SpecterOps Profile
SpecterOps

@SpecterOps

Followers: 35,521
Following: 379
Media: 647
Statuses: 2,301

Know Your Adversary - Adversary Simulation | Detection | Resilience

Joined January 2017
Pinned Tweet
@SpecterOps
SpecterOps
16 days
We will be at #RSAC in May! Visit us at Booth 4605 in the Moscone North Expo Hall to meet with our experts and receive a demo of BHE! Learn more and schedule your demo at .
@SpecterOps
SpecterOps
4 years
Here is the link to the SpecterOps Adversary Tactics: PowerShell course material: Enjoy! Information about our current training offerings can be found here: (4/4)
@SpecterOps
SpecterOps
4 years
Starting April 6th, SpecterOps will be presenting a week of webinars while we collectively work from home in response to Covid-19. Each day is a different 30 minute talk given by one of our experts from our Adversary Simulation, Detection, and Adversary Resilience teams.
@SpecterOps
SpecterOps
3 years
Don't understand SSH tunneling? Forget where to run which commands? Want to proxy tools into a client network during an offensive security operation? Check out this detailed guide on SSH tunnels and proxies from @Ne0nd0g Link:
@SpecterOps
SpecterOps
4 years
Despite its incredible security enhancements, PowerShell continues to be abused by adversaries. A strong knowledge of PowerShell enables defenders to effectively manage and respond to its abuse. (1/4)
@SpecterOps
SpecterOps
4 years
Today, @Haus3c released a new post called, "Kerberosity Killed the Domain: An Offensive Kerberos Overview" Ryan consolidates many core concepts of modern Kerberos attacks into a concise reference post. Link:
@SpecterOps
SpecterOps
6 years
In part one of a two part series, @_wald0 demonstrates how to understand, measure, and reduce Active Directory attack surface using the Active Directory Adversary Resilience Methodology:
@SpecterOps
SpecterOps
7 years
The whitepaper for @harmj0y ’s and @_wald0 's "An ACE Up the Sleeve" BH/DC talk is now available! Check it out:
@SpecterOps
SpecterOps
6 years
In part two, @_wald0 demonstrates the technical details of the Active Directory Adversary Resilience methodology, using a combination of @Neo4j 's Cypher query language and the #BloodHound interface:
@SpecterOps
SpecterOps
9 months
We're thrilled to announce BloodHound Community Edition (CE) -- the next evolution of #BloodHound . Scheduled for release on 8/8, BloodHound CE has many new features & enhancements, making it easier for users to deploy, manage, and utilize. Learn more:
@SpecterOps
SpecterOps
5 years
Check out the Modern Wireless Attacks series from @s0lst1c3 . Part 1 is being released today, which introduces some fundamentals along with demonstration of the Evil Twin and Karma attacks with EAPHammer.
@SpecterOps
SpecterOps
4 years
In this post, @matterpreter dissects Mimikatz's kernel mode driver, Mimidrv, and walks through some of the capabilities available to us in ring 0. Check it out:
@SpecterOps
SpecterOps
7 months
Have you ever wanted to write a better reflective loader? What about a perfect one? Learn how to do exactly that in our latest blog post from @mcbroom_evan :
@SpecterOps
SpecterOps
5 years
New on the blog - @matterpreter releasing a new tool, Shhmon, which helps in evading Sysmon by targeting its driver. His post also includes defensive recommendations for detecting this technique. Check it out:
@SpecterOps
SpecterOps
7 years
The whitepaper @mattifestation authored is now released and available at: #derbycon
@SpecterOps
SpecterOps
1 month
How does MS Exchange on-premises compromise Active Directory? Check out @Jonas_B_K 's latest blog to learn what permissions Exchange has in AD that an attacker can abuse to compromise the domain & what organizations can do to prevent that.
@SpecterOps
SpecterOps
7 months
Curious about the inner workings of Windows Authentication APIs? @mhskai2017 's new blog post is your guide to demystifying the magic hidden within these APIs, empowering you to unravel the RPC implementations using IDA and the power of static analysis!
@SpecterOps
SpecterOps
3 years
Today, @harmj0y and @tifkin_ are releasing their work on Abusing Active Directory Certificate Services. A number of the AD CS misconfigurations highlighted in this work can allow attackers to escalate their rights to domain admin in Active Directory.
@SpecterOps
SpecterOps
7 years
@enigma0x3 shows how to pivot to a remote host using the Excel.Application Run() method.
