Ghostwriter is a part of your team. It helps you manage clients, projects, reports, and infrastructure in one application.

Prior Work

Learn how to identify AD problems with high-privilege Kerberos users, domain control object ownership, and domain users using BloodHound FOSS.

When we coined the term “Attack Path Management” (APM) in our post ‘The Attack Path Manifesto’ in May of 2021, we set out to bring…

3 Foundational Pillars for Attack Path Management: Pillar 2 — Empirical Impact Assessment Attack Paths are the chains of abusable privileges and user behaviors that create direct and indirect connections between Active Directory Users and Computers. The unintended…

Introducing BloodHound 4.1 — The Three Headed Hound Prior Work Analyzing Active Directory attack paths using graph theory is not a new concept. Prior work includes the following: Heat-ray by John Dunagan, Alice Zheng, and Daniel R. Simon (2009) Airbus BTA…

Attack Path Management Pillars: Part 3 —Practical AD Security Remediation Guidance Historically, Identity Attack Paths are a double edge sword; remediation efforts can easily break production applications or create more Attack Paths. Unfortunately, fixing…

Rethinking the way that we approach phishing as a component of red team operations

In July of 2021, we launched BloodHound Enterprise. Since then, our customers have been using BHE to easily identify and eliminate…

SpecterOps statement regarding the War in Ukraine.

Ghostwriter is a part of your team. It helps you manage clients, projects, reports, and infrastructure in one application.

Ghostwriter is changing! We have a new release candidate and a GraphQL API open for feedback.

SCCM crash course on how to prevent attacks, and invoking Automatic Client Push with SharpSCCM. How to build, test, and contribute to SharpSCCM.

Co-founder of SpecterOps. Co-creator of BloodHound.

https://t.co/rub1i3Fs9g

For the past two years I’ve been trying to get a grasp on the field of machine learning with the hopes of applying it to both offense and…

In the previous post, I went through a very brief overview of some machine learning concepts, talked about the Revoke-Obfuscation project…

In the first post in this series we covered a brief background on machine learning, the Revoke-Obfuscation approach for detecting…

Loading malicious dylibs into the Tclsh binary

EntropyCapture extracts the DPAPI optional entropy using API hooking.

One of the routine tasks operators regularly encounter on most engagements is data mining. While exactly what operators are after varies…

Ghostwriter is a part of your team. It helps you manage clients, projects, reports, and infrastructure in one application.