blog category
Research & Tradecraft
Research & Tradecraft
An Operator’s Guide to Device-Joined Hosts and the PRT Cookie
About five years ago, Lee Chagolla-Christensen shared a blog detailing the research and development process behind...
By: matt creel
Apr 7, 2025 • 15 min read
Read Post
Research & Tradecraft
Do You Own Your Permissions, or Do Your Permissions Own You?
tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges Before we get started, if you’d prefer...
By: Chris Thompson
Mar 26, 2025 • 8 min read
Read Post
Research & Tradecraft
Getting Started with BHE — Part 2
Contextualizing Tier Zero TL;DR An accurately defined Tier Zero provides an accurate depiction of Attack Path Findings...
By: Nathan Davis
Mar 19, 2025 • 10 min read
Read Post
Research & Tradecraft
Getting Started with BHE — Part 1
Understanding Collection, Permissions, and Visibility of Your Environment TL;DR Attack Path visibility is dependent upon scope...
By: Nathan Davis
Mar 12, 2025 • 6 min read
Read Post
Research & Tradecraft
Decrypting the Forest From the Trees
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If...
By: garrett foster
Mar 6, 2025 • 10 min read
Read Post
Research & Tradecraft
Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops
During red team operations, stealth is a critical component. We spend a great deal of time...
By: alexander demine
Feb 20, 2025 • 17 min read
Read Post
Research & Tradecraft
Entering a Covenant: .NET Command and Control
By: Ryan Cobb
Feb 17, 2025 • 11 min read
Read Post
Research & Tradecraft
Further Adventures With CMPivot — Client Coercion
Further Adventures With CMPivot — Client Coercion Perfectly Generated AI Depiction based on Title TL:DR CMPivot queries can be used...
By: diego lomellini
Feb 3, 2025 • 8 min read
Read Post
Research & Tradecraft
Entra Connect Attacker Tradecraft: Part 2
Now that we know how to add credentials to an on-premises user, lets pose a question:...