@SpecterOps
SpecterOps
3 years
All video and slide content from SO-CON 2020 has been posted to our website. Check them out: Also, YouTube playlist link: Thank you again to all of the attendees!
@SpecterOps
SpecterOps
6 years
New from @enigma0x3 : Using the .SettingContent-ms extension to run arbitrary commands on the latest version of Windows while evading ASR and Office 2016 OLE blocks.
@SpecterOps
SpecterOps
4 years
ICYMI - @0xthirteen released MoveKit and StayKit, a collection of aggressor scripts, .NET projects, and templates to enhance lateral movement and persistence on your engagements. Link: MoveKit: StayKit:
@SpecterOps
SpecterOps
4 years
New from @slyd0g - "Automating DLL Hijack Discovery" In this post, Justin walks through the process of finding and automating DLL Hijacking for common applications (Slack, Teams, VS Code) for userland persistence. Post: Tool:
@SpecterOps
SpecterOps
4 years
New from @0xthirteen - Revisiting Remote Desktop Lateral Movement. This post discusses RDP lateral movement by leveraging mstscax.dll. Steven is also releasing SharpRDP with corresponding detection guidance for this attack technique. Post:
@SpecterOps
SpecterOps
4 years
We are super excited to announce our first virtual conference - SO-CON 2020, Nov 16 - 20, consisting of 4 training courses (2 new) and free talks / workshops showcasing the latest work from our team. More info at: Register at:
@SpecterOps
SpecterOps
9 months
Happy BloodHound Community Edition release day to all that celebrate! 🥳 Read @_wald0 ’s blog post on the new features.
@SpecterOps
SpecterOps
6 months
Get the scoop on a lateral movement technique within the distributed component object model (DCOM) Excel application. @GrayHatKiller details the method in our latest blog post.
@SpecterOps
SpecterOps
6 years
The SpecterOps talks from #DerbyCon have been posted. Check them out! A Process is No One - When Macs Come Under ATT&CK - The Unintended Risks of Trusting Active Directory -
@SpecterOps
SpecterOps
4 years
In this post, @jaredcatkinson talks about our approach to Detection Engineering through Capability Abstraction using Kerberoasting as an example. Check it out:
@SpecterOps
SpecterOps
2 years
As the state of security continues to evolve, we decided it was time to renew our approach to phishing during red team operations. Today, we're outlining our plans to make initial access ops more valuable to our customers. Read more here:
@SpecterOps
SpecterOps
4 years
New post from @its_a_feature_ @n0pe_sled and @tifkin_ on Abusing Slack for Offensive Operations: In this post, our team members talk about how authentication works with Slack and where to look once access is obtained.
@SpecterOps
SpecterOps
4 years
Our first intern, @0xdab0 created a project called Satellite to automate C2 traffic redirection. In this post, he talks about some of the keying, proxying, and filtering options of the project. Read more here: Project link:
@SpecterOps
SpecterOps
5 years
A look into the new Sysmon V9.0. @Cyb3rWard0g walks through his thoughts on the new release and how to create a rule with some of the new capabilities. Read more here:
@SpecterOps
SpecterOps
3 years
It's here.
@SpecterOps
SpecterOps
5 years
New from @slyd0g: Using a new tool, TimeStomper, to manipulate timestamps in Windows. Mitigating detections are also included. Take a look:
@SpecterOps
SpecterOps
4 years
Thank you for joining @rrcyrus 's presentation on "Hunting from Home", day 1 of our Week of Webinars. Here are the links for the video & slides: Video: Slides: Be sure to check out @_wald0 's session on BloodHound tomorrow.
@SpecterOps
SpecterOps
2 months
Let's talk about AD CS ESC14 abuse technique. In our latest blog post, @Jonas_B_K explores the variations of abuse of explicit certificate mapping in AD, what the requirements are, and how you can protect your environment against it.
@SpecterOps
SpecterOps
5 years
New post from @rrcyrus releasing Venator for macOS hunting, with examples of how you can detect malicious persistent items in a macOS environment. Check it out:
@SpecterOps
SpecterOps
6 months
Introducing Cuddlephish. Check out the open-source BitM attack tool from @FKasler , which allows pentesters to use the Browser-in-the-Middle technique on their campaigns & raise awareness of this attack vector for credential stealing.
