The only conference dedicated to Attack Path Management is back! 3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy. 🎟️ Save 25% with early bird: specterops.io/so-con

We've got a fresh #BloodHoundBasics post from @jonas-bk.bsky.social! Ever wondered about those obscure AD special identity groups that quietly grant permissions to every principal in your environment? With BloodHound, you can uncover compromising permissions tied to these groups. 🧵: 1/2

DEF CON releases, PDQ SmartDeploy creds (@unsigned_sh0rt), FortiSIEM root command injection (@SinSinology), a cat themed loader (@vxunderground), fine-tune LLMs for offsec (@kyleavery_), juicing NTDS.DIT (@MGrafnetter), and more! blog.badsectorlabs.com/last-week-in...

One of the results of the joined research with @dirkjanm.io is entrascopes.com Basically the yellow pages for Microsoft first party apps. #TROOPERS25

I publish two blog posts today! 📝🐫 First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06... Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06... Hope you enjoy the read 🥳

Introducing the BloodHound Query Library! 📚 @martinsohn.dk & @joeydreijer.bsky.social explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ

Received the news today that my talk "Advanced Active Directory to Entra ID lateral movement techniques" was also accepted for @defcon.bsky.social 🎉 hope to see everyone there!

New tricks, same impact posts.specterops.io/update-dumpi...

It's #BloodHoundBasics day! 🙌 The docs got a fresh new look and live at bloodhound.specterops.io — now back in the GitHub repo too, so PRs are welcome! s/o @jonas-bk.bsky.social

Getting started w/ Mythic? We've got you covered. @its-a-feature.bsky.social walks through the web UI basics, login process, & how to configure your default username/password. Check it out! ▶️ ghst.ly/user-interface Watch the full series: ghst.ly/mythic-op

Thrilled to be speaking at @wearetroopers.bsky.social again this year - can’t wait to be back! 🥳

Highly recommend this one. It's a good read :)

Had a blast at #SOCON2025! It was great to meet up with colleagues and friends 💜 The slides from my presentation are available here: github.com/JonasBK/Pres...

That's all folks! 👋 Thank you to everyone who attended & presented talks during our #SOCON2025 conference days. Our training courses kickoff tomorrow at 9AM back at Convene.

Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:

If you missed the session on NTLM at #SOCON2025, you're in luck! Join @tifkin.bsky.social, @cptjesus.bsky.social, and @harmj0y.bsky.social on April 17 for a webinar discussing their research into modeling NTLM relay attacks within BloodHound. Register today! ➡️ ghst.ly/ntlm-web

Day 1 at #SOCON2025 has wrapped! 👊 We will see you right back here tomorrow for even more great content from our speakers. Check out the agenda for Day 2 at specterops.io/so-con.

It’s #BloodHoundBasics Day! 🎉 Want to find relationships cross AD domains? Use this Cypher query: MATCH p = (x:Base)-->(y:Base) WHERE x.domain <> y.domain AND NOT COALESCE(x.system_tags, '') CONTAINS 'admin_tier_0' RETURN p LIMIT 100 (1/2)

Active Directory isn't going anywhere, but security pros lack key knowledge. 🧠 Join @jimsycurity.adminsdholder.com & Darryl Baker at @bsidescharm.bsky.social for their AD Security 101 training, which aims to give you tools to find & fix misconfigurations attackers exploit. bsidescharm.org

The query excludes Tier Zero control to filter out legit permissions granted to groups such as Enterprise Admins. The screenshot is redacted, but can you guess the name of the group in the middle? Hint: It has something to do with emails. s/o @jonas-bk.bsky.social (2/2)

Accurately see what permissions are exploitable in your AD environment. Chris Thompson discusses a recent update in BloodHound that shows fewer false positives for Owns/WriteOwner edges, & introduces the new Owns/WriteOwnerLimitedRights edges. Read more: ghst.ly/3QORQdF

Next.js auth bypass (@zhero___ + @inzo____), ServiceNow for red teamers (@__invictus_), Veeam RCE - again! (@chudyPB), ArgFuscator (@Wietze), and more! blog.badsectorlabs.com/last-week-in...

