SpecterOps Blog

Research & Tradecraft

The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique

TL;DR – After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning…

Research & Tradecraft

WriteAccountRestrictions (WAR) – What is it good for?

TL;DR A lot of things. The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute, which can be used…

Industry Insights

The Salesloft–Drift Breach: An Attack Path Case Study

TL;DR This post analyzes the Salesloft–Drift incident through an attack path lens, showing how violations of the clean source principle,…

Research & Tradecraft

This One Weird Trick: Multi-Prompt LLM Jailbreaks (Safeguards Hate It!)

TL;DR: Using multiple prompts within the context of a conversation with an LLM can lead to safeguard bypasses. How can…

Research & Tradecraft

Transforming Red Team Ops with Mythic’s Hidden Gems: Browser Scripting

TL;DR Mythic’s browser scripting provides tons of flexibility that operators can tailor to their unique needs to best analyze the…

Pantheon Introduction: A Guide and Script Collection for Mythic Eventing

TL;DR Mythic Eventing automates repetitive tasks during red team operations (RTO). This blog documents the eventing system and provides a…

Research & Tradecraft

HKLM\SYSTEM\Setup\sMarTdEpLoY –  The (Static) Keys to Abusing PDQ SmartDeploy

TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure credential storage. Low-privileged users…

Research & Tradecraft

Nemesis 2.0

TL;DR We took a chainsaw to Nemesis 1.0, kept the parts that operators loved (i.e., automated file processing), and rebuilt…

BloodHound

Attack Graph Model Design Requirements and Examples

TL;DR OpenGraph makes it easy to add new nodes and edges into BloodHound, but doesn’t design your data model for…