@SpecterOps
SpecterOps
4 years
"When Kirbi walks the Bifrost" In this post, @its_a_feature_ talks about Active Directory attacks leveraging a MacOS AD joined endpoint. Check it out:
@SpecterOps
SpecterOps
11 months
Nick Powers ( @zyn3rgy ) and Steven Flores ( @0xthirteen ) uncover a mechanism of weaponizing legitimate ClickOnce and .NET applications for initial access, presenting new opportunities. Read their blog:
@SpecterOps
SpecterOps
5 years
New post from @djhohnstein detailing how to use the Service Control Manager and DLL hijacking for an often overlooked form of lateral movement. Discovery methodology, detections, proof of concept code, demos and more!
@SpecterOps
SpecterOps
20 days
While Microsoft's User Account Control is not defined as a security boundary, bypassing UAC is still something attackers frequently do. Check out this blog post from @enigma0x3 detailing one method for bypassing UAC using App Paths.
@SpecterOps
SpecterOps
6 years
Our Adversary Resilience team just released #BloodHound 2.0, featuring new attack primitives and plenty of cool new features. For more information, see our post here:
@SpecterOps
SpecterOps
3 years
SpecterOps is proud to announce Attack Path Management, a new methodology designed to directly address the problem of Attack Paths:
@SpecterOps
SpecterOps
4 years
SO-CON Talk Announcement: OffSecOps. In this talk, @harmj0y will discuss building an Offensive CI Pipeline, generating op-specific artifacts, and monitoring for burned artifacts - while integrating with common C2 platforms. Sign up here:
@SpecterOps
SpecterOps
4 years
Really great feedback and questions for @harmj0y ’s “Kerberoasting Revisited” today: Video: Slides: Stay tuned tomorrow for @jsecurity101 ’s dive into Dumping LSASS:
@SpecterOps
SpecterOps
5 years
As always, we believe in releasing detections for new attacks. Our Adversary Detection team member @Cyb3rWard0g overviews our detection approach for the new AD forest trust attack from @harmj0y. Detections available here:
@SpecterOps
SpecterOps
6 years
Confused about Active Directory delegation? Check out @harmj0y 's post on his new work in resource-based constrained delegation done with @elad_shamir
@SpecterOps
SpecterOps
7 years
With another CVE under his belt, @enigma0x3 demonstrates another #PowerShell constrained language mode bypass.
@SpecterOps
SpecterOps
5 years
New from @matterpreter - Using P/Invoke to evade command line logging by interacting with the Win32 API. Check it out:
@SpecterOps
SpecterOps
5 years
@Cyb3rWard0g @harmj0y The attack itself is a new concept built from the premise of @tifkin_ 's printer bug. @harmj0y is able to demonstrate cross-forest compromise in Active Directory. Read more here:
@SpecterOps
SpecterOps
6 years
Happy to welcome Roberto Rodriguez (@Cyb3rWard0g) to our Adversary Detection team! Check out some of his GitHub and blog!
@SpecterOps
SpecterOps
8 months
What is Tier Zero? 🤔 Read our latest blog post from @Jonas_B_K & @elad_shamir on the intricate world of critical identities and resources across Active Directory and Azure.
@SpecterOps
SpecterOps
3 years
Our latest post from @zyn3rgy on Proxy Windows Tooling via SOCKS is now live on the blog. Nick covers how routing your Windows tooling through SOCKS can lessen potential pain points in offensive workflows. Read more here:
@SpecterOps
SpecterOps
4 years
New Blog Post from @Haus3c on Azure. Ryan discusses Azure and Azure AD's components, reviews some of the attacks, and releases PowerZure to help understand the attacks. Link: PowerZure:
@SpecterOps
SpecterOps
6 years
Want to control Empire from your phone while away from your computer? Check out @_P1CKLES_'s most recent post to learn about a new addition to the Empire Project.
@SpecterOps
SpecterOps
4 years
New from @djhohnstein: "Malware Development Pt. 1: Dynamic Module Loading in Go" In part 1 of this series, Dwight discusses an approach for a minimal and modular core agent design using Go. Check it out:
@SpecterOps
SpecterOps
4 years
Thanks for joining @jsecurity101 's Capability Abstraction: Dumping LSASS: Video: Slides: Wrapping the week tomorrow with @cmaddalena 's Remote Team Project Management and Reporting
@SpecterOps
SpecterOps
4 years
New version of Covenant is out just in time for #BlackHat2020 #Arsenal . New in this release: streaming output for long running tasks, UI themes, and tabbed terminal view. Post Link: Tool Link:
@SpecterOps
SpecterOps
4 years
ICYMI - @_wald0 released a post called "Death from Above: Lateral Movement from Azure to On-Prem AD" In this post, Andy describes an attack primitive that allows for on-prem Active Directory domain compromise via devices Hybrid-Joined to AzureAD. Link:
@SpecterOps
SpecterOps
4 years
New from @matterpreter - "Methodology for Static Reverse Engineering of Windows Kernel Drivers" In this post, Matt dives into Windows kernel driver reversing to show how to begin hunting for vulnerabilities using a simple methodology. Check it out:
@SpecterOps
SpecterOps
6 years
We are pleased to announce that @424f424f has joined @SpecterOps . Welcome aboard Steve!
