Join SpecterOps at Black Hat USA 2024 from August 3-8! Learn more
Resources

SpecterOps Projects
Free and Open Source

Research

White Papers

Certified Pre-Owned

Explore how Active Directory Certificate Services (AD CS) poses risks, including credential theft and domain escalation, demanding awareness.

Download

An ACE Up the Sleeve

This paper offers technical insights on building backdoors through misconfigured security descriptors, including ACE enumeration, BloodHound mapping, and defensive considerations, with case studies and future research prospects.

Download

A Voyage to Uncovering Telemetry

This paper introduces capability abstraction methodology to enhance detection by dissecting attack techniques and underlying technologies, particularly noting the lack of telemetry on Remote Procedure Calls (RPC), prompting further investigation.

Download

Subverting Sysmon

This paper focuses on assessing security product effectiveness, which necessitates unbiased evaluation. Key considerations include detection coverage, resilience to bypasses, and understanding attacker motivations.

Download

A Process is No One

This paper discusses the varied definitions of hunting in information security and presents a five-step approach to hypothesis-driven hunting, demonstrated through a case study on Access Token Manipulation.

Download

Subverting Trust in Windows

This paper delves into the subjective nature of trust in computer security, emphasizing the need for organizations to meticulously evaluate technology. Understanding trust validation emerges as a pivotal factor for ensuring effective security measures.

Download
Resources

Case Studies

Free & Open Source

Affiliated Toolsets

Bloodhound Enterprise
BloodHound
Simulation

Explore

Merlin Agent
Merlin
Simulation

Explore

Ghost Manager tool simulation
GhostManager
Simulation

Explore

Covenant .NET command and control framework
Covenant
Simulation

Explore

Mythic Agents command and control platform for red teaming operations
Mythic
Simulation

Explore

Most Active
SharpChromium
Explore
WireTap
Explore
SharpRDP
Explore
SharpChromium
Explore
WireTap
Explore
SharpRDP
Explore
StayKit
Explore
MoveKit
Explore
PowerSCCM
Explore
Uproot
Explore
PowerForensics
Explore
CimSweep
Explore
ACE
Explore
SharpSploit
Explore
PowerSploit
Explore
PortPlow.io
Explore
KeeThief
Explore
Malleable C2
Explore
GhostPack
Explore
Empire
Explore
Domain Hunter
Explore
Cs2modrewrite
Explore
MythicAgents
Explore
Industry Knowledge

Vulnerability Acknowledgements

Vulnerability Participants Reference
CVE-2020-14979 Matt Hand Go to Reference CVE-2020-10747 Julian Catrambone Go to Reference CVE-2020-9913 Cody Thomas Go to Reference CVE-2020-8884 Lee Christensen Go to Reference CVE-2020-0583 Lee Christensen Go to Reference CVE-2019-18631 Lee Christensen Go to Reference CVE-2019–12757 Matt Nelson Go to Reference CVE-2019-13382 Matt Nelson Go to Reference CVE-2019–13142 Matt Nelson Go to Reference CVE-2019-0683 Will Schroeder, Lee Christensen Go to Reference CVE-2018-8200 Matt Graeber Go to Reference CVE-2018-8204 Matt Graeber, Matt Nelson Go to Reference CVE-2018-8414 Matt Nelson Go to Reference CVE-2018-0854 Matt Graeber Go to Reference CVE-2018-8222 Matt Graeber Go to Reference CVE-2018-8221 Matt Graeber Go to Reference CVE-2018-8212 Matt Nelson Go to Reference CVE-2018-8211 Matt Graeber Go to Reference CVE-2018-8126 Matt Nelson Go to Reference CVE-2018-0958 Lee Christensen Go to Reference CVE-2018-0902 Matt Nelson Go to Reference CVE-2018-0884 Lee Christensen Go to Reference CVE-2018-0827 Matt Nelson Go to Reference CVE-2017-8715 Matt Nelson Go to Reference CVE-2017-8625 Matt Nelson Go to Reference CVE-2017-0219 Matt Graeber Go to Reference CVE-2017-0218 Matt Graeber, Matt Nelson Go to Reference CVE-2017-0216 Matt Graeber Go to Reference CVE-2017-0215 Matt Nelson Go to Reference CVE-2017-0007 Matt Nelson Go to Reference CVE-2016-3346 Matt Graeber Go to Reference ADV170021 Matt Nelson Go to Reference
Resources

Datasheets

Get Started

Defend Against
Advanced Attacks

Talk to an Expert