Introducing BloodHound Scentry: Accelerate your APM practice. Learn More

  • Contact Us
  • Support
  • Blog
SpecterOps
Book a Demo
  • Platform
    • BloodHound Enterprise

      Advance from mapping to eliminating attack paths with the enterprise platform that delivers at scale

      Identity Attack Path Management
      Privilege Zones
      BloodHound Scentry
      Integrations
      Interactive Demo
      APM Maturity Assessment Tool

      BloodHound Community Edition

      Start mapping attack paths with the open-source tool that started it all

      GitHub
      OpenGraph
      Documentation
      Join the Community on Slack

      BloodHound Scentry

      Accelerate your APM practice and reduce identity risk with expert guidance to protect your critical assets.

      Read More
  • Services & Tradecraft
    • OFFENSIVE SERVICES

      Red Team
      Purple Team
      AI Red Team
      Penetration Testing
      Maturity Assessments
      Attack Path Assessment

      TRAINING

      Adversary Tactics

      Red Team Operations
      Identity-Driven Offensive Tradecraft
      Detection
      Tradecraft Analysis

      Adversary Perspectives

      Active Directory
      Azure

      TRAININGS

      SO-CON 2026

      Master in-demand skills with our specialized courses at SO-CON 2026.

      Register Now
  • Solutions
    • SOLUTIONS

      Privileged Access Governance & Compliance
      Eliminate Lateral Movement
      Manage Identity Risk
      Secure Scaling
      Mergers & Acquisitions

      INDUSTRIES

      Public Sector
      Healthcare
      Financial Services

      PARTNERS & INTEGRATIONS

      Partners
      Integrations

      RESOURCES

      Attack Path Management Maturity Model

      Evaluate your ability to stop identity-based attacks

      Read the Whitepaper
  • Community
    • Our Commitment to 
Open Source

      Committed to advancing the community through open source contributions, cutting-edge research, and knowledge sharing

      OPEN SOURCE TOOLS

      BloodHound Community Edition
      Mythic
      Ghostwriter
      Nemesis 2.0
      See All Tools

      Join the Conversation

      Learn from others and share your story on the BloodHoundGang Slack Community

      Connect with us

      OPEN SOURCE RESEARCH

      Ghostwriter illustration

      Collaborative Editing

      Ghostwriter now supports real-time collaborative editing for observation...

      More Info
  • Company
    • ABOUT US

      Why SpecterOps
      News

      GET IN TOUCH

      Careers
      Contact Us

      PRESS RELEASE

      Specter Ops logo on a blue background

      SpecterOps and Tines Partner to Automate Attack Path Management with Native BloodHound Integration

      Learn More

      FEATURED EVENT

      SO-CON 2026

      Conference: April 13-14, 2026
      Training: April 15-18, 2026

      Register
  • Resources
    • RESEARCH

      Case Studies
      White Papers
      Tools
      Datasheets
      Podcasts
      View All

      BLOG

      Research & Tradecraft
      BloodHound
      Industry Insights
      Company Updates
      View All

      EVENTS

      SpecterOps Events
      SO-CON
      Webinars
      Community Events
      Talks
      View All

      BLOG

      Specter Ops logo on a blue background

      Fueling the Fight Against Identity Attacks

      When we founded SpecterOps, one of our core principles was to build a...

      Read article

      RESOURCES

      The Renaissance of NTLM Relay Attacks

      NTLM relay attacks have been around for a long time. While many security...

      Read the Whitepaper
  • Book a Demo
  • Contact Us
    Support
    Blog
  • Book a Demo
  • Platform
    • BloodHound Enterprise

      Advance from mapping to eliminating attack paths with the enterprise platform that delivers at scale

      Identity Attack Path Management
      Privilege Zones
      BloodHound Scentry
      Integrations
      Interactive Demo
      APM Maturity Assessment Tool

      BloodHound Community Edition

      Start mapping attack paths with the open-source tool that started it all

      GitHub
      OpenGraph
      Documentation
      Join the Community on Slack

      BloodHound Scentry

      Accelerate your APM practice and reduce identity risk with expert guidance to protect your critical assets.

      Read More
  • Services & Tradecraft
    • OFFENSIVE SERVICES

      Red Team
      Purple Team
      AI Red Team
      Penetration Testing
      Maturity Assessments
      Attack Path Assessment

      TRAINING

      Adversary Tactics

      Red Team Operations
      Identity-Driven Offensive Tradecraft
      Detection
      Tradecraft Analysis

      Adversary Perspectives

      Active Directory
      Azure

      TRAININGS

      SO-CON 2026

      Master in-demand skills with our specialized courses at SO-CON 2026.

