Introducing BloodHound Scentry: Accelerate your APM practice. Learn More

Matt Creel

Senior Consultant

Matt Creel is a Senior Consultant at SpecterOps with expertise in performing Windows-focused penetration tests and red team assessments. He is also a lead trainer for SpecterOps’ Adversary Tactics: Red Team Operations course.

See the latest by Matt Creel

Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS

Research & Tradecraft

Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS

TL;DR – It’s important to know if your NTLM relay will be prevented by integrity protections such as EPA, before…

By: Nick Powers, Matt Creel

16 mins
An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

Research & Tradecraft

An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

About five years ago, Lee Chagolla-Christensen shared a blog detailing the research and development process behind his RequestAADRefreshToken proof-of-concept (POC).

By: Matt Creel

15 mins
BOFHound: AD CS Integration

Research & Tradecraft

BOFHound: AD CS Integration

TL;DR: BOFHound can now parse Active Directory Certificate Services (AD CS) objects, manually queried from LDAP, for review and attack…

By: Matt Creel

14 mins
BOFHound: Session Integration

Research & Tradecraft

BOFHound: Session Integration

Background If you’ve found yourself on a red team assessment without SharpHound (maybe due to OPSEC or stealth requirements), you’d…

By: Matt Creel

13 mins
Abusing Slack for Offensive Operations: Part 2

Research & Tradecraft

Abusing Slack for Offensive Operations: Part 2

When I first started diving into offensive Slack access, one of the best public resources I found was a blog…

By: Matt Creel

7 mins