Research & Tradecraft

Revisiting COM Hijacking

TL;DR: This post shows how COM hijacking can serve as a reliable persistence method while also...

May 28, 2025 • 7 min read

Understanding & Mitigating BadSuccessor

TL;DR: BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can...

May 27, 2025 • 24 min read

The SQL Server Crypto Detour

As part of my role as Service Architect here at SpecterOps, one of the things I’m...

Apr 8, 2025 • 12 min read

An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

About five years ago, Lee Chagolla-Christensen shared a blog detailing the research and development process behind...

Apr 7, 2025 • 15 min read

Do You Own Your Permissions, or Do Your Permissions Own You?

tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges Before we get started, if you’d prefer...

Mar 26, 2025 • 8 min read

Getting Started with BHE — Part 2

Contextualizing Tier Zero TL;DR An accurately defined Tier Zero provides an accurate depiction of Attack Path Findings...

Mar 19, 2025 • 10 min read

Getting Started with BHE — Part 1

Understanding Collection, Permissions, and Visibility of Your Environment TL;DR Attack Path visibility is dependent upon scope...

Mar 12, 2025 • 6 min read

Decrypting the Forest From the Trees

TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If...

Mar 6, 2025 • 10 min read

Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops

During red team operations, stealth is a critical component. We spend a great deal of time...

Feb 20, 2025 • 17 min read