Channel: SpecterOps
Browsing all 43 articles

Sleepy — Python Tooling for Sleep

Sleepy — Python Tooling for Sleep Thank you to SpecterOps for supporting this research and to Sarah, Cody, and Daniel for proofreading and editing! Crossposted on the GitHub. TL;DR: You can use sleepy...


Cypher Queries in BloodHound Enterprise

BloodHound Enterprise (BHE) recently saw the addition of a new, game-changing feature: open-ended Cypher searches. For those unfamiliar, Cypher is a declarative query language used for retrieving data...


ADCS Attack Paths in BloodHound — Part 1

ADCS Attack Paths in BloodHound — Part 1 Since Will Schroeder and Lee Christensen published the Certified Pre-Owned whitepaper, the BloodHound Enterprise team at SpecterOps has been eager to implement...


Spinning Webs — Unveiling Arachne for Web Shell C2

Spinning Webs — Unveiling Arachne for Web Shell C2 What is a web shell? A web shell is a payload that allows continued access to a remote system, just like other “shells” we refer to in computer...


ADCS ESC13 Abuse Technique

It is possible to configure an Active Directory Certificate Services (ADCS) certificate template with an issuance policy having an OID group link to a given AD group. This configuration makes AD treat...


Final Steps to BloodHound Enterprise for Government — FedRAMP High Compliance

Final Steps to BloodHound Enterprise for Government — FedRAMP High Compliance Ever since SpecterOps first launched BloodHound Enterprise (BHE) in July 2021, one of our team’s biggest frustrations...


Misconfiguration Manager: Overlooked and Overprivileged

TL;DR: Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material...


Browserless Entra Device Code Flow

Zugspitze, Bavaria, Germany. Photo by Andrew Chiles Did you know that it is possible to perform every step in Entra’s OAuth 2.0 Device Code flow — including the user authentication steps — without a...


Pwned by the Mail Carrier

How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. At SpecterOps, we recommend our customers establish a security boundary around their most...


Ghostwriter v4.1: The Custom Fields Update

Let’s dive into what makes this so exciting! There’s so much to cover that we won’t be offended if you want to look at the CHANGELOG for a quick synopsis. Introducing Customizable Fields Over the...


Summoning RAGnarok With Your Nemesis

I hope I’m Not Too Late With the explosion of large language model (LLM) use, everyone is rushing to apply LLMs to their specific industry and it’s the same for information security. While LLMs have a...


Getting Intune with Bugs and Tokens: A Journey Through EPM

Written by Zach Stein & Duane Michael SpecterOps Hackathon Back in January, SpecterOps held our annual hackathon event, loosely based on Atlassian’s “FedEx Day” (now called “ShipIt Day”). The gist...


Rooting out Risky SCCM Configs with Misconfiguration Manager

tl;dr: I wrote a script to identify every TAKEOVER and ELEVATE attack in Misconfiguration Manager. Ever since Garrett Foster, Duane Michael, and I released Misconfiguration Manager at SO-CON last...


LSA Whisperer

Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on GitHub. What follows is the...


Nemesis 1.0.0

In August of last year, @tifkin_, @0xdab0, and I released Nemesis, our offensive data enrichment platform. After lots of feedback, operational testing, hundreds of commits, and another solid dev cycle,...


ADCS Attack Paths in BloodHound — Part 2

ADCS Attack Paths in BloodHound — Part 2 In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to...


Manual LDAP Querying: Part 2

This post is a follow-up to my previous post on manual LDAP querying. I would highly recommend reading that post prior to reading this one if you are interested in some of the basics of searching LDAP....


Plenty of Phish in the Sea

Phishing School How to Find the Right Phishing Targets A weapon is useless unless you have something to aim it at. When we weaponize social engineering, our targets are the humans who have the ability...


Behavior vs. Execution Modality

On Detection: Tactical to Functional Part 12 Introduction At Shmoocon 2015, Will Schroeder (Harmj0y) gave a talk titled “I Hunt Sys Admins,” describing how attackers can hunt (or find the location of)...


Part 14: Sub-Operations

On Detection: Tactical to Functional When the Operation is not Enough Introduction A while back, I was working on deconstructing a standard variation of Token Theft and stumbled into a couple of...
