SpecterOps Blog

Industry Insights

DPAPI Backup Key Compromise Pt. 1: Some Forests Must Burn

TL;DR The industry recommendation for DPAPI backup key compromise remediation is to destroy and rebuild the environment. This article aims…

BloodHound

Privilege Zones: BloodHound Enterprise spreading like a computer virus (of security)

TL;DR The BloodHound Enterprise team recently pushed out Privilege Zones, one of the most requested features from our clients. Here’s…

Requesting Entra ID Tokens with Entra ID SSO Cookies

TL;DR This post explains how to request OAuth tokens and enumerate an Entra ID tenant by using an SSO cookie…

Research & Tradecraft

Misconfiguration Manager: Still Overlooked, Still Overprivileged

TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching…

Research & Tradecraft

OneLogin, Many Issues: How I Pivoted from a Trial Tenant to Compromising Customer Signing Keys

TL;DR OneLogin was found to have security vulnerabilities in its AD Connector service that exposed authentication credentials and enabled account…

Research & Tradecraft

Update: Dumping Entra Connect Sync Credentials

TL;DR Microsoft has recently changed how Entra Connect Sync authenticates to Entra ID. This blog post will discuss what has…

BloodHound

Chatting with Your Attack Paths: An MCP for BloodHound

TL;DR In an effort to learn about Model Context Protocol servers, I created a MCP server that allows Claude Desktop…

Industry Insights

Getting the Most Value Out of the OSCP: After the Exam

TL;DR In the final post of this series, I’ll discuss what to do after your latest exam attempt to get…

Research & Tradecraft

An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

About five years ago, Lee Chagolla-Christensen shared a blog detailing the research and development process behind his RequestAADRefreshToken proof-of-concept (POC).