      Register Now
  • Solutions
    • SOLUTIONS

      Privileged Access Governance & Compliance
      Eliminate Lateral Movement
      Manage Identity Risk
      Secure Scaling
      Mergers & Acquisitions

      INDUSTRIES

      Public Sector
      Healthcare
      Financial Services

      PARTNERS & INTEGRATIONS

      Partners
      Integrations

      RESOURCES

      Attack Path Management Maturity Model

      Evaluate your ability to stop identity-based attacks

      Read the Whitepaper
  • Community
    • Our Commitment to 
Open Source

      Committed to advancing the community through open source contributions, cutting-edge research, and knowledge sharing

      OPEN SOURCE TOOLS

      BloodHound Community Edition
      Mythic
      Ghostwriter
      Nemesis 2.0
      See All Tools

      Join the Conversation

      Learn from others and share your story on the BloodHoundGang Slack Community

      Connect with us

      OPEN SOURCE RESEARCH

      Ghostwriter illustration

      Collaborative Editing

      Ghostwriter now supports real-time collaborative editing for observation...

      More Info
  • Company
    • ABOUT US

      Why SpecterOps
      News

      GET IN TOUCH

      Careers
      Contact Us

      PRESS RELEASE

      Specter Ops logo on a blue background

      SpecterOps and Tines Partner to Automate Attack Path Management with Native BloodHound Integration

      Learn More

      FEATURED EVENT

      SO-CON 2026

      Conference: April 13-14, 2026
      Training: April 15-18, 2026

      Register
  • Resources
    • RESEARCH

      Case Studies
      White Papers
      Tools
      Datasheets
      Podcasts
      View All

      BLOG

      Research & Tradecraft
      BloodHound
      Industry Insights
      Company Updates
      View All

      EVENTS

      SpecterOps Events
      SO-CON
      Webinars
      Community Events
      Talks
      View All

      BLOG

      Specter Ops logo on a blue background

      Fueling the Fight Against Identity Attacks

      When we founded SpecterOps, one of our core principles was to build a...

      Read article

      RESOURCES

      The Renaissance of NTLM Relay Attacks

      NTLM relay attacks have been around for a long time. While many security...

      Read the Whitepaper
  • Book a Demo
  • Contact Us
    Support
    Blog
  • Book a Demo

Matt Creel

Senior Consultant

Matt Creel is a Senior Consultant at SpecterOps with expertise in performing Windows-focused penetration tests and red team assessments. He is also a lead trainer for SpecterOps’ Adversary Tactics: Red Team Operations course.

See the latest by Matt Creel

Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS

Research & Tradecraft

Less Praying More Relaying – Enumerating EPA Enforcement for MSSQL and HTTPS

TL;DR – It’s important to know if your NTLM relay will be prevented by integrity protections such as EPA, before…

By: Nick Powers, Matt Creel

16 mins

An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

Research & Tradecraft

An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

About five years ago, Lee Chagolla-Christensen shared a blog detailing the research and development process behind his RequestAADRefreshToken proof-of-concept (POC).

By: Matt Creel

15 mins

BOFHound: AD CS Integration

Research & Tradecraft

BOFHound: AD CS Integration

TL;DR: BOFHound can now parse Active Directory Certificate Services (AD CS) objects, manually queried from LDAP, for review and attack…

By: Matt Creel

14 mins

BOFHound: Session Integration

Research & Tradecraft

BOFHound: Session Integration

Background If you’ve found yourself on a red team assessment without SharpHound (maybe due to OPSEC or stealth requirements), you’d…

By: Matt Creel

13 mins

Abusing Slack for Offensive Operations: Part 2

Research & Tradecraft

Abusing Slack for Offensive Operations: Part 2

When I first started diving into offensive Slack access, one of the best public resources I found was a blog…

By: Matt Creel

7 mins

SpecterOps

Platform

BloodHound Enterprise
BloodHound Community Edition

Services and Tradecraft

Offensive Services

TRAINING

Red Team Operations
Identity-Driven Offensive Tradecraft
Detection
Tradecraft Analysis
Active Directory
Azure

Solutions

SOLUTIONS

Privileged Access Governance and Compliance
Eliminate Lateral Movement
Manage Identity Risk
Secure Scaling
Mergers & Acquisitions

INDUSTRIES

Public Sector
Healthcare
Financial Services

PARTNERS & INTEGRATIONS

Partners
Integrations

Resources

Research
Blog
Events
Podcasts
Open Source Tools

Company

Why SpecterOps
News
Careers
Contact

Copyright 2026 Specter Ops, Inc. All Rights Reserved.

Terms of Service
|
Privacy Policy
|
Trust Center