DCOM Again: Installing Trouble - SpecterOps
DCOM lateral movement BOF using Windows Installer (MSI) Custom Action Server - install ODBC drivers to load and execute DLLs
Lateral movement getting blocked by traditional methods?
@werdhaihai.bsky.social just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG
29.09.2025 19:00 β π 9 π 3 π¬ 0 π 0
Entra Connect Attacker Tradecraft: PartΒ 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.
@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.
Read more: ghst.ly/3ISMGN9
30.07.2025 17:01 β π 9 π 6 π¬ 1 π 0
Think NTLM relay is a solved problem? Think again.
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
08.04.2025 23:00 β π 27 π 20 π¬ 1 π 2
An Operatorβs Guide to Device-Joined Hosts and the PRT Cookie
Introduction
Nothing new, but formalized some operator notes on Entra ID/Azure tradecraft I've found to be exceptionally useful on ops. Overlooked this myself for quite some time and thought others in the same boat might find it worth a read! π
medium.com/specter-ops-...
07.04.2025 16:34 β π 5 π 2 π¬ 0 π 0
Super excited to be speaking at SOβCON 2025 on March 31st with my coworker Lance Cain. Weβre diving into an example attack path from real-life red team assessments by Lance Cain, Dan Mayer, myself, and the entire @specterops.bsky.social crew. specterops.io/so-con/ #SOCON2025 #redteam
22.03.2025 17:38 β π 4 π 1 π¬ 0 π 0
a man with a surprised look on his face is standing in front of the word awesome
ALT: a man with a surprised look on his face is standing in front of the word awesome
The Mythic family continues to grow! Another cool Windows agent written in C that already has COFF execution! Be sure to check it out and their blog series on it c0rnbread.com/creating-myt...
x.com/0xC0rnbread/...
12.03.2025 13:35 β π 5 π 3 π¬ 0 π 0
Decrypting the Forest From the Trees - SpecterOps
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...
#SCCM forest discovery accounts can be decryptedβeven those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.
Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp
06.03.2025 20:34 β π 22 π 15 π¬ 1 π 0
BIG NEWS: SpecterOps raises $75M Series B to strengthen identity security! Led by Insight Partners with Ansa Capital, M12, Ballistic Ventures, Decibel, and Cisco Investments. ghst.ly/seriesb
#IdentitySecurity #CyberSecurity
(1/6)
05.03.2025 17:33 β π 16 π 9 π¬ 1 π 1
dwight schrute from the office is holding a business card in his hand .
ALT: dwight schrute from the office is holding a business card in his hand .
Many in the Mythic Community have asked for a way to standardize BOF/.NET execution within Mythic Agents. Today I'm releasing Forge, a new Mythic container to do just that: posts.specterops.io/forging-a-be...
We're starting off with default support for Apollo and Athena. Check it out! :)
05.02.2025 15:10 β π 11 π 4 π¬ 0 π 1
I have done this π€¦
31.01.2025 02:11 β π 0 π 0 π¬ 0 π 0
Entra Connect Attacker Tradecraft: Part 2
Now that we know how to add credentials to an on-premises user, lets pose a question:
This post goes more into Entra Connect tradecraft and how partially synced objects can be hijacked for cross domain attacks.
posts.specterops.io/entra-connec...
22.01.2025 17:43 β π 5 π 1 π¬ 0 π 0
Life at SpecterOps Part II: From Dream to Reality
Weβre hiring consultants; Check out this overview of our recruiting process!
What does the road to becoming a Specter look like? In his latest blog post, @subat0mik.bsky.social provides a high level overview of how we approach recruiting consultants, demystifying the process along the way from application review through interviews. ghst.ly/3PQeuSh
21.01.2025 17:47 β π 4 π 1 π¬ 1 π 0
Aight, who dcsyn'd today?
23.11.2024 05:42 β π 2 π 0 π¬ 1 π 0
Following my prev tweet, my Kerberos MITM relay/forwarder is almost finished! It targets for example insecure DNS updates in AD, allowing DNS name forgery. It intercepts, relays, and forwards traffic, with the client unaware. Currently supporting smb->smb and smb->http (adcs)
20.11.2024 11:21 β π 36 π 14 π¬ 1 π 0
16.11.2024 03:18 β π 4 π 0 π¬ 0 π 0
Was doing some digging "What's New" in Server2025 learn.microsoft.com/en-us/window... specifically the changes to pre-2k machines. Oddvar and I had spoken previously about the changes being solid and demonstrated pre-created machines in ADUC could no longer be set with a default password.
15.11.2024 05:25 β π 10 π 5 π¬ 1 π 0
SO-CON 2025 Call for Presenters Closes November 15
The CFP for #SOCON2025 closes TOMORROW!
We are accepting talks focused on identity-based security and Attack Paths. Submit yours today!
β‘οΈ ghst.ly/cfp-socon25
14.11.2024 22:33 β π 0 π 1 π¬ 0 π 0
top notch engineering
13.11.2024 20:23 β π 1 π 0 π¬ 0 π 0
Anyone read Cory Doctorow's Red Team Blues yet? Curious to hear thoughts and opinions on it.
07.11.2024 16:05 β π 2 π 0 π¬ 0 π 0
Adversary Simulation @specterops.io
Official Account of DEF CON's Unofficial Welcome Party
Always Thursday of DEFCON
Still in the same place as always ;-)
(36.0636, -115.1178)
Telco / mobile and IoT security.
Surfing the information super highway one keystroke at a time.
https://haxrob.net
North Pole Security account. We make Santa https://github.com/northpolesec/santa
Riding around in the breeze. Security Thinker. Hacker. USAF Veteran. https://aff-wg.org
Manager, Research @ SpecterOps
https://github.com/JonasBK/JonasBK/blob/main/README.md
Tech enthusiasts, offensive cybersecurity professional, AI student
Offsec at OpenAI
Former Bishop Fox Red Team
Building a resilient digital society through highly specialised digital security consulting.
Former Pentester
Engineer at SpecterOps
Author of BloodHound
CEO @specterops.bsky.social
Senior Security Researcher at SpecterOps. All opinions are my own.
Pentest & Windows security research
Hardware / software necromancer
collector of Weird Stuff
maker of Death Generators.
she/they
Trend Zero Day Initiativeβ’ (ZDI) is a program designed to reward security researchers for responsibly disclosing vulnerabilities.
CTO at the UK's National Cyber Security Center
Cybersecurity Specialist, Public Speaker, Ex-Hacker.
https://marcushutchins.com
