Posts By SpecterOps Team Members – Medium
Posts from SpecterOps team members on various topics relating to information security – Medium

Getting Started with BHE — Part 2
Contextualizing Tier Zero. TL;DR: An accurately defined Tier Zero provides an accurate depiction of Attack Path Findings in your BHE tenant. Different principals (groups, GPOs, OUs, etc.) have different implications when Tier Zero is ...

Getting Started with BHE — Part 1
Understanding Collection, Permissions, and Visibility of Your Environment. TL;DR: Attack Path visibility is dependent upon scope of collection; complete collection is dependent upon appropriate permissions. Your collection strategy benefits from tiering just ...

Decrypting the Forest From the Trees
TL;DR: SCCM forest discovery accounts can be decrypted, including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration ...

Fueling the Fight Against Identity Attacks
When we founded SpecterOps, one of our core principles was to build a company which brought unique insight into high-capability adversary tradecraft, constantly innovating in research and tooling. We aspired to set ...

Getting the Most Value Out of the OSCP: The PEN-200 Course
Kieran Croucher | Cybersecurity, Cybersecurity Training, Offensive Security, OSCP, Penetration Testing
In this second post of a five-part series, I provide advice on how to best utilize the PEN-200 course material for a successful career in ethical hacking. Disclaimer: All opinions expressed in this article are ...

Don’t Touch That Object! Finding SACL Tripwires During Red Team Ops
During red team operations, stealth is a critical component. We spend a great deal of time ensuring our payloads will evade any endpoint detection and response (EDR) solution, our traffic is obfuscated ...

Getting the Most Value out of the OSCP: Pre-Course Prep
The first post in a five-part practical guide series on maximizing the professional, educational, and financial value of the OffSec certification pursuit for a successful career in offensive cybersecurity consulting. Disclaimer: All opinions expressed ...

Enhancements for BloodHound v7.0 Provide Fresh User Experience and Attack Path Risk Optimizations
General Availability of Improved Analysis Algorithm and Security Posture Management Improvements. The BloodHound team previewed several concepts in the last couple of releases that made it easier for customers to visualize attack paths ...

Forging a Better Operator Quality of Life
A new Mythic add-on for Windows Agents. Mythic provides flexibility to agent developers for how they want to describe and execute techniques. While this is great, it also means that when operators hop from ...

Further Adventures With CMPivot — Client Coercion
TL;DR: CMPivot queries can be used to coerce SMB authentication from SCCM client hosts. Introduction: CMPivot is a component part of the Configuration Manager framework. With the rise ...