We are experts in developing and improving security operations capabilities, increasing our client’s readiness against adversary attacks. We leverage our deep experience and knowledge of adversary techniques to support our clients, all the way from point-in-time assessments improving specific defensive capabilities, to serving as the trusted advisor and partner driving improvements across the entire security operations program.
Our experience across hundreds of government, defense industry, financial, and healthcare environments has taught us that the most vital component of a robust security posture is understanding how adversaries will operate against the organization’s enterprise environment. We build our services around that perspective, focused on analyzing and improving attack path detection capabilities and validating defensive efforts through attack simulation. We believe that technical capabilities have their place, but the human component to any security program is absolutely critical. Our objective is to train and arm our clients with the knowledge of how the effective use of the interlocking components of their security program provide a robust security posture and readiness against active directory attacks and other vulnerable system attacks.
Our assessments focus on adversary capabilities and techniques present in the “real world,” translating risk into actions an organization can achieve. Our advisory services are designed not to just help the organization install another technology, but to help improve attack path detection and response capabilities over time, keeping our clients informed of adversary capabilities and preventing effective operations of advanced threat actors.
Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities. SpecterOps team members bring extensive security experience from finance, healthcare, military, intelligence community, and federal programs. Leveraging lessons learned building and supporting teams across these diverse environments, we tailor our approach to your capability development and maturation needs. Save the wasted effort of months of ineffective trial and error by focusing your approach on building transparent, effective, and repeatable adversary simulation and assessment capabilities that measurably improve organizational security.
It can be difficult to build out or grow a new adversary simulation and detection capability without prior experience. Whether you are trying to stand up an internal Penetration Testing, Red Team engagement, Purple Team, Threat Hunting, or Detection program, SpecterOps has the background to ensure your success. We work to ensure there are attainable goals and metrics and design a path to success. We strive to build a program that is owned and operated by you, not continually dependent on us, meeting your organization needs and avoiding common pitfalls plagued by many organizations.
SpecterOps provides a third-party adversary focused perspective of your enterprise environments. Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.
The objective of our penetration tests is to assist the organization in understanding the full impact of a potential breach and evaluate how effective security controls work to protect the most critical assets. Our team of experts will work with you to design penetration testing engagements that will achieve the greatest impact on assessing your risk visibility into your environment. Our experience enables us to execute a methodology while also assuring penetration testing is cost-effective and timely.
The difference in our penetration testing service is that we focus on impact objective driven testing. Whether we are attempting to access sensitive information, breach security boundaries, or access management systems, you can be sure that our time is efficiently spent on comprehensively testing your organization’s capability to protect critical assets.
TL;DR This post explains how to request OAuth tokens and enumerate an Entra ID tenant by using an SSO cookie from a non cloud-joined device. Introduction In this post, I’m going to cover a method for requesting Entra ID access tokens using a browser Single Sign-On (SSO) cookie. This is especially useful in scenarios where […]
TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching new tradecraft and identifying new attack paths. Here we summarize everything that we (the community) have done over the past year and the impact it’s making on the state of SCCM security. Introduction In 2024, […]
TL;DR The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make it easier to identify cross-domain attack paths, we are replacing the TrustedBy edge in BloodHound with new trust edges. We are also improving […]
TL;DR The Incoming Forest Trust Builders group (not AdminSDHolder protected) can create inbound forest trusts with ticket-granting ticket (TGT) delegation enabled. This configuration causes servers to send their TGT across the trust when coerced to authenticate to a computer with unconstrained delegation. An attacker can abuse this by creating a trust to a fake domain, […]
TL;DR Sentiment analysis models are used to assess conventional use of language, but what happens when you engage with them using l33tspeak? If you’ve been in the security space for some time, you may be familiar with l33tspeak, or 1337, where you replace letters with visually similar words or symbols that resemble the original letters. […]
While LLMs can expedite parts of the technical writing/editing process, these tools still require human oversight and guidance to provide an accurate and helpful response.
TL;DR: Ghostwriter now supports real-time collaborative editing for observations, findings, and report fields using the YJS framework, Tiptap editor, and Hocuspocus server, enabling multiple users to edit simultaneously without overwriting each other. This feature integrates seamlessly with Ghostwriter’s existing GraphQL API and infrastructure while introducing modern frontend tooling, React-based components, and upgrades to Django, PostgreSQL, […]
TL;DR Microsoft will be introducing Administrator Protection into Windows 11, so I wanted to have an understanding of how this technology works and how it interacts with existing offensive tooling. While this technology is just a thin wrapper around a separate account, there are a few nuances such as who is permitted to access these […]
TL;DR The BloodHound Query Library is a community-driven collection of Cypher queries designed to help BloodHound Community Edition and BloodHound Enterprise users to unlock the full potential of the flexible BloodHound platform by creating an open query ecosystem. The library is a free tool for the community and you can start using it today at […]
TL;DR Most organizations assume they’ve implemented least privilege, but assumptions don’t stop attackers. Privilege Zones in BloodHound Enterprise lets you define and analyze real-world security boundaries to stop lateral movement and eliminate attack paths across hybrid environments. Organizations assume they have clear privilege boundaries, but those assumptions rarely match reality. Attack paths exist precisely because […]
