Pwned by the Mail Carrier
How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. At SpecterOps, we recommend our customers establish a security boundary around their most critical assets (i.e., Tier Zero) of Active Directory (AD). We help them find and remediate the attack paths that cross this security boundary with BloodHound Enterprise. One of […]
Browserless Entra Device Code Flow
Did you know that it is possible to perform every step in Entra’s OAuth 2.0 Device Code flow — including the user authentication steps — without a browser? Why that matters: automating authentication flows enables and accelerates comprehensive and ongoing offensive research; headless authentication frees red teamers and pentesters from requiring browser or cookie access; demonstrating […]
Misconfiguration Manager: Overlooked and Overprivileged
TL;DR: Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material at SO-CON 2024 on March 11, 2024. We’ll update this post with a link to the recording when it becomes available. Background Suppose you’ve been following offensive security research […]
Final Steps to BloodHound Federal — FedRAMP High Compliance
Ever since SpecterOps first launched BloodHound Enterprise (BHE) in July 2021, one of our team’s biggest frustrations involved a lack of FedRAMP qualifications, which prevented us from supporting a large set of desired users, specifically in the federal space. This is why I am both proud and happy […]
ADCS ESC13 Abuse Technique
It is possible to configure an Active Directory Certificate Services (ADCS) certificate template with an issuance policy having an OID group link to a given AD group.
Spinning Webs — Unveiling Arachne for Web Shell C2
What is a web shell? A web shell is a payload that allows continued access to a remote system, just like other “shells” we refer to in computer security. What makes a web shell a little different is that it’s not beaconing out to a command-and-control (C2) server, nor is […]
ADCS Attack Paths in BloodHound — Part 1
Since Will Schroeder and Lee Christensen published the Certified Pre-Owned whitepaper, the BloodHound Enterprise team at SpecterOps has been eager to implement Active Directory Certificate Services (ADCS) attack paths in BloodHound. However, the complexity of ADCS presented challenges in creating simple-to-use BloodHound edges for covering ADCS domain escalations. That’s why […]
Cypher Queries in BloodHound Enterprise
BloodHound Enterprise (BHE) recently saw the addition of a new, game-changing feature: open-ended Cypher searches. For those unfamiliar, Cypher is a declarative query language used for retrieving data from a graph database (in this case, Neo4j). As you’ll soon see, the nature of Cypher is one that helps drive the concept of relationships between nodes […]
Sleepy — Python Tooling for Sleep
Thank you to SpecterOps for supporting this research and to Sarah, Cody, and Daniel for proofreading and editing! Crossposted on GitHub. TL;DR: You can use sleepy to automate common tasks when working with Sleep code. Raphael Mudge created the embeddable scripting language, Sleep, in April 2002. Sleep was designed to extend Java applications […]
Mythic v3.2 Highlights: Interactive Tasking, Push C2, and Dynamic File Browser
TL;DR: Mythic v3.2 has Push C2, Interactive Async Tasking, TypedArray parameters, new graphing libraries in the UI, database migrations, dynamic file browser groupings, and more! Mythic v3.2 It’s been a few months since the last Mythic update, so it’s time to release a new version! This version has many major updates from […]