Will Schroeder

2K Followers


Published in

Posts By SpecterOps Team Members

·Pinned

Certified Pre-Owned

TL;DR Active Directory Certificate Services has a lot of attack potential! Check out our whitepaper “Certified Pre-Owned: Abusing Active Directory Certificate Services” for complete details. We’re also presenting this material at Black Hat USA 2021. [EDIT 06/22/21] — We’ve updated some of the details for ESC1 and ESC2 in this…

Active Directory

22 min read



Published in

Posts By SpecterOps Team Members

·Aug 9

Hacking With Your Nemesis

In the first post in this series, On (Structured) Data, we talked about the gap area of offensive structured data and ended with the question, “If all of our offensive tools produced and worked with structured data, what would be possible?” The second post, Challenges In Post-Exploitation Workflows, covered several…

Offensive Security

18 min read



Published in

Posts By SpecterOps Team Members

·Aug 2

Challenges In Post-Exploitation Workflows

In our previous post, we talked about the problem of structured data in the post-exploitation community. We touched on the existing relationship between our tools and data and covered some of the domain-specific challenges that come with offensive data collection. We ended with the question “If all of our offensive…

Red Team

13 min read



Published in

Posts By SpecterOps Team Members

·Jul 26

On (Structured) Data

Introduction The offensive security industry is a curious one. On one hand, we are ahead in various trends (or “thought leadership,” as some would have us term it) and are used to literally “moving fast and breaking things.” On the other hand, we’re far behind similar disciplines. One major area where…

Offensive Security

9 min read



Published in

Posts By SpecterOps Team Members

·Nov 9, 2022

Certificates and Pwnage and Patches, Oh My!

This post was written by Will Schroeder and Lee Christensen. A lot has happened since we released the “Certified Pre-Owned” blog post and whitepaper in June of last year. While the paper details a LOT of tradecraft ranging from credential theft to domain persistence, the part that caught most people’s…

Active Directory

16 min read



Published in

Posts By SpecterOps Team Members

·Jul 7, 2022

Koh: The Token Stealer

Edit 07/13/22: After an awesome back and forth with Clément Notin and @SteveSyfuhs on Twitter on the effects of “TokenLeakDetectDelaySecs” and “Protected Users” for mitigating token theft, I’ve updated the Koh README to reflect these mitigations. Years ago I was chatting with a few experienced red teamers and one was…

Windows

11 min read



Published in

Posts By SpecterOps Team Members

·Jun 1, 2022

DeepPass — Finding Passwords With Deep Learning

One of the routine tasks operators regularly encounter on most engagements is data mining. While exactly what operators are after varies from environment to environment, there is one common target that everyone’s always interested in: passwords. After diving into machine learning from an adversarial perspective I started to pay attention…

Machine Learning

12 min read



Published in

Posts By SpecterOps Team Members

·May 4, 2022

Learning Machine Learning Part 3: Attacking Black Box Models

In the first post in this series we covered a brief background on machine learning, the Revoke-Obfuscation approach for detecting obfuscated PowerShell scripts, and my efforts to improve the dataset and models for detecting obfuscated PowerShell. …

Machine Learning

24 min read



Published in

Posts By SpecterOps Team Members

·Apr 26, 2022

Learning Machine Learning Part 2: Attacking White Box Models

In the previous post, I went through a very brief overview of some machine learning concepts, talked about the Revoke-Obfuscation project, and detailed my efforts at improving the dataset and models for detecting obfuscated PowerShell scripts. That resulted in three separate tuned models for obfuscated PowerShell script detection: a Logistic…

Machine Learning

25 min read



Published in

Posts By SpecterOps Team Members

·Apr 5, 2022

Learning Machine Learning Part 1: Introduction and Revoke-Obfuscation

For the past two years I’ve been trying to get a grasp on the field of machine learning with the hopes of applying it to both offense and defense. At the beginning of this journey I had no idea what Random Forests were, the tradeoffs of underfitting and overfitting, what…

Machine Learning

28 min read



Researcher @SpecterOps. Coding towards chaotic good while living on the decision boundary.
