🔥The 9th Round of Easy Loan, Earn $40 Reward is in progress❗️ ⏰ Promotion Period: January 15th - Feburary 15th, 2025 👉 Register now and check more details at gate.io/campaigns/358

Have you ever wondered how RODCs work and whether compromising one would necessarily allow for privilege escalation? The answers are in my new post: At the Edge of Tier Zero: The Curious Case of the RODC posts.specterops.io/at-the-edge-of…

Yesterday Daniel Heinsen and I gave a talk at fwd:cloudsec about abusing Cloud Kerberos Trust to gain Domain Admin on-prem. You can watch the talk at: youtu.be/JCphc30kFSw?t=… The slide deck is available at: eladshamir.com/uploads/fwdclo… Demos: youtu.be/cs8ATpuIuzw

This will be an interesting one. We're running a webinar about defining Tier Zero at the same time (ghst.ly/42iswQy), so I won't be able to attend. But if anyone wants to see both webinars, ours will be available on demand later on.

A few months ago, I delivered a webinar on the topic of Kerberos abuse. It covers all the basics and some more advanced topics. It is now on YouTube if you missed it or want to watch it again: youtu.be/9SUXifUp9ZY

My heart breaks hearing and seeing the atrocities committed by the demonic terrorists against Israelis simply for being Jews. Brutal murders. Mutilation. Entire families burned alive. Kidnap of the elderly, women, and children. Rapes. Beheadings. It is not fake news. We saw the

It's a big day- Lee Chagolla-Christensen, Max Harley, and I are proud to announce that Nemesis 1.0.0 has landed! We have a ton of awesome new features and a streamlined installation, check out the details at posts.specterops.io/nemesis-1-0-0-… and the code at github.com/SpecterOps/Nem…

My On Detection series is back! In this edition I explore how the same behavior (operation chain) can be implemented using several different execution modalities and the implications of this for detection engineers. posts.specterops.io/behavior-vs-ex…

I've released another post in my On Detection series. This edition builds on the previous post where I introduced "execution modalities." Here we look at how modalities, like behavior, can impact detection efficacy and how we can deal with that fact. posts.specterops.io/part-13-415c4d…

My On Detection series continues. In part 14 I look at a “special” subset of operations that require a bit more detail to facilitate accurate detection. While this topic is more focused on the model, I finish the post by analyzing one of the variants of PoolParty Injection!

Kicking this week off with a new blog post from Elad Shamir introducing our new Identity-Driven Offensive Tradecraft training and the principle behind the course framework, the Clean Source Principle. Read more: ghst.ly/4fgfuuq

Check out my latest blog post, "The Security Principle Every Attacker Needs to Follow", in which I lay the foundation for a framework for discovering attack paths, including those that BloodHound can't find yet. posts.specterops.io/the-security-p…

Yesterday, I wrote a thread describing the ESXi vulnerability and how you can use BloodHound's Attack Path Management approach to quantify the impact of such a group. However, it's useful to understand our exposure to the vulnerability as well. x.com/jaredcatkinson…

New blog post just dropped! 😎 In this installment of our blog series on Identity-Driven Offensive Tradecraft, Elad Shamir shares a framework he developed for discovering known & unknown Attack Paths. posts.specterops.io/navigating-the…

If you liked RTO from SpecterOps or have attack/defense experience, check out the continuation, Identity-driven Offensive Tradecraft. I got a preview and it's PACKED with techniques that work against well-defended targets. Virtual or in Denver w/ Elad Shamir and Adam Chester 🏴‍☠️ Oct 7-10

The CFP for #SOCON2025 is now open! 🙌 If you have an idea for a talk delving into the complexities of identifying, executing & protecting against modern Attack Paths, we invite you to submit your presentation before the November 15 deadline. Submit ➡️ ghst.ly/cfp-socon25

Attended this remotely for Identity-Driven Offensive Tradecraft from Elad Shamir. 10/10 course, the SpecterOps team had insane levels of knowledge on the topics 🔥🔥

Think NTLM relay is a solved problem? Think again. Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31

NTLM relay is still a major threat and is now even easier to abuse. We just added new NTLM relay edges to BloodHound to help defenders fix and attackers think in graphs. Read my detailed post - the most comprehensive guide on NTLM relay & the new edges: ghst.ly/4lv3E31

I'm super happy to announce an operationally weaponized version of Yuval Gordon's BadSuccessor in .NET format! With a minimum of "CreateChild" privileges over any OU it allows for automatic escalation to Domain Admin (DA). Enjoy your inline .NET execution! github.com/logangoins/Sha…