years ago and it is a blast! Before that course, I wasn’t that self-confident about my pentesting skills. The course teaches you everything that a solid pentester should know: enumeration, exploitation, lateral movement, some web skills, some basic Active Directory attacks, some networking skills. All very applicable. To complete the course, you probably need a few weeks/months of dedicated study - but it is totally worth it. Very practical labs, up-to-date content and tools, great community (discord). The exam is not proctored, but it lasts 10 days (I’ve personally used all that time). The report is mandatory, and it has to be a very professional one - probably need a whole day for it. Nevertheless, passing CPTS was a game-changer for me. It opened my eyes to the world of pentesting and I’ve started to love it.

Pros:

• Inexpensive (silver subscription, annual - is enough)
• Most practical course about pentesting I’ve ever seen
• Up-to-date content
• Starting to grow in recognition
• Exam is a real pentest, and it is a real challenge

Cons:

• Not as recognized as OSCP

Altered Security: CRTP

Altered Security (led by Nikhil Mittal) specializes in Active Directory and Azure security. I wanted to go deeper in Active Directory security at that time, and HackTheBox CAPE was not available yet. What is good about CRTP is that it is a beginner-friendly course, quite inexpensive, and materials are for life (only lab time is limited). Material taught here is useful for both offensive and defensive operators. The course brings its own VM in cloud, available via Guacamole, which is very smooth. Exam is not proctored, but it is a realistic Active Directory pentest - ending with a report.

Pros:

• Inexpensive
• Materials are for life and updated
• Great teacher
• Beginner friendly

Cons:

• Not that much recognized

HackTheBox: CAPE

Just after I’ve finished CRTP, HackTheBox released CAPE. It is a certificate for “seniors” in Active Directory security. The course is probably now the best in the industry - teaches advanced AD stuff like AD CS, basic Defense Evasion, advanced enumeration and so on. I’ve written a dedicated post for it here: HackTheBox CAPE Certification. Exam is not proctored and lasts 10 days - and it was the most challenging and rewarding exam that I’ve experienced so far. By the way - I was the 10th person to pass it.

Pros:

• Best course about AD security in the industry
• Exam is a real pentest, and it is a real challenge
• Report has to be professional and detailed
• AD CS attacks are covered

Cons:

• Not yet recognized that much

Altered Security: CRTE

For Black Friday I decided to buy CRTE - a more advanced course than CRTP. I went through it at a faster pace and it is a bit more advanced. I was a bit disappointed that there was not that much new stuff compared to CRTP, but still I consider it a great course. Having already done CAPE - nothing surprised me that much.

Pros:

• Inexpensive
• Materials are for life and updated
• Great teacher

Cons:

• Not that much recognized
• Not that much new stuff compared to CRTP

HackTheBox: CWES

I’ve never been that interested in web exploitation, but since I finished the course path on HackTheBox Academy (which is the best learning source imho) I decided to give the exam a shot. Generally speaking - it is a beginner-friendly course for web exploitation. It teaches you the fundamentals of web exploitation, like SQL injection, XSS, CSRF, etc. These fundamentals will be useful for HackTheBox machines - if you play them. The only downside (at the time that I’ve done it) was there was a bit too much PHP, and a lack of other technologies covered.

Pros:

• Inexpensive
• Great course for beginners
• Web fundamentals are useful for HackTheBox machines

Cons:

• A bit too much of PHP
• Not that much recognized

OffSec: OSCP

OSCP is one of the most recognized certifications in the industry (probably next to CISSP). I did it because I had the opportunity and it is always good to have OSCP on your resume. Since I had already completed three HTB certifications at that time - I was confident to finish it without a course. I cannot speak about the course itself, but the exam was proctored, challenging and rewarding. Good to be OSCP-certified.

Pros:

• Most recognized certification in the industry
• Practical
• OSCP does not expire

Cons:

• OSCP+ expires
• Expensive
• Losing its legendary status in recent years (my opinion)

Conclusion

Looking back at this list, I realize how much the journey itself shaped my thinking — not just the certificates at the end of it.

If I had to give one piece of advice: don’t chase certifications for the badge. Chase them for the gaps they fill. Security+ was right for where I was in 2022. CAPE was right for where I wanted to go in 2025. The order matters, and so does the intent.

