Getting the Most Value Out of the OSCP: The Exam
A practical guide to maximizing the short- and long-term benefits of your upcoming OSCP exam attempt(s). Disclaimer: All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec's copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose […]
The Renaissance of NTLM Relay Attacks: Everything You Need to Know
NTLM relay attacks have been around for a long time. While many security practitioners think NTLM relay is a solved problem, or at least a not-so-severe one, it is, in fact, alive and kicking and arguably worse than ever before. Relay attacks are the easiest way to compromise domain-joined hosts nowadays, paving a path for […]
The SQL Server Crypto Detour
As part of my role as Service Architect here at SpecterOps, one of the things I'm tasked with is exploring all kinds of technologies to help those on assessments with advancing their engagement. Not long after starting this new role, I was approached with an interesting problem. A SQL Server database backup for a ManageEngine's […]
An Operator's Guide to Device-Joined Hosts and the PRT Cookie
About five years ago, Lee Chagolla-Christensen shared a blog detailing the research and development process behind his RequestAADRefreshToken proof-of-concept (POC).
Do You Own Your Permissions, or Do Your Permissions Own You?
tl;dr: Fewer FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges. Before we get started, if you'd prefer to listen to a 10-minute presentation instead of or to supplement reading this post, please check out the recording of our most recent BloodHound Release Recap webinar. You can also sign up for future webinars here. Back in August, a […]
Getting the Most Value Out of the OSCP: The PEN-200 Labs
How to leverage the PEN-200 simulated black-box penetration testing scenarios for maximal self-improvement and career success. Disclaimer: All opinions expressed in this article are solely my own. I have reviewed the content to ensure compliance with OffSec's copyright policies and agreements. I have not been sponsored or incentivized in any way to recommend or oppose any […]
Getting Started with BHE — Part 2
Contextualizing Tier Zero. TL;DR: An accurately defined Tier Zero provides an accurate depiction of Attack Path Findings in your BHE tenant. Different principals (groups, GPOs, OUs, etc.) have different implications when Tier Zero is defined; understanding these will help reduce confusion around why something is showing up as Tier Zero. Welcome to round two of the Getting Started with BloodHound […]
Getting Started with BHE — Part 1
Understanding Collection, Permissions, and Visibility of Your Environment TL;DR Attack Path visibility is dependent upon scope of collection; complete collection is dependent upon appropriate permissions. Your collection strategy benefits from tiering just like your domain(s). Introduction Welcome to my series on Getting Started with BloodHound Enterprise! This series comes after having had several discussions with […]
Decrypting the Forest From the Trees
TL;DR: SCCM forest discovery accounts can be decrypted, including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API. Introduction: While Duane Michael, Chris Thompson, and I were originally working on the Misconfiguration Manager project, one of the tasks I took […]
Fueling the Fight Against Identity Attacks
When we founded SpecterOps, one of our core principles was to build a company which brought unique insight into high-capability adversary tradecraft, constantly innovating in research and tooling. We aspired to set the cadence of the cyber security industry through a commitment to benefit our entire security community. Today, I am thrilled to announce that […]