Martin Sohn Christensen

Profiles

• X @martinsohndk
• Bluesky @martinsohn.dk
• LinkedIn @martinsohn
• GitHub @martinsohn

Tools

• BloodHound Query Library - A community-driven repository of BloodHound queries
• ManagerOfHound - OpenGraph extension for BloodHound to discover manager-subordinate privilege escalation paths
• CIS Controls Initial Assessment Tool v8.0b - Enhanced CIS Controls v8 assessment spreadsheet with consolidated safeguards and enriched metadata
• Office phish templates and defense recommendations - Social engineering templates to trick users into enabling macros (featured by Emotet), plus comprehensive defense strategies
• PowerShell TCP reverse shell - Encrypted reverse shell with DNS-over-HTTPS C2 discovery and comprehensive PowerShell defense guidance

Posts

• 2026-03-24, RTFM: Read The Fatal Manual – When Vendor Documentation Creates Critical Attack Paths
• 2025-06-17, Introducing the BloodHound Query Library
• 2023-03-02, How I killed BT’s payphone email service
• 2023-02-13, Basic Microsoft Active Directory Security - Identify and Prioritize Low-hanging Risks
• 2022-09-13, Local privilege escalation vulnerabilities in PeaZip MSI installer - CVE-2022-40779 & CVE-2022-47082
• Series: Email security (collab w/ Jeffrey Bencteux & Sebastian Andersen)
  • 2022-06-21, Part 1: All Your SPF Includes Are Belong To Us
  • 2022-06-27, Part 2: Phish’n’Chimps: email spoofing via marketing and CRM platforms
  • 2022-07-08, Part 3: Email Security Pitfalls
• Series: SID filter as security boundary between domains? (collab w/ Jonas Bülow Knudsen & Tobias Torp)
  • 2022-03-28, Part 1: Kerberos authentication explained
  • 2022-03-29, Part 2: Known AD attacks - from child to parent
  • 2022-04-01, Part 3: SID filtering explained
  • 2022-04-04, Part 4: Bypass SID filtering research
  • 2022-04-06, Part 5: Golden GMSA trust attack - from child to parent
  • 2022-04-07, Part 6: Schema change trust attack - from child to parent
  • 2022-04-08, Part 7: Trust account attack - from trusting to trusted
• 2022-03-17, Privilege escalation vulnerability in Anaconda3 and Miniconda3 - CVE-2022-26526
• 2022-03-01, Network share risks - Deploying secure defaults and searching shares for sensitive information (credentials, PII, and more)
• 2021-12-03, The command prompt has been disabled by your administrator. Press any key to continue… or use these weird tricks to bypass – admins will hate you!
• 2021-01-28, Privilege escalation vulnerability in NinjaRMM Agent MSI Installer introduced by EXEMSI MSI Wrapper - CVE-2021-26273 & CVE-2021-26274
• 2020-06-16, Pi-hole CVE-2020-8816 analysis and alternative PoC

Talks

• 2026-06-24, TROOPERS26: Tier Breakers: Blind Spots in Cloud-Managed PAWs (collab w/ Thomas Naunheim)
• 2026-06-20, BSides Aarhus 2026: RTFM - Read The Fatal Manual: When Documentation Creates Critical Misconfiguration
• 2026-04-24, BSides Prague 2026: RTFM - Read The Fatal Manual: When Documentation Creates Critical Misconfiguration
• 2022-10-09, BSides Copenhagen 2022: Don’t be trusted: Active Directory trust attacks, and the recording (collab w/ Jonas Bülow Knudsen)
• 2022-08-14, Adversary Village DEF CON 30: Don’t be trusted: Active Directory trust attacks (collab w/ Jonas Bülow Knudsen)
• 2022-03-26, OWASP Copenhagen: Email spoofing via marketing platforms

CVEs & Security Advisories

• Multiple vendors - RTFM: Read The Fatal Manual – When Vendor Documentation Creates Critical Attack Paths
  • CyberArk CA25-38: Critical severity issue in the “Manage AD certificates in the devices” section of CyberArk Identity documentation
  • ManageEngine security advisory: Corrected AD CS certificate template guidance
• PeaZip - Local privilege escalation vulnerabilities in PeaZip MSI installer
  • CVE-2022-40779: Privilege escalation in PeaZip version 8.8.0 MSI installer due to EXEMSI vulnerability
  • CVE-2022-47082: Privilege escalation in PeaZip version 8.8.0 MSI Installer due to incorrect access control
• Anaconda3 and Miniconda3 - Privilege escalation vulnerability in Anaconda3 and Miniconda3
  • CVE-2022-26526: Privilege escalation in Anaconda3 v2021.11.0.0 and Miniconda3 v11.0.0.0
• NinjaRMM Agent - Privilege escalation vulnerability in NinjaRMM Agent MSI Installer introduced by EXEMSI MSI Wrapper
  • CVE-2021-26273: Privilege escalation in NinjaRMM Agent v5.0.909
  • CVE-2021-26274: Insecure installation folder permissions in NinjaRMM Agent v5.0.909
  • CVE-2021-32415: EXEMSI MSI Wrapper Versions prior to 10.0.50 and at least since version 6.0.91 will introduce a local privilege escalation vulnerability in installers it creates.

Certifications/trainings

• SpecterOps - Adversary Tactics: Identity-Driven Offensive Tradecraft (AT:IDOT)
• SpecterOps - Adversary Tactics: Red Team Operations (AT:RTO) @ SO-CON 2025
• SpecterOps - Adversary Perspectives: Active Directory (AP:AD) [Certified Trainer]
• Outsider Security - Offensive Entra ID (Azure AD) and Hybrid AD Security @ Insomni’hack 2024
• SpecterOps - Adversary Tactics: Vulnerability Research for Operators (AT:VRO) @ Black Hat 2023
• SpecterOps - Adversary Tactics: Tradecraft Analysis (AT:TA) @ Black Hat 2022
• eLearnSecurity - Certified Professional Penetration Tester (eCPPTv2)
• Zero-Point Security - Certified Red Team Operator (CRTO)
• Pentester Academy - Certified Red Team Professional (CRTP)