@SpecterOps
SpecterOps
7 years
Our first webinar is on red and blue PowerShell tools / techniques, by @harmj0y and @jaredcatkinson . Learn more:
@SpecterOps
SpecterOps
5 years
You Can Run, But You Can’t Hide — Detecting Process Reimaging Behavior. This post explores @jsecurity101's approach to creating a data driven detection for the Process Reimaging technique using Sysmon.
@SpecterOps
SpecterOps
5 years
Today, we are going to be linking videos from content we presented @DerbyCon by our team members. We will start with a talk from @mattifestation called "How do I detect technique X in Windows? Applied Methodology to Definitively Answer this Question" -
@SpecterOps
SpecterOps
4 years
New from @Praga_Prag - Detection in Depth In this post, Josh builds on the concept of Capability Abstraction to identify functional choke points for attacks to detect similar techniques with the same intended outcome. Check it out:
@SpecterOps
SpecterOps
4 years
ICYMI: @Haus3c released part 2 of his "Attacking Azure & Azure AD" blog series. In this post, Ryan discusses new attack primitives: 1. Priv Esc. via Service Principals 2. Lateral Movement from Azure to On-Premise Domains 3. Abusing Azure Logic Apps Link:
@SpecterOps
SpecterOps
6 years
We're excited to announce our first SpecterOps Summit in San Antonio, TX Oct 16 - 20! We'll be offering 3 training courses, including our new 4-day Detection course. In addition, we'll be holding evening events throughout the week. Details: #SOSummit
@SpecterOps
SpecterOps
5 years
New from @slyd0g - Understanding and Defending Against Access Token Theft: Finding Alternatives to winlogon.exe. Justin walks through the technique and shows options to modify the approach. Several detection methods are included too. Check it out:
@SpecterOps
SpecterOps
6 years
Using Microsoft.Workflow.Compiler.exe to execute arbitrary, unsigned code from @mattifestation . Blog link:
@SpecterOps
SpecterOps
4 years
While still utilized at SpecterOps, our efforts have diversified far beyond just PowerShell. As a result, we made the decision to retire our PowerShell course. In the interest of transparency and supporting the community, we'd like to offer it up to the community for free. (3/4)
@SpecterOps
SpecterOps
4 years
Thank you for all the questions at @_wald0’s session today. Slides: Video: We’re looking forward to continuing our series tomorrow with @harmj0y’s session on Kerberoasting. Sign up here:
@SpecterOps
SpecterOps
6 months
How can defenders reclaim control over the domain after discovering a #cyberattack where the adversary has domain persistence? ⚔️ @synth_nic0 & @Praga_Prag share how adversaries gain and sustain access within a domain as well as recovery strategies.
@SpecterOps
SpecterOps
4 years
New from @poloh4ck - "Engineering Process Injection Detections — Part 3: Analytic Logic" In the final part of this series, David discusses how to create a robust analytic, reducing both false positives and false negatives. Check it out:
@SpecterOps
SpecterOps
4 years
Introducing the Funnel of Fidelity. In this post, @jaredcatkinson discusses our approach to optimizing and applying the scarce resources of a SOC/detection capability to prioritize actions. Check it out:
@SpecterOps
SpecterOps
6 years
Our resident application whitelisting breaker/expert, @mattifestation shows us the steps involved in developing one of the most strict types of Device Guard code integrity policies.
@SpecterOps
SpecterOps
1 year
We're excited to announce that we've secured $25M in funding to drive the next phase of expansion across the BloodHound Enterprise and FOSS platforms, security consulting services, research and more. Read more:
@SpecterOps
SpecterOps
4 years
New from @enigma0x3 - An overview of a Local Privilege Escalation vulnerability he and our client team identified in Symantec's SEP product, CVE-2019-12757. Check it out:
@SpecterOps
SpecterOps
3 years
New blog from @_D00mfist - Introducing Mystikal. Leo is releasing a payload generator to help operators generate macOS payloads during the initial access phase of an operation. Post: Tool: