Will Schroeder
1.8K Followers

Published in Posts By SpecterOps Team Members

·Pinned

Certified Pre-Owned

TL;DR Active Directory Certificate Services has a lot of attack potential! Check out our whitepaper “Certified Pre-Owned: Abusing Active Directory Certificate Services” for complete details. We’re also presenting this material at Black Hat USA 2021. [EDIT 06/22/21] — We’ve updated some of the details for ESC1 and ESC2 in this…

Active Directory

22 min read


Published in Posts By SpecterOps Team Members

·Nov 9, 2022

Certificates and Pwnage and Patches, Oh My!

This post was written by Will Schroeder and Lee Christensen. A lot has happened since we released the “Certified Pre-Owned” blog post and whitepaper in June of last year. While the paper details a LOT of tradecraft ranging from credential theft to domain persistence, the part that caught most people’s…

Active Directory

16 min read


Published in Posts By SpecterOps Team Members

·Jul 7, 2022

Koh: The Token Stealer

Edit 07/13/22: After an awesome back and forth with Clément Notin and @SteveSyfuhs on Twitter on the effects of “TokenLeakDetectDelaySecs” and “Protected Users” for mitigating token theft, I’ve updated the Koh README to reflect these mitigations. Years ago I was chatting with a few experienced red teamers and one was…

Windows

11 min read


Published in Posts By SpecterOps Team Members

·Jun 1, 2022

DeepPass — Finding Passwords With Deep Learning

One of the routine tasks operators regularly encounter on most engagements is data mining. While exactly what operators are after varies from environment to environment, there is one common target that everyone’s always interested in: passwords. After diving into machine learning from an adversarial perspective I started to pay attention…

Machine Learning

12 min read


Published in Posts By SpecterOps Team Members

·May 4, 2022

Learning Machine Learning Part 3: Attacking Black Box Models

In the first post in this series we covered a brief background on machine learning, the Revoke-Obfuscation approach for detecting obfuscated PowerShell scripts, and my efforts to improve the dataset and models for detecting obfuscated PowerShell. …

Machine Learning

24 min read


Published in Posts By SpecterOps Team Members

·Apr 26, 2022

Learning Machine Learning Part 2: Attacking White Box Models

In the previous post, I went through a very brief overview of some machine learning concepts, talked about the Revoke-Obfuscation project, and detailed my efforts at improving the dataset and models for detecting obfuscated PowerShell scripts. That resulted in three separate tuned models for obfuscated PowerShell script detection: a Logistic…

Machine Learning

25 min read


Published in Posts By SpecterOps Team Members

·Apr 5, 2022

Learning Machine Learning Part 1: Introduction and Revoke-Obfuscation

For the past two years I’ve been trying to get a grasp on the field of machine learning with the hopes of applying it to both offense and defense. At the beginning of this journey I had no idea what Random Forests were, the tradeoffs of underfitting and overfitting, what…

Machine Learning

28 min read


Jun 17, 2021

Certified Pre-Owned

TL;DR Active Directory Certificate Services has a lot of attack potential! Check out our whitepaper “Certified Pre-Owned: Abusing Active Directory Certificate Services” for complete details. We’re also presenting this material at Black Hat USA 2021. [EDIT 06/22/21] — We’ve updated some of the details for ESC1 and ESC2 in this…

23 min read


Published in Posts By SpecterOps Team Members

·Feb 28, 2019

A Case Study in Wagging the Dog: Computer Takeover

Last month, Elad Shamir released a phenomenal, in-depth post on abusing resource-based constrained delegation (RBCD) in Active Directory. One of the big points he discusses is that if the TrustedToAuthForDelegation UserAccountControl flag is not set, the S4U2self process will still work but the resulting TGS is not FORWARDABLE. …

Microsoft

6 min read


Published in Posts By SpecterOps Team Members

·Feb 20, 2019

Kerberoasting Revisited

Rubeus is a C# Kerberos abuse toolkit that started as a port of @gentilkiwi’s Kekeo toolset and has continued to evolve since then. …

Microsoft

12 min read

Researcher @SpecterOps. Coding towards chaotic good while living on the decision boundary.
