Come see us at RSA Conference San Francisco Apr 28 – May 1 at Moscone South Expo Hall – Booth #0349 Learn More
Get a Demo
blog category

Research & Tradecraft

image for The Renaissance of NTLM Relay Attacks: Everything You Need to Know
Featured

Research & Tradecraft

The Renaissance of NTLM Relay Attacks: Everything You Need to Know

NTLM relay attacks have been around for a long time. While many security practitioners think NTLM relay is a solved problem, or at least a not-so-severe one, it...

Apr 8, 2025 • 40 min read
Read Post
image for The SQL Server Crypto Detour

Research & Tradecraft

The SQL Server Crypto Detour

As part of my role as Service Architect here at SpecterOps, one of the things I’m...

Apr 8, 2025 • 12 min read
Read Post
image for An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

Research & Tradecraft

An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

About five years ago, Lee Chagolla-Christensen shared a blog detailing the research and development process behind...

Apr 7, 2025 • 15 min read
Read Post
image for Do You Own Your Permissions, or Do Your Permissions Own You?

Research & Tradecraft

Do You Own Your Permissions, or Do Your Permissions Own You?

tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges Before we get started, if you’d prefer...

Mar 26, 2025 • 8 min read
Read Post
image for Getting the Most Value Out of the OSCP: The PEN-200 Labs

Research & Tradecraft

Getting the Most Value Out of the OSCP: The PEN-200 Labs

How to leverage the PEN-200 simulated black-box penetration testing scenarios for maximal self-improvement and career success. Disclaimer:...

Mar 25, 2025 • 16 min read
Read Post
image for Getting Started with BHE — Part 2

Research & Tradecraft

Getting Started with BHE — Part 2

Contextualizing Tier Zero TL;DR An accurately defined Tier Zero provides an accurate depiction of Attack Path Findings...

Mar 19, 2025 • 10 min read
Read Post
image for Getting Started with BHE — Part 1

Research & Tradecraft

Getting Started with BHE — Part 1

Understanding Collection, Permissions, and Visibility of Your Environment TL;DR Attack Path visibility is dependent upon scope...

Mar 12, 2025 • 6 min read
Read Post
image for Decrypting the Forest From the Trees

Research & Tradecraft

Decrypting the Forest From the Trees

TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If...

Mar 6, 2025 • 10 min read
Read Post
image for Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops

Research & Tradecraft

Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops

During red team operations, stealth is a critical component. We spend a great deal of time...

Feb 20, 2025 • 17 min read
Read Post
image for Further Adventures With CMPivot — Client Coercion

Research & Tradecraft

Further Adventures With CMPivot — Client Coercion

Further Adventures With CMPivot — Client Coercion Perfectly Generated AI Depiction based on Title TL:DR CMPivot queries can be used...

Feb 3, 2025 • 8 min read
Read Post