Stay ahead of the adversary
Want to go deeper? From training to enterprise solutions, SpecterOps helps you build resilience, reduce risk, and take on the threats others miss.
BLACK HAT LAS VEGAS | AUG 2 – 7, 2025
Join SpecterOps at
Black Hat USA 2025 &
DEF CON 33
Join us and get hands-on training, powerful open-source tools, and vital insights from the pioneers redefining identity-focused security.
Mandalay Bay | Booth #4527
Schedule time with the creators behind BloodHound, Mythic and more
Curious who made your most beloved open-source tools? Come find us at booth #4527 at Black Hat USA!
Explore Identity Attack Path Management solutions, tools, and training grounded in real-world adversary tradecraft, and discover how BloodHound Enterprise streamlines mitigation efforts and eliminates millions of attack paths to stop sophisticated attackers in their tracks.
TRAININGS
Advance your tradecraft with four specialized training courses
Tools and tech are only as effective as the human using them. Become a solid keystone of your security program with SpecterOps’s courses. Our training programs teach you to think like an attacker, perfecting the skills you need to face off against sophisticated adversaries and win.
Hear from experts on the bleeding edge of cybersecurity
These presentations go beyond demos. Join our team as they share hard-earned insights, research, and new tools that tackle real-world challenges across identity, attack path management, and cloud security.
Jonathan Owens
Crucible is an extensible, multi-user, cross-platform framework designed for post-exploitation, command and control operations, penetration testing, and red teaming.
It consists of a per-operator client application, a shared teamserver, and supports language-agnostic implants and plugins.
With this release of Crucible, modern extensibility is achieved through in-memory .NET plugins or gRPC-based plugins, enabling remote communication with external applications regardless of language, allowing extensibility that fits both the operator’s skill set and needs.
Wednesday, August 6 | 5:00 – 5:55pm | Business Hall, Arsenal Station 5
Forrest Kasler | Kieran Croucher | Rebecca Allor | Max Andreacchi
Custom phishing emails consistently outperform generic pretexts on click-through metrics. In the past crafting custom emails to targets involved a lot of tedious OSINT to identify good targets, understand their interests and motivations, and write a customized message that would speak to them on a personal level. This method is simple, but highly effective. The only drawback is the time it takes; until now. We’ve written some simple OSINT tools so that an AI agent can do the OSINT grunt work for us, collect detailed profiles on our targets, and even write phishing emails for us.
Wednesday, August 6 | 3:00 – 3:55pm | Business Hall, Arsenal Station 6
Will Schroeder | Lee Chagolla-Christensen
Nemesis 2.0 is a ground-up rewrite of the Nemesis offensive data enrichment pipeline. We took two years of lessons learned and rebuilt Nemesis with a focus on extensibility, stability, and massively improved usability. We’ve narrowed the focus for Nemesis to its most used functionality: facilitating manual file triage for offensive operations. While platforms like VirusTotal revolutionized defensive file analysis, the offensive community lacks a centralized, scalable solution tailored to red team operations – exactly what Nemesis aims to be.
Wednesday, August 6 | 12:00pm-12:55pm | Business Hall, Arsenal Station 9
Garrett Foster
SCCMHunter is a post-exploitation tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.
In this update, SCCMHunter has received additions to the recon module for site system profiling, the admin module has been extended for more post-exploitation commands, and a new relay module has been built for credential relaying.
The presentation will include a walkthrough of the tool and it’s various modules and a demonstrations of how to use the modules for SCCM hierarchy takeover.
Wednesday, August 6 | 12:00pm-12:55pm | Business Hall, Arsenal Station 7
Lance Cain | Daniel Mayer
During the preceding year, SpecterOps has had a surprising amount of success leveraging JAMF APIs to laterally move and execute code on managed macOS systems in mature Fortune 500 client environments with multiple name-brand security products in use. Much of this is due to a lack of awareness among defenders regarding the impacts a compromised JAMF account can have on their organization.
Come learn the details of JAMF exploitation techniques available to threat actors and employed by SpecterOps during the preceding year, performing red team assessments of Fortune 500 client organizations to execute reconnaissance and lateral movement undetected. SpecterOps will share the processes they employ upon gaining access to JAMF administrators or service accounts to leverage APIs to accomplish objectives targeting macOS while evading detections in mature environments.