A few things I’ve learned along the way:

• Practical > theoretical. Every time. If the exam doesn’t involve actually breaking or building something, its value is limited.
• Blue teamers should go red. Not to switch sides, but to understand what you’re defending against. CPTS changed how I think about detections more than any blue team course ever did.
• Expensive doesn’t mean better. SANS is excellent, but so is HackTheBox Academy at a fraction of the cost. Know what you’re paying for.
• Recognition is overrated — until it isn’t. OSCP still opens doors. CAPE is getting there. But at the end of the day, what matters is what you can actually do.

Still a few things on the list. The journey continues.

When an IP address shows up in your SIEM — in a login event, a firewall log, a VPN connection — you typically get just that: an IP address. If you use GeoIP enrichment, you get geolocation (Country, City) and ASN. But that is often not enough in investigations. The question that follows is usually: who is actually behind this IP? Is it a VPN? A proxy?

That’s where Spur comes in.

Spur is a threat intelligence feed focused on anonymous infrastructure detection. In plain terms: it tells you whether a given IP address belongs to a VPN, a proxy, a residential proxy network, a Tor exit node, or some other anonymization service. This kind of context is invaluable for investigations and threat hunting — a successful authentication attempt from a residential proxy commonly abused by a cybercrime group should raise some alerts.

What Spur offers

Spur’s core product is an IP intelligence feed that is continuously updated and covers:

• VPN detection — identifies IPs associated with commercial VPN providers (NordVPN, ExpressVPN, Mullvad, etc.), including the provider name
• Residential proxies — flags IPs that are part of residential proxy networks, where traffic is routed through real consumer devices
• Anonymous proxies — datacenter-based proxies and anonymization services
• Tor exit nodes — identifies Tor exit nodes at query time
• Hosting / datacenter classification — distinguishes between consumer and infrastructure IPs
• Geographic and ASN context — enriched location and autonomous system data

Each IP entry in Spur’s data includes structured tags and metadata — not just a binary “yes/no” flag, but the type of anonymization, the service name where known, and confidence indicators.

Why VPN enrichment matters for detection

Most SIEMs ingest IP addresses as-is. Geolocation alone is not enough — a VPN exit node in Germany looks identical to a legitimate German user at the IP level. Spur bridges that gap.

With Spur enrichment in place, you can:

• Enrich authentication logs to flag logins from known VPN or proxy IPs
• Build targeted detection rules — e.g., alert when a user authenticates from a VPN exit node they’ve never used before
• Reduce false positives by understanding why an IP looks suspicious (residential proxy vs. bulletproof hosting vs. Tor)
• Feed threat hunting workflows with structured anonymization context, not just raw IP reputation scores

Pricing

Important note: Spur is a paid service. Free users get only 250 manual lookups per month — enough for ad-hoc investigations, not for automated enrichment. API access for bulk/automated use starts at $200/month.

If you’re evaluating it, the free tier is good enough to explore the data model and validate threat hunting ideas before committing.

Understanding the Spur data model

Before jumping into threat hunting ideas, it’s worth understanding what Spur actually returns for an IP. Here’s an example response:

{
  "ip": "45.88.190.70",
  "infrastructure": "DATACENTER",
  "organization": "Packethub S.A.",
  "as": {
    "number": 147049,
    "organization": "PacketHub S.A."
  },
  "location": {
    "city": "Montreal",
    "country": "CA",
    "state": "Quebec"
  },
  "tunnels": [
    {
      "anonymous": true,
      "operator": "NORD_VPN",
      "type": "VPN"
    }
  ],
  "risks": [
    "CALLBACK_PROXY",
    "TUNNEL"
  ],
  "client": {
    "behaviors": ["FILE_SHARING"],
    "count": 2,
    "proxies": ["IPIDEA_PROXY", "NETNUT_PROXY"],
    "types": ["MOBILE"]
  }
}

The fields that matter most for detection:

• tunnels — the core of Spur’s value. Contains the anonymization type (VPN, TOR, PROXY, REMOTE_DESKTOP) and the operator name (e.g., NORD_VPN, PROTON_VPN). This is what lets you identify which VPN service is in use, not just that a tunnel exists.
• infrastructure — the type of infrastructure behind the IP. Documented values include DATACENTER, MOBILE, SATELLITE. IPs in the residential proxy feed will have client.proxies populated regardless of infrastructure type.
• risks — a list of risk tags associated with the IP. Confirmed values: TUNNEL, CALLBACK_PROXY, GEO_MISMATCH, LOGIN_BRUTEFORCE. Useful for building tiered alert severity.
• client.types — what kind of device/client is typically seen on this IP. Documented values: MOBILE, DESKTOP.
• client.behaviors — behavioral patterns observed from this IP. Documented values include FILE_SHARING, TOR_PROXY_USER.

