SpecterOps Blog

Research & Tradecraft

What’s Your Secret?: Secret Scanning by DeepPass2 

TL;DR DeepPass2 is a secret scanning tool that combines regex rules, a fine-tuned BERT model, and LLM validation to detect…

Research & Tradecraft

Entra Connect Attacker Tradecraft: Part 3

TL;DR Attackers can exploit Entra Connect sync accounts to hijack device userCertificate properties, enabling device impersonation and bypassing conditional access…

BloodHound

BloodHound Community Edition v8 Launches with OpenGraph: Identity Attack Paths Beyond Active Directory & Entra ID 

TL;DR SpecterOps announces the rollout of BloodHound Community Edition 8.0, which includes usability and expandability enhancements for community members. The…

BloodHound

BloodHound v8: Usability, Extensibility, and OpenGraph

TL;DR BloodHound v8 introduces exciting new features enabling users to get more and do more with the BloodHound Attack Path…

Industry Insights

DPAPI Backup Key Compromise Pt. 1: Some Forests Must Burn

TL;DR The industry recommendation for DPAPI backup key compromise remediation is to destroy and rebuild the environment. This article aims…

Research & Tradecraft

Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS

Learn how to perform stealthy recon of Active Directory environments over ADWS for Red Team Assessments

Escaping the Confines of Port 445

TL;DR NTLM relay attacks on SMB restrict lateral movement to port 445/TCP capabilities. To extend beyond, leverage the Service Control…

Research & Tradecraft

Ghostwriter v6 is Live!

TL;DR: Ghostwriter now supports real-time collaborative editing for observations, findings, and report fields using the YJS framework, Tiptap editor, and…

Research & Tradecraft

I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays

TL;DR Network Access Account, Task Sequence, and Collection Settings policies can be recovered from SCCM by relaying a remote management…