SpecterOps Blog

Research & Tradecraft

Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP

TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP…

Research & Tradecraft

Transforming Red Team Ops with Mythic’s Hidden Gems: Browser Scripting

TL;DR Mythic’s browser scripting provides tons of flexibility that operators can tailor to their unique needs to best analyze the…

Research & Tradecraft

ARM-ed and Dangerous: Dylib Injection on macOS 

Modern Dylib Injection Techniques for AArch64 macOS TL;DR This post details how I extended the Mythic Poseidon agent to support…

Research & Tradecraft

Will WebClient Start

TL;DR WebClient is a common targeted service for NTLM relay attacks. In this post we will cover if it is…

Pantheon Introduction: A Guide and Script Collection for Mythic Eventing

TL;DR Mythic Eventing automates repetitive tasks during red team operations (RTO). This blog documents the eventing system and provides a…

Research & Tradecraft

Juicing ntds.dit Files to the Last Drop

TL;DR Several new Active Directory offline attack capabilities have recently been added to the DSInternals PowerShell module. These enhancements include the Golden…

Research & Tradecraft

Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication

TL;DR: Microsoft uses nested app authentication (NAA) for many applications. Access and refresh tokens for select applications, such as administrator…

Research & Tradecraft

HKLM\SYSTEM\Setup\sMarTdEpLoY –  The (Static) Keys to Abusing PDQ SmartDeploy

TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure credential storage. Low-privileged users…

Research & Tradecraft

Certify 2.0

TL;DR Due to modern advances in the AD CS attack landscape, an update to Certify was long overdue. Certify 2.0…