Duane Michael (@subat0mik)'s Twitter Profile

Adversary Simulation Operator, Researcher, Teacher, Leader @SpecterOps

ID:994808635812347904

11-05-2018 05:17:16

446 Tweets

854 Followers

464 Following

Will Schroeder (@harmj0y)

It's a big day- Lee Chagolla-Christensen, Max Harley, and I are proud to announce that Nemesis 1.0.0 has landed! We have a ton of awesome new features and a streamlined installation, check out the details at posts.specterops.io/nemesis-1-0-0-… and the code at github.com/SpecterOps/Nem…

SpecterOps 🇺🇦 (@SpecterOps)

Heading to #MMSMOA next month? Make sure to add this session to your schedule. Chris Thompson will be joining Kim Oppalfens (MVP) ✖️ & Tom Degreef to speak on how to secure your ConfigMgr environment & defend against publicly known attacks.

Learn more ➡️ ghst.ly/4459csL #SCCM

Evan McBroom (@mcbroom_evan)

I just published a blog and tool for the LSA Whisperer work that was presented at the SpecterOps Conference (SOCON) back in March.

If you are interested in getting credentials from LSASS without accessing its memory, check it out!
medium.com/specter-ops-po…

SpecterOps 🇺🇦 (@SpecterOps)

ICYMI: Last week Chris Thompson released the open-source scanner MisconfigurationManager.ps1, which helps administrators more easily identify weaknesses in their SCCM environments.

Check out CSOonline to learn more. ⬇️ ghst.ly/4aWw1AV

SpecterOps 🇺🇦 (@SpecterOps)

Identify every TAKEOVER and ELEVATE attack in Misconfiguration Manager.

Check out our latest blog post from Chris Thompson to learn more about the MisconfigurationManager.ps1 script that will quickly identify risky configurations worth looking into further. ghst.ly/4aQLWAF

Jared Atkinson (@jaredcatkinson)

This PowerShell script is a quick way to audit your SCCM configuration to determine whether you have unidentified/unnecessary risks. Great stuff from Chris Thompson!

Chris Thompson (@_Mayyhem)

I wrote a script to identify every TAKEOVER and ELEVATE attack in Misconfiguration Manager that can be run with Read-only Analyst privileges or higher in SCCM. Please share with your IT admins, defenders, clients, assessors, and friends in infosec!
posts.specterops.io/rooting-out-ri…

Lee Chagolla-Christensen (@tifkin_)

ADCS strikes again (sounds a lot like ESC1). Just as a reminder, despite our recommendation of alerting IT administrators of this very common dangerous misconfiguration (AT A MINIMUM via an event log), Microsoft chose not to include any additional logging in ADCS.

ʎppɐɯɔ (@cmaddalena)

I'm over the moon to have this release available. I've been working toward it for years, and my team put significant work into making these features a reality over the past six months. Believe it or not, I held back features so we could get this out! We'll have more soon.

Garrett (@garrfoster)

Something cool for CRED-2 from Misconfiguration Manager: You can use the hash from a compromised computer to spoof enrollment. Works with Adam Chester 🏴‍☠️'s github.com/xpn/sccmwtf tool as well (since the http module is built around his code >_>) Kerb auth is a WIP

Max Harley (@0xdab0)

GIANT merge to Nemesis just published
If you've ever struggled to install Nemesis, we've made it 10x easier by getting rid of nemesis-cli and using Helm for k8s management instead
Check out the new setup guide for instructions on how to install: github.com/SpecterOps/Nem…

Duane Michael (@subat0mik)

Great timing on this post as we just merged our first offensive technique contribution from the community (Marshall), ELEVATE-3!

Andrew Oliveau (@AndrewOliveau)

👀👀🫵💥 'SeeSeeYouExec: Windows Session Hijacking via CcmExec'

New Mandiant Red Team blog explores how SCCM's CcmExec service can be utilized for session hijacking and introduces a new tool, CcmPwn, to weaponize this technique! Defense tips included 🔵

cloud.google.com/blog/topics/th…

Alex Plaskett (@alexjplaskett)

With so many high achieving people in security it’s common to feel like you never get enough work done. You should always take a step back and appreciate yourself. If you worked hard it will compound! Keep the momentum up! 💪

Adam Chester 🏴‍☠️ (@_xpn_)

New blog post is up... Identity Providers for RedTeamers. This follows my talk, and provides the technicals behind the presentation, looking at other IdP's and what techniques are effective beyond Okta. blog.xpnsec.com/identity-provi…

Will Schroeder (@harmj0y)

'Summoning RAGnarok With Your Nemesis' posts.specterops.io/summoning-ragn… I detail how we built a Nemesis-powered Retrieval-Augmented Generation (RAG) chatbot PoC, code now public at github.com/GhostPack/Ragn… ! Fun example of how to build on top of Nemesis' functionality.

SpecterOps 🇺🇦 (@SpecterOps)

Today at Chris Thompson & Duane Michael announced Misconfiguration Manager, a repository w/ attacks based on faulty MCM configs that provides resources for defenders to harden their security stance. Read more from Ionut Ilascu for BleepingComputer. ghst.ly/49KSYH9
