Do You Own Your Permissions, or Do Your Permissions Own You?
tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges Before we get started, if you’d prefer to listen to a 10-minute presentation instead of or to supplement reading this post, please check out the recording of our most recent BloodHound Release Recap webinar. You can also sign up for future webinars here. Back in August, a […]
Getting the Most Value Out of the OSCP: The PEN-200 Labs
How to leverage the PEN-200 simulated black-box penetration testing scenarios for maximal self-improvement and career success. Disclaimer: All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose any […]
Getting Started with BHE — Part 2
Contextualizing Tier Zero TL;DR An accurately defined Tier Zero provides an accurate depiction of Attack Path Findings in your BHE tenant. Different principals (groups, GPOs, OUs, etc.) have different implications when Tier Zero is defined — understanding these will help reduce confusion around why something showing up as Tier Zero. Welcome to round two of the Getting Started with BloodHound […]
Getting Started with BHE — Part 1
Understanding Collection, Permissions, and Visibility of Your Environment TL;DR Attack Path visibility is dependent upon scope of collection; complete collection is dependent upon appropriate permissions. Your collection strategy benefits from tiering just like your domain(s). Introduction Welcome to my series on Getting Started with BloodHound Enterprise! This series comes after having had several discussions with […]
Decrypting the Forest From the Trees
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API. Introduction While Duane Michael, Chris Thompson, and I were originally working on the Misconfiguration Manager project, one of the tasks I took […]
Fueling the Fight Against Identity Attacks
When we founded SpecterOps, one of our core principles was to build a company which brought unique insight into high-capability adversary tradecraft, constantly innovating in research and tooling. We aspired to set the cadence of the cyber security industry through a commitment to benefit our entire security community. Today, I am thrilled to announce that […]
Getting the Most Value Out of the OSCP: The PEN-200 Course
In this second post of a five-part series, I provide advice on how to best utilize the PEN-200 course material for a successful career in ethical hacking. Disclaimer: All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. I have not been […]
Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops
During red team operations, stealth is a critical component. We spend a great deal of time ensuring our payloads will evade any endpoint detection and response (EDR) solution, our traffic is obfuscated and hard to trace, and our commands will interact with a system in a way that limits the number of possible detection opportunities […]
Getting the Most Value out of the OSCP: Pre-Course Prep
The first post in a five-part practical guide series on maximizing the professional, educational, and financial value of the OffSec certification pursuit for a successful career in offensive cybersecurity consulting Disclaimer: All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec’s copyright policies and agreements. […]
Enhancements for BloodHound v7.0 Provide Fresh User Experience and Attack Path Risk Optimizations
TL;DR: Refreshed user interface with a new vertical navigation layout for improved user experience. General Availability of “Improved Analysis Algorithm” that provides more accurate risk scoring for findings across your environment. Enhancements to the Posture page, including a new “Attack Paths” metric and increased visibility into your Attack Path security posture. Release highlights focus on […]