Threat Hunting with Spur

Below are a few ideas that are easy to operationalize once you have the feed integrated into your SIEM.

TH Idea 1 — Correlate logons with VPN / Proxy provider

The idea is simple. Let’s say that from threat intelligence you know an adversary uses NordVPN to perform password spraying against your service. Using Spur, you can easily spot both legitimate users using NordVPN on a daily basis and the adversary doing the same. They can switch countries, cities — but tunnels.operator will always tell you the truth.

Connection using NordVPN from Canada:

{
  "ip": "45.88.190.70",
  "location": { "city": "Montreal", "country": "CA" },
  "tunnels": [{ "operator": "NORD_VPN", "type": "VPN", "anonymous": true }]
}

Same adversary, switched to UK:

{
  "ip": "188.241.144.125",
  "location": { "city": "London", "country": "GB" },
  "tunnels": [{ "operator": "NORD_VPN", "type": "VPN", "anonymous": true }]
}

The IP, country, and ASN all changed. But tunnels.operator is NORD_VPN in both cases. Without Spur, these look like two unrelated IPs from two different countries. With Spur, it’s the same pattern.

This is especially powerful when combined with user-level context — if a user suddenly authenticates from a VPN provider they’ve never used before, that’s a much stronger signal than just “new country.”

TH Idea 2 — Residential proxy detection for account takeover

Residential proxies are a favourite tool for account takeover attacks. Unlike datacenter VPNs, residential proxies route traffic through real consumer devices — making them much harder to block by IP reputation alone. GeoIP won’t help you here: the IP looks like a legitimate home user in the same country.

Spur exposes this through the client.proxies field, which lists residential proxy operators associated with the IP. A login from a residential proxy in the user’s own country, at an unusual hour, is a very different risk profile than a plain residential IP.

Hunting idea: look for authentication events where spur.client.proxies is not empty. Enrich further with login history — a first-time residential proxy login for a given user is worth investigating.

TH Idea 3 — Risk tags as a tiered alert signal

Spur’s risks array lets you build detection rules with graduated severity rather than binary flags. Here’s some of the values to look at:

This lets you avoid the “everything is suspicious” trap — a plain TUNNEL flag on a login may just be a privacy-conscious user, while LOGIN_BRUTEFORCE + CALLBACK_PROXY on the same IP warrants immediate investigation. As you ingest Spur data, you’ll encounter additional tags — treat them as enrichment signals and build severity tiers based on what you observe in your own environment.

What’s next

In Part 2, I’ll walk through how to integrate Spur’s data feed into Elastic SIEM — downloading the feed, parsing it, setting up an ingest pipeline, and building the enrichment processor so these fields are automatically added to your logs at query time.

Enterprise defenders often have many agents running in the environment: SIEM, EDR, VPN, you name it. Having 100% of the agents running and healthy is a dream of every defender, but the reality is that it’s not always possible. Sometimes agents are broken: never installed, stopped by some administrator or just not working as expected.

It is a great idea to have a healthcheck for your agents to ensure that they are running and healthy.

Introducing the Whisperer

One day I was thinking if it would be possible to know how many agents are running and healthy in the environment. How many are stopped? How many are not installed? How many are working as expected? I started to think about it and I came up with the idea of a Whisperer.

The Whisperer is just a simple PowerShell script deployed in Active Directory environment using Group Policy. Script is running in scheduled task: running 10 minutes after the power on and once a day around noon.

Script is using PowerShell to pull the status of the agents from computer, checking if their service is running, their versions, etc. Additionally it is sending some useful information like: Microsoft Defender (status of updates, exclusions etc.), and system info (version, patch). We could add more things if we would like to.

