SpecterOps aspires to set the cadence for the rest of the cyber security industry and bring unique insight and training into the advanced threat actor tradecraft. Our team has deep experience built through helping hundreds of clients shut down attack paths, evaluate, and develop security operations programs, providing premier adversarial training courses to thousands of students in advanced adversary Tactics, Techniques, and Procedures (TTPs), and sponsoring numerous projects to help the security industry as a whole.
Our security team consists of some of the most sought-after industry experts, bringing deep knowledge of adversary tradecraft and years of experience in attack path management and improving threat detection and response capabilities across both commercial and government sectors.
You have likely found many of our team members speaking at industry conferences on the latest adversary tools and techniques, providing numerous research papers and posts, and developing some of the most widely used open-source tools in the industry.
Our team members are on the forefront of security research, and we are always willing to share our knowledge of attack path management, tradecraft analysis, and other adversary tactics. The objective of every solution we offer is to provide our customers with capabilities to improve their own security operations, not only while we’re there, but even after we’re gone.
We share our operational knowledge and lessons learned in the cyber security field with your team to hone their skill sets, their efficiency, and ultimately better secure your business.
Leveraging expertise built through years of experience and assessments across industries and hundreds of environments, our operators use our understanding of advanced Tactics, Techniques, and Procedures (TTPs) to effectively assess and improve your security posture and ability to respond to today’s sophisticated attacks.
Whether you are building new adversary detection and simulation teams or looking to mature existing competencies, we provide an effective approach focused on comprehensively integrating technical components into the overall security operations program, ensuring robust prevention, detection, and response capabilities.
The human component to any security program is critical. Building fundamental knowledge and perfecting the skills necessary to protect the enterprise through realistic training is essential to robust security programs. Our training courses and solutions equip participants with the skills to attack, defend, and harden their environments against advanced threat actors.
From the creators of BloodHound, an Attack Path Management solution that continuously maps and quantifies Active Directory Attack Paths. Remove millions of Attack Paths within your existing architecture and eliminate the attacker’s easiest, most reliable, and most attractive target.
Let’s dive into what makes this so exciting! There’s so much to cover that we won’t be offended if you want to look at the CHANGELOG for a quick synopsis. Introducing Customizable Fields Over the years, we’ve had many requests for database adjustments to make it easier for Ghostwriter to fit different workflows and team […]
How MS Exchange on-premises compromises Active Directory and what organizations can do to prevent that. At SpecterOps, we recommend our customers establish a security boundary around their most critical assets (i.e., Tier Zero) of Active Directory (AD). We help them find and remediate the attack paths that cross this security boundary with BloodHound Enterprise. One of […]
Zugspitze, Bavaria, Germany. Photo by Andrew Chiles Did you know that it is possible to perform every step in Entra’s OAuth 2.0 Device Code flow — including the user authentication steps — without a browser? Why that matters: Automating authentication flows enables and accelerates comprehensive and ongoing offensive research Headless authentication frees red teamers and pentesters from requiring browser or cookie access Demonstrating […]
TL;DR: Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material at SO-CON 2024 on March 11, 2024. We’ll update this post with a link to the recording when it becomes available. Background Suppose you’ve been following offensive security research […]
Final Steps to BloodHound Enterprise for Government— FedRAMP High Compliance Ever since SpecterOps first launched BloodHound Enterprise (BHE) in July 2021, one of our team’s biggest frustrations involved a lack of FedRAMP qualifications, which prevented us from supporting a large set of desired users; specifically in the federal space. This is why I am both proud […]
It is possible to configure an Active Directory Certificate Services (ADCS) certificate template with an issuance policy having an OID group link to a given AD group.
Spinning Webs — Unveiling Arachne for Web Shell C2 What is a web shell? A web shell is a payload that allows continued access to a remote system, just like other “shells” we refer to in computer security. What makes a web shell a little different is that it’s not beaconing out to a command-and-control (C2) server, nor is […]
ADCS Attack Paths in BloodHound — Part 1 Since Will Schroeder and Lee Christensen published the Certified Pre-Owned whitepaper, the BloodHound Enterprise team at SpecterOps has been eager to implement Active Directory Certificate Services (ADCS) attack paths in BloodHound. However, the complexity of ADCS presented challenges in creating simple-to-use BloodHound edges for covering ADCS domain escalations. That’s why […]
BloodHound Enterprise (BHE) recently saw the addition of a new, game-changing feature: open-ended Cypher searches. For those unfamiliar, Cypher is a declarative query language used for retrieving data from a graph database (in this case, Neo4j). As you’ll soon see, the nature of Cypher is one that helps drive the concept of relationships between nodes […]
Sleepy — Python Tooling for Sleep Thank you to SpecterOps for supporting this research and to Sarah, Cody, and Daniel for proofreading and editing! Crossposted on the GitHub. TL;DR: You can use sleepy to automate common tasks when working with Sleep code. Raphael Mudge created the embeddable scripting language, Sleep, in April 2002. Sleep was designed to extend Java applications […]