Demonstrations will be included of newly available open-source tooling introduced to automate the attack paths described. The presentation will end with recommendations to prevent and detect the actions performed for onsite or cloud hosted JAMF tenants.
Wednesday, August 6 | 4:20pm-5:00 pm | Islander E & I, Level 0 – North Convention Center
Garrett Foster
Windows Server Failover Cluster (WSFC) implementations represent a critical yet underexamined attack surface in enterprise environments. This research exposes how WSFC’s architectural design inadvertently creates exploitable abuse paths and presents novel attack methodologies demonstrating how the compromise of a single cluster node can lead to complete cluster takeover, lateral movement across clustered infrastructure, and ultimately, domain compromise.
This Briefing will present previously undiscovered techniques for extracting and leveraging cluster credentials, manipulating Kerberos authentication, and exploiting excessive permissions granted to cluster objects. This “set it and forget it” high-availability infrastructure represents a significant blind spot for organizations.
You will leave with a better understanding of WSFC’s internal security architecture, strategies for enumerating and abusing these new attack paths, and concrete defensive guidance for protecting organizations from these new abuses.
Thursday, August 7 | 11:20am-12:00pm | Oceanside C, Level 2
Join us for happy hour!
Brooklyn Bowl
3545 South Las Vegas Boulevard, Las Vegas, NV 89109
Wednesday, August 6, 2025 | 6:00 – 9:00 PM
Register NowDEF CON 33
SpecterOps at DEF CON 33: Red Team talks, tools and tactics
We’re back at DEF CON as proud sponsors of the Red Team Village: Where offensive security pros gather to trade tactics, and push boundaries. Stop by for cutting-edge talks, real-world tradecraft, and fresh insights from the team behind the best open-source tools built for the adversary mindset.
Come to our Talks at DEF CON
Skyler Knect
Proxies and pivots play an important role in modern day red-team tradecraft. This presentation will dive into the setup, usage, and attacker techniques required to be effective with proxies. Local, reverse, and dynamic forwards enable red teams to maintain persistent access and move laterally within target environments. By combining these techniques, operators can construct sophisticated attack chains that enable deep network access through multiple segmented environments. To perform these techniques, the presenters will leverage a publicly available tunneling toolkit, Messenger.
Michael Donley
Operating with modern red team tools has a lot of ins, a lotta outs, a lotta what-have-yous. If you were like me before operating with tools like Mythic, managing your projects with Ghostwriter, and analyzing your data automatically with Nemesis, you were probably living in the past and piecing things together manually, writing things down in a tedious, un-zen lack-of-system that would leave you scrambling at the end of testing, when your report should be about to go to a peer review or QA.
You might be saying, “But Michael, I like doing things manually and wasting mine and my client’s time.” Yeah, well, you know, that’s just, like, your opinion, man.
That is entering a world of pain. I don’t know about you, but when that’s happening, I feel really out of my element.
Luckily, Mythic, Ghostwriter, and Nemesis really tie the room together and are a huge quality-of-life boost. No more will you say to yourself, “This aggressor script will not stand, man!” Sometimes the bear eats you, but it’s high time you eat the bear.
Get ready to be bowled away by a modern approach to managing your red team operations with tools like Mythic, Ghostwriter, and Nemesis (or whatever else you can think of to plug into these tools’ APIs if you’re not into the whole brevity thing) to streamline your workflow.
You might get so excited that you’ll flail your arms around in joy – but be careful man, there’s a beverage here!
Hugo van den Toorn, Joey Dreijer
BloodHound Quest
Time to unleash the hounds! This isn’t your run-of-the-mill CTF, we are talking full-blown digital treasure hunt mode. No hacking required, no shells to pop and no buffers to overflow. Just pure BloodHound wizardry.
Ready to get your paws dirty with BloodHound Enterprise? Sure, it shares some DNA with your trusty Community Edition, but this beast has some serious bite differences that’ll keep you on your toes. Let’s play during the BloodHound Challenge at DEF CON 33’s Red Team Village!
Stay ahead of the adversary
Want to go deeper? From training to enterprise solutions, SpecterOps helps you build resilience, reduce risk, and take on the threats others miss.