
I just documented a cool way to authenticate proxied tooling to LDAP in an AD environment using C2 payload auth context, without stealing any tickets or hashes! Keep tooling execution off-host and away from EDR on your Red Team assessments! specterops.io/blog/2025/08/2…
The CFP for #SOCON2026 is OPEN! 🙌 Have you been working on something interesting in Attack Path Management or identity-first defense? Join us in Arlington, VA (April 13–14) and share your work with the community. Submit your talk by Nov. 15 → ghst.ly/socon26-cfp

What happens when the User-Account-Restrictions property gets misconfigured? Spoiler: It's not good. From account compromise to full domain takeover, @unsigned_sh0rt breaks down why this permission set is more dangerous than most realize. ghst.ly/4mKgycH
Finally releasing Sekken-Enum, an ADWS enumeration BOF we've been using internally for a while now. Based on the research from SOAPHound/SoaPy, moving away from relying on .NET execution or proxying. Output works with BOFHound for BloodHound ingesting. github.com/Nomad0x7/sekke…
Whether you’re blue team or red team, Adversary Tactics: Detection at Specter Bash gives you hands-on experience dissecting offensive tradecraft and building quality detections - with new labs on identity-driven detection engineering and attack path analysis.
Move beyond signature-based detection to catch what traditional defenses miss. Our Detection course at Specter Bash next week will teach you to engineer detections based on adversary TTPs & behavioral analysis. There's still time to save your spot! 👉 lnkd.in/eP58JqcU

Lateral movement getting blocked by traditional methods? @werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG
specterops.io
DCOM Again: Installing Trouble - SpecterOps
DCOM lateral movement BOF using Windows Installer (MSI) Custom Action Server - install ODBC drivers to load and execute DLLs
Fact: Remote service and scheduled task creation bypass firewalls on DCs and Win file servers because of SMB tunnelling. Solution: Create RPC filters that block MS-SCMR and MS-TSCH over named pipes. The latter has 3 UUIDs, so blocking the atsvc pipe is more elegant. #DSInternals


Added CRED-8 to Misconfiguration Manager, which is @unsigned_sh0rt's MP relay to dump machine policy secrets. MM link: github.com/subat0mik/Misc… Blog link: specterops.io/blog/2025/07/1…
Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP - @_logangoins specterops.io/blog/2025/08/2…
Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM. github.com/trustedsec/Tit…
Better late than never. I wrote a post that analyzes the Salesloft-Drift breach in the context of Attack Paths. specterops.io/blog/2025/09/2… My main takeaways: 1) Hybrid paths are not limited to two platforms owned by the same organization 2) Ad-hoc paths arise when passwords are…
Excited to present with @breakfix at #BHEU @BlackHatEvents where we'll be sharing our research on attacking System Center Operations Manager! @SpecterOps

BloodHound's OpenGraph is 🔥🚀 This is how we rapidly developed a customer specific attack primitive for BloodHound that we call "ManagerOf" 👇
New #BloodHoundBasics post from @martinsohndk‼️ Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see... 🧵 1/6

I came across a WMI Win_32 Process replacement with some extra useful functionality. specterops.io/blog/2025/09/1…
Proud to have you here @bohops & Dylan Tran #mcttp #hansesecure #meetfriends #itsecurity @HanseSecure

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…
Even with HTTPS, Windows Server Update Services can be abused if attackers obtain a trusted certificate, allowing authentication relay. In our blog, @Coontzy1 explains how WSUS traffic can be found and abused, and what sparked his investigation. Read now! trustedsec.com/blog/wsus-is-s…
ICYMI: SO-CON is returning to Arlington, VA! #SOCON2026 will be bigger than before with a new third talk track. 🧑🏫 Conference: April 13-14, 2026 💻 Training: April 15-18, 2026 Sign up now to receive updates → specterops.io/so-con/
We are back with our BloodHound t-shirt fundraiser! 🙌 Grab your BloodHound 8.0 shirt today. All funds raised will go directly to @HopeforHIE, the global voice for families affected by Hypoxic Ischemic Encephalopathy. 👕: ghst.ly/bh8-tshirt

knew win10 had the dsquery.dll laying around but never knew what to do with it. "rundll32.exe dsquery.dll OpenQueryWindow" will pop open a console for you and you can do some light LDAP recon. you can also open with win + ctrl + f. probably useful for VDI/Citrix type tests

There's no one-size-fits-all C2 framework. That's why @its_a_feature_ spent 7 years building Mythic, & learning lessons along the way. Join Cody at @MCTTP_Con, where he will share the tips & tricks every red teamer needs to hear. Learn more: ghst.ly/4mGUBw2