PowerShell script

Proof of concept PowerShell script is available here. It basically does the following:

• Collects basic host information: hostname, domain, OS name, version, build number, install date and last boot time.
• Queries the status and version of key security agents: Elastic Agent, Elastic Endpoint, and Sysmon (we can configure other agents to be checked if we would like to).
• Pulls hardware and BIOS details for inventory purposes.
• Retrieves Microsoft Defender status, including definitions update state and configured exclusions.
• Ships everything as a single JSON payload via an authenticated HTTP POST to the Whisperer receiver endpoint.

Deployment using Group Policy

Deployment is straightforward using a GPO scheduled task. I won’t go into full GPO configuration here, but the key points are:

• Run as SYSTEM — no user interaction required.
• Trigger on startup (with a 10-minute delay to allow network stabilisation) and daily at noon (we can add some jitter to the time to avoid overloading the network).
• Script is stored in SYSVOL and is accessible from the machine account.
• Consider code-signing the script if your environment enforces PowerShell execution policy.

Elastic Stack integration

The script sends data to a simple HTTP listener — in my case, I’ve used Elastic Stack integration. I’ve added Basic Authentication to the endpoint to ensure that only the Whisperer can send data to the endpoint.

Full configuration of integration:

PUT kbn:/api/fleet/package_policies/whisperer-package-policy
{
  "package": {
    "name": "http_endpoint",
    "version": "2.5.0"
  },
  "name": "whisperer",
  "namespace": "",
  "description": "",
  "policy_ids": [
    "whisperer-server-policy"
  ],
  "vars": {},
  "inputs": {
    "http_endpoint-http_endpoint": {
      "enabled": true,
      "streams": {
        "http_endpoint.http_endpoint": {
          "enabled": true,
          "vars": {
            "method": "POST",
            "listen_address": "0.0.0.0",
            "listen_port": "12345",
            "data_stream.dataset": "whisperer",
            "pipeline": "whisperer",
            "preserve_original_event": false,
            "basic_auth": true,
            "username": "whisperer",
            "password": {
              "id": "2ebXkZ0B83xKn-wv4Mzj",
              "isSecretRef": true
            },
            "include_headers": [],
            "ssl": "enabled: false\ncertificate: \"/etc/pki/client/cert.pem\"\nkey: \"/etc/pki/client/cert.key\"\n",
            "tags": []
          }
        }
      }
    }
  }
}

I’ve also added a pipeline to the integration to parse the JSON payload and extract the relevant information.

PUT _ingest/pipeline/whisperer
{
  "description": "Whisperer endpoint inventory pipeline",
  "processors": [
    {
      "rename": {
        "field": "json",
        "target_field": "whisperer",
        "ignore_missing": true
      }
    },
    {
      "script": {
        "description": "Convert WMI /Date(epoch)/ to ISO8601",
        "lang": "painless",
        "source": """
          def fields = [
            ['whisperer', 'mpstatus', 'AntivirusSignatureLastUpdated'],
            ['whisperer', 'mpstatus', 'AntispywareSignatureLastUpdated'],
            ['whisperer', 'mpstatus', 'NISSignatureLastUpdated'],
            ['whisperer', 'mpstatus', 'DeviceControlPoliciesLastUpdated']
          ];
          for (def path : fields) {
            def obj = ctx;
            for (int i = 0; i < path.length - 1; i++) {
              if (obj == null || !(obj instanceof Map) || !obj.containsKey(path[i])) { obj = null; break; }
              obj = obj[path[i]];
            }
            if (obj == null) continue;
            def lastKey = path[path.length - 1];
            if (!obj.containsKey(lastKey) || obj[lastKey] == null) continue;
            def val = obj[lastKey].toString();
            def m = /\/Date\((-?\d+)\)\//.matcher(val);
            if (m.find()) {
              long epoch = Long.parseLong(m.group(1));
              obj[lastKey] = epoch > 0 ? Instant.ofEpochMilli(epoch).toString() : null;
            }
          }
        """
      }
    },
    {
      "date": {
        "field": "whisperer.created_at",
        "target_field": "@timestamp",
        "formats": ["ISO8601"],
        "ignore_failure": true
      }
    },
    {
      "remove": {
        "field": "whisperer.created_at",
        "ignore_missing": true
      }
    },
    {
      "set": {
        "field": "host.name",
        "copy_from": "whisperer.host.name",
        "ignore_empty_value": true
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "error.pipeline",
        "value": "whisperer"
      }
    },
    {
      "set": {
        "field": "error.message",
        "value": ""
      }
    }
  ]
}

Of course the pipeline is not perfect and can be improved - but it is a good starting point.

