Browsing latest articles
Browse All 69 View Live

Getting the Most Value Out of the OSCP: The PEN-200 Course

In this second post of a five-part series, I provide advice on how to best utilize the PEN-200 course material for a successful career in ethical hacking. Disclaimer: All opinions expressed in this...

Fueling the Fight Against Identity Attacks

When we founded SpecterOps, one of our core principles was to build a company which brought unique insight into high-capability adversary tradecraft, constantly innovating in research and tooling. We...

Decrypting the Forest From the Trees

TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via...

Getting Started with BHE — Part 1

Understanding Collection, Permissions, and Visibility of Your Environment. TL;DR: Attack Path visibility is dependent upon scope of collection; complete collection is dependent upon appropriate...

Getting Started with BHE — Part 2

Contextualizing Tier Zero. TL;DR: An accurately defined Tier Zero provides an accurate depiction of Attack Path Findings in your BHE tenant. Different principals (groups, GPOs, OUs, etc.) have different...

Getting the Most Value Out of the OSCP: The PEN-200 Labs

How to leverage the PEN-200 simulated black-box penetration testing scenarios for maximal self-improvement and career success. Disclaimer: All opinions expressed in this article are solely my own. I...

Do You Own Your Permissions, or Do Your Permissions Own You?

tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges. Before we get started, if you’d prefer to listen to a 10-minute presentation instead of or to supplement reading this...

An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

Introduction: About five years ago, Lee Chagolla-Christensen shared a blog detailing the research and development process behind his RequestAADRefreshToken proof-of-concept (POC). In short, on Entra ID...

The SQL Server Crypto Detour

As part of my role as Service Architect here at SpecterOps, one of the things I’m tasked with is exploring all kinds of technologies to help those on assessments with advancing their engagement. Not...

The Renaissance of NTLM Relay Attacks: Everything You Need to Know

NTLM relay attacks have been around for a long time. While many security practitioners think NTLM relay is a solved problem, or at least a not-so-severe one, it is, in fact, alive and kicking and...
