The Security Principle Every Attacker Needs to Follow
Earlier this year, I was tasked with developing a follow-on course for our renowned Adversary Tactics: Red Team Operations course. The new course needed to cover the advanced tradecraft we perform on engagements and teach students how to navigate highly secure environments. I decided to focus on “Identity-Driven Offensive Tradecraft”, which ultimately became the course […]
The Security Principle Every Attacker Needs to Follow
Earlier this year, I was tasked with developing a follow-on course for our renowned Adversary Tactics: Red Team Operations course. The new course needed to cover the advanced tradecraft we perform on engagements and teach students how to navigate highly secure environments. I decided to focus on “Identity-Driven Offensive Tradecraft”, which ultimately became the course […]
Mythic 3.3 Beta: Rise of the Events
A brief overview of Mythic 3.3’s new features Eventing Flows Mythic 3.3 Updates Mythic 3.3 has too many updates to mention them all here, so if you want a deeper dive into the change log, please check it out on GitHub. Instead, we’re going to focus on the biggest changes and why you should care. Because this Mythic […]
PHISHING SCHOOL How to Make Your Phishing Sites Blend In As you read this, bots are coming to find and destroy your phishing sites. You need to protect them before it’s too late! But how? A phishing page is no good if our targets never get to see it. After bypassing the secure email gateway, convincing a […]
An AWS Administrator Identity Crisis: Part 1
BLUF: Every attack path needs a destination. This is a formalized way of describing destinations in AWS. In cloud providers where we only have data plane access, we divert our focus from an arbitrary definition of administrator to resources we care about. How many administrators are in your AWS environment? Does it even matter? This is seemingly […]
I Will Make you Phishers of Men
PHISHING SCHOOL Convincing Targets to Click Your Links When it comes to phishing advice, the number one question I get from co-workers is “what campaigns are you using?”. People see my success, and wish to emulate it. Well, if a phish is what you wish, I would like you to meet my friend Ish: Who am I? […]
Mapping Snowflake’s Access Landscape
Attack Path Management Because Every Snowflake (Graph) is Unique Introduction On June 2nd, 2024, Snowflake released a joint statement with Crowdstrike and Mandiant addressing reports of “[an] ongoing investigation involving a targeted threat campaign against some Snowflake customer accounts.” A SpecterOps customer contacted me about their organization’s response to this campaign and mentioned that there seems […]
Lateral Movement with the .NET Profiler
Lateral Movement with the .NET Profiler The accompanying code for this blogpost can be found HERE. Intro I spend a lot of my free time modding Unity games. Since Unity is written in C#, the games are very easy to work with compared to those that compile to unmanaged code. This makes it a perfect hobby project to […]
Automating SCCM with Ludus: A Configuration Manager for Your Configuration Manager
TL;DR: Using Ludus as the backend, and with the help of Erik at Bad Sector Labs, I present a fully customizable SCCM deployment you can integrate into your home lab. https://github.com/Synzack/ludus_sccm Intro The past couple of years have been an exciting time in Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager [SCCM]) tradecraft. I’ve […]
On Detection: Tactical to Functional When the Operation is not Enough Introduction A while back, I was working on deconstructing a standard variation of Token Theft and stumbled into a couple of interesting edge cases that my model still needed to account for. Below is the operation chain for one of the most common Token Impersonation […]