Kibana Dashboard

Finally we can browse the data in Kibana:

Every workstation in the Active Directory domain is now reporting the status of the agents. Additionally we can create an Elastic transform to get only the latest status of the agents for each workstation. Here’s an example of the transform — remember to start it separately after creation with POST _transform/inventory-whisperer/_start:

PUT _transform/inventory-whisperer
{
  "source": {
    "index": [
      "logs-whisperer-default"
    ]
  },
  "latest": {
    "unique_key": [
      "host.name"
    ],
    "sort": "@timestamp"
  },
  "dest": {
    "index": "inventory-whisperer"
  }
}

Detection Opportunities

The Whisperer data isn’t just for operational dashboards. It opens up some interesting detection use cases:

• Agent tampering: if a host that was previously reporting a running Elastic Agent suddenly reports stopped or none, that warrants investigation. Adversaries commonly target security tooling early in an attack. We can also catch administrators that are stopping the agents.
• Version anomalies: a host running a significantly older agent version than the rest of the fleet may indicate that the agent is broken.
• Defender exclusion changes: new exclusion paths or processes appearing across the fleet outside of a change window are a high-fidelity signal worth alerting on.
• Gaps in telemetry: hosts that stop reporting entirely are a blind spot. Correlating Whisperer check-ins against your SIEM’s endpoint list lets you identify hosts generating no telemetry at all.

Limitations

This is a proof of concept, so there are rough edges. The receiver has no deduplication logic, so a host that reboots twice in a day will submit two records. The script also runs in the context of SYSTEM, which means it can’t capture per-user agent state.

Summary

The Whisperer is a simple but effective way to get visibility into the health of your security tooling across a large Active Directory environment. It costs almost nothing to deploy, generates structured data that integrates naturally into an existing Elasticsearch stack, and surfaces gaps that you simply can’t see from agent-side telemetry alone — because those gaps are, by definition, silent.

The full script is on GitHub. Feedback welcome.

I figured the obligatory first post is as good a place as any to explain what this blog is and why it exists.

If you want to know more about who I am — my background, certs, what I work on day to day — head over to the About page.

What this blog is about

Honestly? Things I find cool.

I’m not going to commit to a strict content schedule or a neatly defined scope. If something catches my attention — a technique, a tool, a CTF challenge, a weird edge case I ran into — and I think it’s worth writing down, I’ll write it down. That might be a full CTF writeup, a short note on a detection idea, something offensive, something defensive, or just a random rabbit hole I went down.

The common thread is that I genuinely found it interesting. No filler, no content for the sake of content.

What you might find here

• CTF writeups — focused on methodology, not just “here’s the flag”
• Detection engineering and threat hunting notes
• Red team techniques and tooling
• Whatever else ends up being interesting enough to write about

The stack

The site is built with Jekyll and hosted on GitHub Pages. Plain HTML and CSS, no JavaScript. Source is at github.com/FilipPwn/filippwn.github.io if you’re curious.

Anyway — more posts to come. Eventually.

• CAPE (Certified Active Directory Penetration Testing Expert) is HackTheBox’s most advanced AD-focused certification, requiring ~3–4 months of dedicated preparation and a 10-day practical exam
• The certification combines comprehensive learning (15 modules) with a challenging practical exam that tests both technical skills and report writing abilities
• Key success factors: strong AD fundamentals (CPTS recommended), dedicated study time, thorough documentation, and report writing skills
• Worth it if you’re serious about AD security, but not an entry-level cert — expect to invest 160–320 hours total (learning path + exam)
• Best suited for security professionals looking to master enterprise AD security, whether from red or blue team backgrounds

Introduction

I recently achieved something remarkable — passing the HackTheBox CAPE exam on my first attempt. As one of the few individuals who’ve accomplished this feat, and noticing the lack of comprehensive reviews, I decided to share my experience with the cybersecurity community.

