SpecterOps Blog

Research & Tradecraft

LSA Whisperer

Thank you to SpecterOps for supporting this research, to Elad for helping draft this blog, and to Sarah, Daniel, and…

Research & Tradecraft

Rooting out Risky SCCM Configs with Misconfiguration Manager

tl;dr: I wrote a script to identify every TAKEOVER and ELEVATE attack in Misconfiguration Manager. Ever since Garrett Foster, Duane…

Research & Tradecraft

Ghostwriter v4.1: The Custom Fields Update

Let’s dive into what makes this so exciting! There’s so much to cover that we won’t be offended if you…

Research & Tradecraft

Getting Intune with Bugs and Tokens: A Journey Through EPM

Written by Zach Stein & Duane Michael SpecterOps Hackathon Back in January, SpecterOps held our annual hackathon event, loosely based on…

Research & Tradecraft

Agent Customization in Mythic: Tailoring Tools for Red Team Needs

Research & Tradecraft

Pwned by the Mail Carrier

How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. At SpecterOps, we recommend our customers…

Research & Tradecraft

Summoning RAGnarok With Your Nemesis

I hope I’m Not Too Late With the explosion of large language model (LLM) use, everyone is rushing to apply LLMs…

Research & Tradecraft

Browserless Entra Device Code Flow

Zugspitze, Bavaria, Germany. Photo by Andrew Chiles Did you know that it is possible to perform every step in Entra’s OAuth…

Research & Tradecraft

Misconfiguration Manager: Overlooked and Overprivileged

TL;DR: Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening…