SpecterOps aspires to set the cadence for the rest of the cyber security industry and bring unique insight and training into the advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths, evaluate, and develop security operations programs, providing premier adversarial training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the security industry as a whole.
Our security team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving threat detection and response capabilities across both commercial and government sectors.
You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.
Our team members are on the forefront of security research, and we are always willing to share our knowledge of attack path management, tradecraft analysis, and other adversary tactics. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.
We share our operational knowledge and lessons learned in the cyber security field with your team to hone their skill sets, their efficiency, and ultimately better secure your business.
Leveraging expertise built through years of cyber security training, experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced adversary Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.
Whether you are building new adversary tradecraft detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall cyber security operations program, ensuring robust prevention, detection, Attack Path Management, and response capabilities.
The human component to any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic adversary training is essential to robust security programs. Our cyber security training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.
From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.
TL;DR Network Access Account, Task Sequence, and Collection Settings policies can be recovered from SCCM by relaying a remote management point site system to the site database server. Introduction Duane Michael and I recently had the privilege to speak at the TROOPERS 25 conference, where we summarized the last year of SCCM research since the […]
TL;DR LudusHound is a tool for red and blue teams that transforms BloodHound data into a fully functional, Active Directory replica environment via the Ludus framework for controlled testing. This tool can be used to replicate most AD objects and permissions or can be used to replicate a specific Attack Path. Full credit to this […]
TL;DR The BloodHound Enterprise team recently pushed out Privilege Zones, one of the most requested features from our clients. Here’s a brief overview of how it expands (literally) the capabilities of BloodHound Enterprise. A couple of years ago, I wrote a blog post explaining the basic functionality of BloodHound Enterprise: what it does, how it […]
MICROGRAD FOR MORTALS TL;DR Let’s use Micrograd to explain core ML concepts like supervised learning, regression, classification, loss functions, and gradient descent. We’ll break down how models adjust weights and biases during training using backpropagation. Through simple code examples, it visualizing how gradients flow through a minimalistic neural network. Intro This article deviates from the […]
TL;DR This post explains how to request OAuth tokens and enumerate an Entra ID tenant by using an SSO cookie from a non cloud-joined device. Introduction In this post, I’m going to cover a method for requesting Entra ID access tokens using a browser Single Sign-On (SSO) cookie. This is especially useful in scenarios where […]
TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching new tradecraft and identifying new attack paths. Here we summarize everything that we (the community) have done over the past year and the impact it’s making on the state of SCCM security. Introduction In 2024, […]
TL;DR The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make it easier to identify cross-domain attack paths, we are replacing the TrustedBy edge in BloodHound with new trust edges. We are also improving […]
TL;DR The Incoming Forest Trust Builders group (not AdminSDHolder protected) can create inbound forest trusts with ticket-granting ticket (TGT) delegation enabled. This configuration causes servers to send their TGT across the trust when coerced to authenticate to a computer with unconstrained delegation. An attacker can abuse this by creating a trust to a fake domain, […]
TL;DR Sentiment analysis models are used to assess conventional use of language, but what happens when you engage with them using l33tspeak? If you’ve been in the security space for some time, you may be familiar with l33tspeak, or 1337, where you replace letters with visually similar words or symbols that resemble the original letters. […]
While LLMs can expedite parts of the technical writing/editing process, these tools still require human oversight and guidance to provide an accurate and helpful response.
