SpecterOps Blog

Research & Tradecraft

Is Kerberoasting Still a Risk When AES-256 Kerberos Encryption Is Enabled?

TL;DR Kerberoasting is fundamentally a weak password problem. Stronger encryption slows down cracking, but it doesn’t eliminate the risk. If…

Research & Tradecraft

The (Near) Return of the King: Account Takeover Using the BadSuccessor Technique

TL;DR – After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning…

Research & Tradecraft

PingOne Attack Paths

TL;DR: You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths…

A Gentle Crash Course to LLMs

TL;DR Large Language Models (LLMs) are an evolution of a long history of turning non-mathy things into mathy things and…

Research & Tradecraft

NAA or BroCI…? Let Me Explain

TL;DR This writeup is a summary of knowledge and resources for nested application authentication (NAA) and brokered client IDs (BroCI). …

BloodHound

The Clean Source Principle and the Future of Identity Security

TL;DR Modern identity systems are deeply interconnected, and every weak dependency creates an attack path — no matter how strong any…

Research & Tradecraft

AI Gated Loader: Teaching Code to Decide Before It Acts

TL;DR AI gated loaders collect telemetry, apply a policy with an LLM, and execute only when defined OPSEC rules are…

Research & Tradecraft

WriteAccountRestrictions (WAR) – What is it good for?

TL;DR A lot of things. The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute, which can be used…

Research & Tradecraft

DCOM Again: Installing Trouble

TL;DR I am releasing a DCOM lateral movement beacon object file (BOF) that uses the Windows Installer Custom Action server…