SpecterOps Blog

Research & Tradecraft

Ghostwriter v6 is Live!

TL;DR: Ghostwriter now supports real-time collaborative editing for observations, findings, and report fields using the YJS framework, Tiptap editor, and…

Research & Tradecraft

I’d Like to Speak to Your Manager: Stealing Secrets with Management Point Relays

TL;DR Network Access Account, Task Sequence, and Collection Settings policies can be recovered from SCCM by relaying a remote management…

BloodHound

LudusHound: Raising BloodHound Attack Paths to Life

TL;DR LudusHound is a tool for red and blue teams that transforms BloodHound data into a fully functional, Active Directory…

BloodHound

Privilege Zones: BloodHound Enterprise spreading like a computer virus (of security)

TL;DR The BloodHound Enterprise team recently pushed out Privilege Zones, one of the most requested features from our clients. Here’s…

Research & Tradecraft

Machine Learning Series Chapter 1

MICROGRAD FOR MORTALS TL;DR Let’s use Micrograd to explain core ML concepts like supervised learning, regression, classification, loss functions, and…

Requesting Entra ID Tokens with Entra ID SSO Cookies

TL;DR This post explains how to request OAuth tokens and enumerate an Entra ID tenant by using an SSO cookie…

Research & Tradecraft

Misconfiguration Manager: Still Overlooked, Still Overprivileged

TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching…

BloodHound

Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound

TL;DR The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on…

Research & Tradecraft

Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA)

TL;DR The Incoming Forest Trust Builders group (not AdminSDHolder protected) can create inbound forest trusts with ticket-granting ticket (TGT) delegation…