Manual LDAP Querying: Part 2
This post is a follow-up to my previous post on manual LDAP querying. I would highly recommend reading that post prior to reading this one if you are interested in some of the basics of searching LDAP. A few people asked why I chose dsquery and ldapsearch for the last blog. There are several options […]
ADCS Attack Paths in BloodHound — Part 2
ADCS Attack Paths in BloodHound — Part 2 In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths including the ESC1 abuse technique. In this blog post, we will continue to explore more of the new edges we […]
In August of last year, @tifkin_, @0xdab0, and I released Nemesis, our offensive data enrichment platform. After lots of feedback, operational testing, hundreds of commits, and another solid dev cycle, we’re proud to finally announce Nemesis’ 1.0.0 release. This post will detail several of the major changes we’re excited about, from host modeling, to a […]
Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and Adam for proofreading and editing! Crossposted on GitHub. What follows is the culmination of two years of research with funding by SpecterOps and contributions from many of my coworkers. Special thanks are needed to Elad, Lee, […]
Rooting out Risky SCCM Configs with Misconfiguration Manager
tl;dr: I wrote a script to identify every TAKEOVER and ELEVATE attack in Misconfiguration Manager. Ever since Garrett Foster, Duane Michael, and I released Misconfiguration Manager at SO-CON last month, we’ve had tons of great conversations with people interested in finding and fixing configurations that leave an SCCM environment vulnerable to attack, including those that […]
Ghostwriter v4.1: The Custom Fields Update
Let’s dive into what makes this so exciting! There’s so much to cover that we won’t be offended if you want to look at the CHANGELOG for a quick synopsis. Introducing Customizable Fields Over the years, we’ve had many requests for database adjustments to make it easier for Ghostwriter to fit different workflows and team […]
Getting Intune with Bugs and Tokens: A Journey Through EPM
Written by Zach Stein & Duane Michael SpecterOps Hackathon Back in January, SpecterOps held our annual hackathon event, loosely based on Atlassian’s “FedEx Day” (now called “ShipIt Day”). The gist of the event was a bunch of hackers hanging out for a few days and presenting their results. At the event’s start, Specters broke into teams […]
Pwned by the Mail Carrier
How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. At SpecterOps, we recommend our customers establish a security boundary around their most critical assets (i.e., Tier Zero) of Active Directory (AD). We help them find and remediate the attack paths that cross this security boundary with BloodHound Enterprise. One of […]
Summoning RAGnarok With Your Nemesis
I hope I’m Not Too Late With the explosion of large language model (LLM) use, everyone is rushing to apply LLMs to their specific industry and it’s the same for information security. While LLMs have a huge range of applications in the security domain, we’re going to focus on one specific use case: answering questions about […]
Browserless Entra Device Code Flow
Zugspitze, Bavaria, Germany. Photo by Andrew Chiles Did you know that it is possible to perform every step in Entra’s OAuth 2.0 Device Code flow — including the user authentication steps — without a browser? Why that matters: Automating authentication flows enables and accelerates comprehensive and ongoing offensive research Headless authentication frees red teamers and pentesters from requiring browser or cookie access Demonstrating […]