Syndicated Blog

Posts By SpecterOps Team Members – Medium
Posts from SpecterOps team members on various topics relating to information security – Medium
On Detection: Tactical to Functional

Part 9: Perception vs. Conception
The concepts discussed in this post are related to those discussed in the 9th session of the DCP Live podcast. If you find this information interesting, I highly ...
BloodHound Enterprise: securing Active Directory using graph theory

Prior to my employment at SpecterOps, I hadn’t worked in the information security industry; as a result, many security-related terms and concepts that were tossed around ...
View Disassembly and Pseudocode Windows Synchronize Side-by-Side In IDA Pro

Uncovering RPC Servers through Windows API Analysis

Intro
Have you ever tried to reverse a simple Win32 API? If not, let’s look at one together today! This article serves as a hand-holding walkthrough and documents in detail how I analyzed ...
Perfect Loader Implementations

Thank you to SpecterOps for supporting this research and to Lee and Sarah for proofreading and editing! Crossposted on GitHub.
TLDR: You may use fuse-loader or perfect-loader as examples for extending an OS’s native ...
SCCM Hierarchy Takeover

One Site to Rule Them All
tl;dr: There is no security boundary between sites in the same hierarchy. When an administrative user is granted a security role in SCCM, such as Full Administrator or Infrastructure Administrator, ...
Ghostwriter v4: 2FA, RBAC, and Logging, Oh My!

Ghostwriter v4 is officially here! Technically, it’s been available as a release candidate for a while, but we have arrived at its final release. This major release focuses on something important to ...
Reactive Progress and Tradecraft Innovation

Detection as Prediction
The overarching goal of a security operations program is to prevent or mitigate the impact of an attacker gaining unauthorized access to an IT environment. In service of this mission, ...
TROOPERS23: Hidden Pathways

What is Tier Zero — Part 2

Round 2! This is Part 2 of our webinar and blog post series Defining the Undefined: What is Tier Zero. In Part 1, we gave an introduction to the topic and explained ...
Shadow Wizard Registry Gang: Structured Registry Querying

Why Do We Need New Tooling for Registry Collection?
The Windows registry, an intricate database storing settings for both the operating system and the applications that run on it, is a treasure trove ...
Site Takeover via SCCM’s AdminService API

tl;dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover.
Prior Work and Credit
Before I get started, I’d like to acknowledge some of the work previously ...