SpecterOps Blog

Research & Tradecraft

Malware Development Pt. 1: Dynamic Module Loading in Go

Introduction As a blend between offensive security engineer and developer, I find myself frustrated in attempting to adhere to the…

Research & Tradecraft

Death from Above: Lateral Movement from Azure to On-Prem AD

Intro I’ve been looking into Azure attack primitives over the past couple of months to gain a better understanding of…

Research & Tradecraft

A Change of Mythic Proportions

Research & Tradecraft

Covenant v0.6

Research & Tradecraft

Persistent AWS access with role chain juggling

Research & Tradecraft

Requesting Azure AD Request Tokens on Azure-AD-joined Machines for Browser SSO

RequestAADRefreshToken is a tool that returns OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a…

Research & Tradecraft

Audio Unit Plug-ins

Legitimate Un-signed Code Execution MacOS is known as the premiere platform for sound and video editing software. Applications such as…

Research & Tradecraft

Automating DLL Hijack Discovery

Introduction This blogpost will describe the concept of dynamic-link library (DLL) search order hijacking and how it can be used…

Research & Tradecraft

Attacking FreeIPA — Part IV: CVE-2020–10747

I was informed on Wednesday June 17th 2020 that CVE 2020–10747 was revoked after it had been initially issued on…