SpecterOps Blog

BloodHound

LudusHound: Raising BloodHound Attack Paths to Life

TL;DR LudusHound is a tool for red and blue teams that transforms BloodHound data into a fully functional, Active Directory…

BloodHound

Privilege Zones: BloodHound Enterprise spreading like a computer virus (of security)

TL;DR The BloodHound Enterprise team recently pushed out Privilege Zones, one of the most requested features from our clients. Here’s…

Research & Tradecraft

Machine Learning Series Chapter 1

MICROGRAD FOR MORTALS TL;DR Let’s use Micrograd to explain core ML concepts like supervised learning, regression, classification, loss functions, and…

Requesting Entra ID Tokens with Entra ID SSO Cookies

TL;DR This post explains how to request OAuth tokens and enumerate an Entra ID tenant by using an SSO cookie…

Research & Tradecraft

Misconfiguration Manager: Still Overlooked, Still Overprivileged

TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching…

BloodHound

Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound

TL;DR The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on…

Research & Tradecraft

Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA)

TL;DR The Incoming Forest Trust Builders group (not AdminSDHolder protected) can create inbound forest trusts with ticket-granting ticket (TGT) delegation…

Research & Tradecraft

Lost in Translation: How L33tspeak Might Throw Sentiment Analysis Models for a Loop

TL;DR Sentiment analysis models are used to assess conventional use of language, but what happens when you engage with them…

Research & Tradecraft

LLMentary, My Dear Claude: Prompt Engineering an LLM to Perform Word-to-Markdown Conversion for Templated Content

While LLMs can expedite parts of the technical writing/editing process, these tools still require human oversight and guidance to provide…