Slándáil Research:
Feed: SpecterOps Team Blog
Nemesis 1.0.0
LSA Whisperer
Rooting out Risky SCCM Configs with Misconfiguration Manager
Final Steps to BloodHound Enterprise for Government— FedRAMP High Compliance
Ghostwriter v4.1: The Custom Fields Update
Getting Intune with Bugs and Tokens: A Journey Through EPM
Pwned by the Mail Carrier
Summoning RAGnarok With Your Nemesis
Browserless Entra Device Code Flow
Misconfiguration Manager: Overlooked and Overprivileged
Final Steps to BloodHound Federal — FedRAMP High Compliance
ADCS ESC14 Abuse Technique
SCCM Hierarchy Takeover with High Availability
The Most Dangerous Entra Role You’ve (Probably) Never Heard Of
ADCS ESC13 Abuse Technique
Directory.ReadWrite.All Is Not As Powerful As You Might Think
Spinning Webs — Unveiling Arachne for Web Shell C2
Microsoft Breach — How Can I See This In BloodHound?
Microsoft Breach — What Happened? What Should Azure Admins Do?
BOFHound: Session Integration
ADCS Attack Paths in BloodHound — Part 1
Calling Home, Get Your Callbacks Through RBI
Cypher Queries in BloodHound Enterprise
Sleepy — Python Tooling for Sleep
Mythic v3.2 Highlights: Interactive Tasking, Push C2, and Dynamic File Browser
Merlin’s Evolution: Multi-Operator CLI and Peer-to-Peer Magic
Abusing Slack for Offensive Operations: Part 2
Lateral Movement without Lateral Movement (Brought to you by ConfigMgr)
Phishing With Dynamite
Domain of Thrones: Part II
Lateral Movement: Abuse the Power of DCOM Excel Application
CVE-2023–4632: Local Privilege Escalation in Lenovo System Updater
Domain of Thrones: Part I
Bloodhound Enterprise: securing Active Directory using graph theory
Uncovering RPC Servers through Windows API Analysis
Perfect Loader Implementations
SCCM Hierarchy Takeover
Ghostwriter v4: 2FA, RBAC, and Logging, Oh My!
Reactive Progress and Tradecraft Innovation
What is Tier Zero — Part 2
Shadow Wizard Registry Gang: Structured Registry Querying
Site Takeover via SCCM’s AdminService API
Hacking With Your Nemesis
BloodHound Community Edition: A New Era
BloodHound Enterprise Learns Some New Tricks
Challenges In Post-Exploitation Workflows
Your new best friend: Introducing BloodHound Community Edition
On (Structured) Data
Performance, Diagnostics, and WMI
Sowing Chaos and Reaping Rewards in Confluence and Jira
What is Tier Zero — Part 1
Understanding Telemetry: Kernel Callbacks
Less SmartScreen More Caffeine: (Ab)Using ClickOnce for Trusted Code Execution
On Detection: From Tactical to Functional
Beyond Procedures: Digging into the Function Call Stack
FOSS BloodHound 4.3.1 release
Security Distilled: Building a First-Principles Approach to Understanding Security
From DA to EA with ESC5
C2 and the Docker Dance: Mythic 3.0’s Marvelous Microservice Moves
Exploring Impersonation through the Named Pipe Filesystem Driver
Introducing BloodHound 4.3 — Get Global Admin More Often
I’d TAP That Pass
Uncovering Windows Events
Abusing Azure App Service Managed Identity Assignments
Telemetry Layering
Ghostwriter v3.2 Release
At the Edge of Tier Zero: The Curious Case of the RODC
The Defender’s Guide to Windows Services
SCCM Site Takeover via Automatic Client Push Installation
Passwordless Persistence and Privilege Escalation in Azure
Uncovering Windows Security Events
Stalking inside of your Chromium Browser
Uncovering Window Security Events
Certificates and Pwnage and Patches, Oh My!
The Defender’s Guide to the Windows Registry
Ghostwriter v3.1 Now Available
Prioritization of the Detection Engineering Backlog
WMI Internals Part 3
On Detection: Tactical to Function
Get your SOCKS on with gTunnel
Automating Azure Abuse Research — Part 2
Introducing BloodHound 4.2 — The Azure Refactor
Encrypting Strings at Compile Time
On Detection: Tactical to Functional
Dealing with Failure: Failure Escalation Policy in CLR Hosts
Koh: The Token Stealer
Relaying NTLM Authentication from SCCM Clients
The Phantom Credentials of SCCM: Why the NAA Won’t Die
Understanding the Function Call Stack
Establish security boundaries in your on-prem AD and Azure environment
Hang Fire: Challenging our Mental Model of Initial Access
Introducing Ghostwriter v3.0
Managed Identity Attack Paths, Part 3: Function Apps
Managed Identity Attack Paths, Part 2: Logic Apps
Managed Identity Attack Paths, Part 1: Automation Accounts
DeepPass — Finding Passwords With Deep Learning
Automating Azure Abuse Research — Part 1
EntropyCapture: Simple Extraction of DPAPI Optional Entropy
Learning Machine Learning Part 3: Attacking Black Box Models
Learning Machine Learning Part 2: Attacking White Box Models
Abusing Azure Container Registry Tasks
Coercing NTLM Authentication from SCCM
Ghostwriter v2.3.0 & 2022 Road Map
Learning Machine Learning Part 1: Introduction and Revoke-Obfuscation
War In Ukraine
Announcing Azure in BloodHound Enterprise
Revisiting Phishing Simulations
Attack Path Management Pillars: Part 3 — Safe AD Security Remediation Guidance
Dylib Loads that Tickle your Fancy
Introducing BloodHound 4.1 — The Three Headed Hound
Apollo 2.0 — New Year, New Features
Mythic 2.3 — An Interface Reborn
3 Foundational Pillars for Attack Path Management: Pillar 2 — Empirical Impact Assessment
Ghostwriter: Looking Back at 2021
3 Foundational Pillars for Attack Path Management: Pillar 1 — Continuous & Comprehensive Mapping
Azure Privilege Escalation via Azure API Permissions Abuse
Active Directory Attack Paths — “Is everyone this bad?”
Capability Abstraction Case Study: Detecting Malicious Boot Configuration Modifications
Formalized Curiosity
Azure Privilege Escalation via Service Principal Abuse
Life is Pane: Persistence via Preview Handlers
AWS ReadOnlyAccess: Not Even Once
Entity Based Detection Engineering with BloodHound Enterprise
1Password Secret Retrieval — Methodology and Implementation
Thoughts on Detection
Introducing BloodHound Enterprise: Attack Path Management for Everyone
BloodHound Enterprise vs. BloodHound Open-Source
Certified Pre-Owned
Learning from our Myths
Shadow Credentials: Abusing Key Trust Account Mapping for Takeover
Proxy Windows Tooling via SOCKS
BloodHound versus Ransomware: A Defender’s Guide
An Introduction to Manual Active Directory Querying with Dsquery and Ldapsearch
Evadere Classifications
Saving Your Access
The Attack Path Management Manifesto