About CAPE

HackTheBox CAPE (Certified Active Directory Penetration Testing Expert) stands as one of the most rigorous certifications in the cybersecurity landscape. As HTB’s fifth certification offering, it distinguishes itself through its laser focus on Active Directory penetration testing.

Before attempting the certification exam, candidates must complete an intensive learning path consisting of 15 comprehensive modules — 6 medium-difficulty and 9 hard-difficulty. The curriculum is meticulously designed to cover every aspect of Active Directory security:

• Active Directory Enumeration — mastering both external tools (PowerView, BloodHound) and built-in Windows utilities
• Windows Lateral Movement — deep dive into protocols like WMI, SMB, RDP, DCOM, and WSUS exploitation
• Netexec — the Swiss Army knife of AD pentesting, offering versatile attack capabilities
• Kerberos Attacks — comprehensive coverage of Kerberos authentication vulnerabilities
• DACL Attacks — exploring common privilege escalation paths and advanced techniques like GPO abuse
• NTLM Relay Attacks — achieving privilege escalation without credential compromise
• ADCS Attacks — in-depth exploration of 11 ESC paths using modern tools like Certipy and Certify
• Active Directory Trust Attacks — both intra-forest and cross-forest exploitation techniques
• C2 Operations — hands-on experience with the Sliver C2 framework
• Windows Evasion Techniques — advanced methods to bypass Windows Defender (having your own Visual Studio installed is my recommendation)
• Enterprise Service Attacks — essential techniques for compromising MSSQL, Exchange, and SCCM

The learning path assumes foundational knowledge in penetration testing methodology and general security concepts. Prior completion of CPTS is highly recommended.

About the Exam

The CAPE exam simulates a real-world internal penetration test against an enterprise Active Directory environment. Candidates are tasked with conducting a professional security assessment that includes reading and acknowledging a letter of engagement, identifying and exploiting vulnerabilities and misconfigurations, and producing a comprehensive, commercial-grade penetration testing report.

Key Exam Details

• Duration: 10 days to complete both the penetration test and submit the final report
• Environment: Dedicated testing environment accessible via VPN
• Format: Non-proctored examination
• Objectives: Multiple flags must be captured to demonstrate progress
• Retake Policy: Free second attempt within 14 days if initial report is submitted, with detailed examiner feedback on your first attempt
• Assessment: Primary evaluation based on report quality, not just flag capture

Time Management

The 10-day exam duration is both a blessing and a challenge. Unlike typical 24/48-hour certification exams, CAPE requires careful time management and dedication:

• It’s not recommended to attempt this exam “after-hours” or alongside regular work
• The complexity demands focused, dedicated time for both testing and documentation
• Report writing alone can take multiple days to complete properly

Technical Aspects

• The exam environment is fully dedicated to each candidate
• Environment can be reset as needed, but changes are not persistent
• Machine resets affect the entire environment, not individual systems
• Multiple complex steps are typically required to capture each flag

Report Requirements

The report is the cornerstone of the exam evaluation:

• A mandatory template must be followed
• Each finding requires detailed documentation and evidence
• Recommendations must demonstrate meaningful impact on environmental security
• Quality and completeness of the report directly determine exam success

While flag capture demonstrates technical ability, the report’s quality is the primary factor in passing the exam. The second attempt opportunity is only provided if a complete report was submitted in the first attempt.

Preparations

My Background

As a detection engineer and threat hunter by profession, my journey to CAPE was somewhat unconventional. Despite never having conducted a formal penetration test in a real environment, I firmly believe in the principle: “to catch a hacker, you need to think like one” (if you’ve read Mitnick’s Ghost in the Wires — you know what I mean). This mindset, combined with my blue team experience, led me to pursue offensive security certifications.

Prerequisites and Prior Experience

My path to CAPE included several key milestones:

• CPTS Certification — completed HackTheBox’s Certified Penetration Tester Specialist exam, which I consider essential groundwork for CAPE
• Pro Labs Experience — completed multiple HTB Pro Labs including Dante, Zephyr, Offshore, and Alchemy, strengthening my methodology in enterprise-like environments
• CRTP Certification — finished Altered Security’s Red Team Professional course, providing additional AD-focused expertise from a red team perspective

The Learning Path Experience

The CAPE learning path requires a Gold Subscription to HackTheBox. What sets HTB’s learning approach apart is their focus on practical, hands-on learning through reading, understanding, and performing. Instead of relying on potentially outdated video tutorials, the content remains current and accessible even after subscription expiration. I did it slowly but steadily, trying to dedicate at least a few hours every week.

