SpecterOps Blog

Industry Insights

Epic Pentest Fail

How to Wreck Entra with a Single Mistyped Character This is a cautionary tale. Always read the docs when you…

BloodHound

ShareHound: An OpenGraph Collector for Network Shares

TL;DR: ShareHound is an OpenGraph collector for BloodHound CE and BloodHound Enterprise that maps network shares, permissions, and paths at…

Research & Tradecraft

Catching Credential Guard Off Guard

TL;DR Due to new security features in Windows and the lack of existing research, we set out to find ways…

Research & Tradecraft

Is Kerberoasting Still a Risk When AES-256 Kerberos Encryption Is Enabled?

TL;DR Kerberoasting is fundamentally a weak password problem. Stronger encryption slows down cracking, but it doesn’t eliminate the risk. If…

Research & Tradecraft

The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique

TL;DR – After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning…

Research & Tradecraft

PingOne Attack Paths

TL;DR: You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths…

A Gentle Crash Course to LLMs

TL;DR Large Language Models (LLMs) are an evolution of a long history of turning non-mathy things into mathy things and…

Research & Tradecraft

NAA or BroCI…? Let Me Explain

TL;DR This writeup is a summary of knowledge and resources for nested application authentication (NAA) and brokered client IDs (BroCI). …

BloodHound

The Clean Source Principle and the Future of Identity Security

TL;DR Modern identity systems are deeply interconnected, and every weak dependency creates an attack path — no matter how strong any…