Raj Patel (@grayhatkiller)'s Twitter Profile
Raj Patel

@grayhatkiller

Adversary Simulation @SpecterOps

ID: 3301418017

30-07-2015 09:42:47

29 Tweets

253 Followers

184 Following

Sebas (@0xroot)

⚔ Abuse the Power of DCOM Excel Application Discover lateral movement tactics using DCOM's 'ActivateMicrosoftApp()' method in Excel for persistence in legacy systems By Raj Patel posts.specterops.io/lateral-moveme…

Jonas Bülow Knudsen (@jonas_b_k)

ADCS attack paths in BloodHound! 🥳 This blog post breaks down the implementation of the ESC1 requirements and guides you on effectively leveraging BloodHound to identify attack paths that include ESC1 privileges. posts.specterops.io/adcs-attack-pa…

SpecterOps (@specterops)

What's new with BOFHound? 🤷 Check out Matt Creel's latest blog post which delves into several new BOFs as well as an example attack path visualized using the BOFs, BOFHound, and BHCE. ghst.ly/3udnFVM

Andy Robbins (@_wald0)

In this blog post:

● My analysis of the Midnight Blizzard breach affecting Microsoft
● Step-by-step explanation of the attack path the adversary took
● Practical, free steps ANY Azure admin can take to protect themselves

posts.specterops.io/microsoft-brea…

Garrett (@garrfoster)

SCCM hierarchy takeover by abusing site server high availability. In this blog, I walk through what active and passive site servers are and share multiple abusable scenarios that come bundled in. posts.specterops.io/sccm-hierarchy…

Duane Michael (@subat0mik)

Join Chris Thompson and me at SpecterOps SO-CON on March 11 at 9 AM as we present our talk, Misconfiguration Manager: Overlooked and Overprivileged. Also, here's an SCCM haiku teaser to hold you over!

Chris Thompson (@_mayyhem)

I'm pumped to announce the release of Misconfiguration Manager, a knowledge base and how-to for both offensive and defensive SCCM attack path management, that Duane Michael, Garrett, and I have been working on! Check it out and let us know what you think! posts.specterops.io/misconfigurati…

Will Schroeder (@harmj0y)

"Summoning RAGnarok With Your Nemesis" posts.specterops.io/summoning-ragn… I detail how we built a Nemesis-powered Retrieval-Augmented Generation (RAG) chatbot PoC, code now public at github.com/GhostPack/Ragn… ! Fun example of how to build on top of Nemesis' functionality.

Zach Stein (@synzack21)

Curious about Intune's new EPM feature? So were we. In this blog Duane Michael and I explore the internals of EPM and share some interesting findings. posts.specterops.io/getting-intune…

Daniel Mayer (@dan__mayer)

Tired of having to write your payload to disk to move laterally? Make a .NET Profiler DLL and load it straight from a webDAV server! Hook functions, monitor assembly loads and more as lagniappe. posts.specterops.io/lateral-moveme…

Nick Powers (@zyn3rgy)

[Tool & Blog release] - smbtakeover, a technique to unbind/rebind port 445 without loading a driver, loading a module into LSASS, or rebooting the target machine. The goal is to ease exploitation of targeted NTLM relay primitives while operating over C2. Github repo is linked at

Alex Neff (@al3x_n3ff)

Inspired by the great talk by Duane Michael, Chris Thompson and Garrett at #Troopers24, I wrote a new SCCM reconnaissance module that implements the RECON-1 (LDAP) part of the Misconfiguration Manager. This makes it much easier to enumerate the existing SCCM infrastructure🎯

Daniel Heinsen (@hotnops)

It's alive! Apeman is a graph-based tool to model AWS IAM permissions. This marks the start of a new journey to methodically identify and remediate IAM attack paths, and I look forward to learning together with y'all. github.com/hotnops/apeman

Forrest Kasler (@fkasler)

This is the last of my phishing series! It's a recap and reference for the whole thing. Hope it was as fun to read as it was to write:

Duane Michael (@subat0mik)

I wrote a blog post about some of the intangible benefits of working as a red team operator and adversary simulation consultant at SpecterOps. It's pretty awesome here. And we're hiring! posts.specterops.io/life-at-specte…

SpecterOps (@specterops)

Thanks to all the ghouls and ghosts who joined us for the chilling training sessions and spine-tingling fun at Specter Bash in Denver! 👻🎃 Our team loved sharing hacking horror stories and indulging in eerie Halloween activities. We hope you had a frightfully good time!

Cody Thomas (@its_a_feature_)

I'm starting to use GitHub Discussions (github.com/its-a-feature/…) and will be creating a public roadmap for Mythic too using GitHub Projects (github.com/users/its-a-fe…). Please keep an eye out and join in! :)

Matt Creel (@tw1sm)

New blog up to cover manual AD CS enumeration using ldapsearch and the new release of bofhound 🔍 posts.specterops.io/bofhound-ad-cs…