Standout Modules

Three modules particularly impressed me during the learning path:

1. ADCS Attacks Comprehensive coverage of AD CS misconfigurations, aligned with SpecterOps’ cutting-edge research, with a clear explanation of complex exploitation paths.

2. Introduction to Windows Evasion Techniques A unique approach to defensive bypass techniques covering static/dynamic analysis, process injection, AMSI and UAC bypass, AppLocker evasion, and PowerShell Constrained Language Mode. Hands-on coding with Visual Studio is recommended.

3. Using NetExec (formerly CrackMapExec) A deep dive into this versatile tool’s capabilities, with practical applications for streamlining AD penetration testing.

All modules remain accessible post-completion, serving as valuable reference material during the exam and future engagements.

The Exam Experience

Setup and Environment

Picture this: 10 days of pure focus, a complex enterprise AD environment, and a mission to compromise it completely. That’s the CAPE exam in a nutshell. Drawing from my previous HTB CPTS experience, I approached this challenge with a carefully prepared environment:

• Kali Linux VM — pre-configured with tools from the learning path
• Windows 10 VM — equipped with Visual Studio for evasion techniques
• Obsidian — for comprehensive note-taking, crucial for report writing

The Journey

The exam proved to be a true test of understanding rather than mere tool proficiency. Several key observations stood out:

• Deep Understanding Required — simply following “exploit playbooks” proved insufficient; each challenge demanded thorough comprehension of the underlying concepts
• Continuous Learning — even during the exam, I found myself researching newly discovered vulnerabilities to fully understand their impact
• Persistence Pays Off — what initially seemed like impenetrable barriers became stepping stones with a methodical approach
• Building Momentum — each successful exploitation provided momentum for tackling subsequent challenges

I was about to give up on day 6. I didn’t.

Mental Approach

The exam tested not just technical skills but also mental resilience:

• Taking Breaks — regular walks helped clear my mind when faced with challenging obstacles
• Self-Care — maintaining good sleep patterns and regular meals proved crucial for sustained performance
• Attention to Detail — often, a small overlooked detail was the key to progress
• Time Management — completing 90% of the technical portion 36 hours before deadline allowed adequate time for report writing

Final Push

The last phase of my exam journey included dedicating a full day to report writing, resulting in a comprehensive 142-page document, and using the final 6 hours to achieve 100% completion of all objectives.

Conclusions and Advice

Overall Assessment

CAPE stands out as an exceptional learning path and certification for anyone serious about Active Directory security. It provides in-depth knowledge of AD security concepts, offers practical real-world scenarios, and prepares you thoroughly for enterprise-level challenges.

Time Investment

This is not a certification to be taken lightly:

• Learning path: ~36 days (~100–200 hours)
• Exam preparation and execution: 60–120 hours
• Total commitment: expect to invest 3–4 months of dedicated study

Prerequisites

CAPE is definitely an intermediate-level certification. Before attempting it, ensure you:

• Have completed CPTS certification
• Have experience with several HTB Pro Labs
• Are comfortable with pivoting and lateral movement
• Know multiple tools for each attack technique
• Have strong environment awareness skills

Key Tips for Success

Documentation

• Take detailed notes during the exam
• Document every exploitation path
• Keep organized records of all credentials
• Start report writing early

Learning Path Approach

• Don’t rush through the modules
• Understand the why behind each technique
• Use modules as reference material during the exam
• Review challenging modules before the exam

Exam Strategy

• Prepare your VM environment in advance
• Practice thorough enumeration — it is key
• Take regular breaks when stuck
• Maintain work-life balance during the exam

Final Thoughts

CAPE is more than just another certification — it’s a transformative journey into the depths of Active Directory security. While it may not yet have widespread HR recognition, its technical depth and practical approach make it invaluable for security professionals. The certification’s commitment to keeping materials current and relevant ensures that the skills you gain will remain applicable in real-world scenarios.

The journey through CAPE isn’t just about passing an exam — it’s about becoming a more competent cybersecurity professional.

This post was originally published on Medium.