We are experts in developing and improving security operations capabilities, increasing our client’s readiness against adversary attacks. We leverage our deep experience and knowledge of adversary techniques to support our clients, all the way from point-in-time assessments improving specific defensive capabilities, to serving as the trusted advisor and partner driving improvements across the entire security operations program.
Our experience across hundreds of government, defense industry, financial, and healthcare environments has taught us that the most vital component of a robust security posture is understanding how adversaries will operate against the organization’s enterprise environment. We build our services around that perspective, focused on analyzing and improving attack path detection capabilities and validating defensive efforts through attack simulation. We believe that technical capabilities have their place, but the human component to any security program is absolutely critical. Our objective is to train and arm our clients with the knowledge of how the effective use of the interlocking components of their security program provide a robust security posture and readiness against active directory attacks and other vulnerable system attacks.
Our assessments focus on adversary capabilities and techniques present in the “real world,” translating risk into actions an organization can achieve. Our advisory services are designed not to just help the organization install another technology, but to help improve attack path detection and response capabilities over time, keeping our clients informed of adversary capabilities and preventing effective operations of advanced threat actors.
Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities. SpecterOps team members bring extensive security experience from finance, healthcare, military, intelligence community, and federal programs. Leveraging lessons learned building and supporting teams across these diverse environments, we tailor our approach to your capability development and maturation needs. Save the wasted effort of months of ineffective trial and error by focusing your approach on building transparent, effective, and repeatable adversary simulation and assessment capabilities that measurably improve organizational security.
It can be difficult to build out or grow a new adversary simulation and detection capability without prior experience. Whether you are trying to stand up an internal Penetration Testing, Red Team engagement, Purple Team, Threat Hunting, or Detection program, SpecterOps has the background to ensure your success. We work to ensure there are attainable goals and metrics and design a path to success. We strive to build a program that is owned and operated by you, not continually dependent on us, meeting your organization needs and avoiding common pitfalls plagued by many organizations.
SpecterOps provides a third-party adversary focused perspective of your enterprise environments. Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.
The objective of our penetration tests is to assist the organization in understanding the full impact of a potential breach and evaluate how effective security controls work to protect the most critical assets. Our team of experts will work with you to design penetration testing engagements that will achieve the greatest impact on assessing your risk visibility into your environment. Our experience enables us to execute a methodology while also assuring penetration testing is cost-effective and timely.
The difference in our penetration testing service is that we focus on impact objective driven testing. Whether we are attempting to access sensitive information, breach security boundaries, or access management systems, you can be sure that our time is efficiently spent on comprehensively testing your organization’s capability to protect critical assets.
TL;DR Due to new security features in Windows and the lack of existing research, we set out to find ways to extract credentials on fully patched Windows environments with modern protections enabled. This resulted in a new generation of credential dumping techniques. Credential dumping remains one of the most effective techniques used by adversaries and […]
TL;DR Kerberoasting is fundamentally a weak password problem. Stronger encryption slows down cracking, but it doesn’t eliminate the risk. If the password is weak, AES won’t save you. There’s no new, groundbreaking tradecraft here. Clients often ask us whether Kerberoastable user accounts (i.e., user accounts with a Service Principal Name [SPN]) remain at risk if […]
TL;DR – After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still abuse dMSAs to take over any object where we have a write primitive. This mention did not gather significant attention from the community, leaving an operational gap for […]
TL;DR: You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances. Brief A few months ago the Ping Identity Corporation reached out to us and asked if we’d work to identify abuse primitives and bring our attack path management approach to their PingOne […]
TL;DR Large Language Models (LLMs) are an evolution of a long history of turning non-mathy things into mathy things and back again with a side of rolling funky-sided dice. LLMs don’t reason but embed large quantities of word patterns into matrices to make guesses about what should come next in a sentence. As with new […]
TL;DR This writeup is a summary of knowledge and resources for nested application authentication (NAA) and brokered client IDs (BroCI). Introduction Microsoft introduced nested application authentication (NAA) in 2024 in this blog post. While this initial announcement was specifically for Teams, Outlook, and M365, we can now see it integrated into many more applications. NAA […]
TL;DR Modern identity systems are deeply interconnected, and every weak dependency creates an attack path — no matter how strong any single platform appears. The Clean Source Principle and BloodHound OpenGraph make these hidden relationships visible, empowering defenders to treat Attack Path Management as an ongoing discipline rather than a one-time project. Introduction In his 2024 blog post, The Security […]
TL;DR AI gated loaders collect telemetry, apply a policy with an LLM, and execute only when defined OPSEC rules are met. Offense and defense are always in contest. Red teams try to slip past detection while defenders adapt and refine their detections. At its core, this contest is about intelligence and timing. Payload loaders are […]
TL;DR A lot of things. The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute, which can be used to manipulate account and security settings. Delegating write permissions for the property set is also typically combined with “force password reset” for domain join operations. If misconfigured, the principal with these permissions could, at a […]
TL;DR I am releasing a DCOM lateral movement beacon object file (BOF) that uses the Windows Installer Custom Action server to install and configure an ODBC driver. If you just want the code: https://github.com/werdhaihai/msi_lateral_mv Intro SpecterOps provided me with an opportunity to research the Windows Installer. In this blogpost, we’ll discuss how I went about […]
