AI Isn’t Changing the Game, It’s Speeding It Up: Rethinking Modern Attack Paths Register Now

SpecterOps Blog

Filters

Categories

Clear all
Clear Search
Leveraging Tailscale Keys

Research & Tradecraft

Leveraging Tailscale Keys

TL;DR: This post introduces red team operators to Tailscale concepts and tradecraft that can be leveraged in the reader compromises…

By: Andrew Luke

15 mins
STOP THE CAP: Making Entra ID Conditional Access Make Sense Offline

Research & Tradecraft

STOP THE CAP: Making Entra ID Conditional Access Make Sense Offline

TL;DR: Conditional Access is powerful but hard to reason about once policies start to overlap. CAPSlock is an offline Conditional…

By: Lee Robinson

18 mins
SpecterOps + Cisco: BloodHound Enterprise Now Available on Cisco Marketplace

Company Updates

SpecterOps + Cisco: BloodHound Enterprise Now Available on Cisco Marketplace

We are excited to announce a new partnership with worldwide technology leader Cisco, adding BloodHound Enterprise to the Cisco Solutions…

By: SpecterOps Team

2 mins
Weaponizing Whitelists: An Azure Blob Storage Mythic C2 Profile

Research & Tradecraft

Weaponizing Whitelists: An Azure Blob Storage Mythic C2 Profile

TL;DR: Mature enterprises lock down egress but often carve out broad exceptions for trusted cloud services. This post shows how…

By: Andrew Gomez, Allen DeMoura

10 mins
MSSQL and SCCM Elevation of Privilege Vulnerabilities

Research & Tradecraft

MSSQL and SCCM Elevation of Privilege Vulnerabilities

TL;DR: I found two privilege escalation vulnerabilities, one in MSSQL (CVE-2025-49758) and one in Microsoft Configuration Manager (CVE-2025-47179), while mapping…

By: Chris Thompson

16 mins
Azure Seamless SSO: When Cookie Theft Doesn’t Cut It

Research & Tradecraft

Azure Seamless SSO: When Cookie Theft Doesn’t Cut It

TL;DR The cookie crumbled when it expired, but the attack path didn’t. Learn how BloodHound graph analysis and Azure Seamless…

By: Andrew Gomez

17 mins
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)

Research & Tradecraft

SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)

TL:DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and…

By: Garrett Foster

21 mins
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication

Research & Tradecraft

SCCM Hierarchy Takeover via Entra Integration…Because of the Implication

TL;DR SCCM sites (prior to KB35360093) integrated with Entra ID can be abused to compromise the entire hierarchy. Introduction Despite…

By: Garrett Foster

17 mins
Taming the Attack Graph: A Many Subgraphs Approach to Attack Path Analysis

BloodHound

Taming the Attack Graph: A Many Subgraphs Approach to Attack Path Analysis

TL;DR This blog presents a framework using technology subgraphs, decomposition, and graph abstraction to model hybrid attack paths and scale…

By: JD Crandell

8 mins

Sign up for the latest updates

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Sign Up For Updates From SpecterOps

By clicking Sign Up you're confirming that you agree with our Terms and Conditions.