Before locking in for the OSCP exam, it’s highly recommended to complete the practical lab networks. @anam0x.bsky.social shares his tips on how to maximize the lab experience in Part 3 of his blog series: ghst.ly/4iDWjML 🧵: 1/4

What's the purpose of the x-ms-DeviceCredential header if the device id claim is already included in the user access token? It seems redundant

Happy #BloodHoundBasics day! This week we are looking at how BloodHound classifies Tier Zero. Q: Why is not just the DA group Tier Zero but also all members? A: BloodHound classifies a few default Tier Zero assets, then adds more w/ logic from known attack techniques. 1/8

Super excited to be speaking at SO‑CON 2025 on March 31st with my coworker Lance Cain. We’re diving into an example attack path from real-life red team assessments by Lance Cain, Dan Mayer, myself, and the entire @specterops.bsky.social crew. specterops.io/so-con/ #SOCON2025 #redteam

On PTO and bored, so playing around with MCP by exposing Mythic APIs to Claude and seeing what the result. Attempting to have it emulate threat actors while operating Apollo in a lab... would make a good sparring partner :D www.youtube.com/watch?v=ZooT...

Part 2 of Nathan Davis' Getting Started with BloodHound Enterprise series just dropped! Check out the latest post on understanding & contextualizing Tier Zero, & ensuring you have an accurate depiction of the Attack Paths that exist in your BHE tenant. ghst.ly/4kEebbK

Evilginx Pro (@mrgretzky.breakdev.org ), Pre-auth RCE in a CMS (@chudypb.bsky.social), GOAD ADCS, YouTube email disclosure (@brutecat.com), SAML parser bug (ulldma.bsky.social), and more! blog.badsectorlabs.com/last-week-in...

KrbRelayEx-RPC tool is out! 🎉 Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;) github.com/decoder-it/K...

Happy #BloodHoundBasics day! Tired of the old 'Enable SMB signing everywhere' rec that isn't actually practical? BloodHound can help you convert that massive IT project into a doable risk mitigation effort, focused on those systems truly vulnerable to relay attacks. 🧵: 1/2

Has anyone heard of anyone actually setting up WHFB certificate trust? it's gotta be a MS troll

#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API. Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp

Here we go, folks... our Call for Papers, Tools, and Workshops is open for WWHF - Deadwood 2025! Submit your talk here: wkf.ms/4bA0S7T

[BLOG] I had a series in mind like "Rubeus' Hidden Secrets" or something like that. Basically, highlighting features of the tool that seem less well known. I'm starting off with a basic one for getting crackable hashes from cached service tickets. rastamouse.me/kerberoastin...

Thrilled to announce @specterops.bsky.social has raised Series B funding to tackle Identity Attack Paths! Identity security matters more now than ever. And we're just getting started. Read more: ghst.ly/seriesb-blog

We’re excited to keep pushing forward in eliminating Identity Attack Paths! As orgs grow more complex, Identity Risk is a top concern for security leaders. Proactively shutting down attack paths is the most direct way to reduce the risk of a major breach.

BIG NEWS: SpecterOps raises $75M Series B to strengthen identity security! Led by Insight Partners with Ansa Capital, M12, Ballistic Ventures, Decibel, and Cisco Investments. ghst.ly/seriesb #IdentitySecurity #CyberSecurity (1/6)

Andy Robbins: The Evolution of Bloodhound podcasters.spotify.c...

📝 Submit your feedback and share how your company employs Attack Path Management in our survey. ghst.ly/4hItRYV

⚡️ FedRAMP High authorization 👥 Community-driven improvements 🔮 Future outlook Join @davidmcguire.bsky.social, Jared Atkinson, & Justin Kohler to learn about the latest updates to BloodHound Enterprise & Community Edition! Register: ghst.ly/mar-webinar-...

It appears Microsoft quietly mitigated most of the risk of the "Intune company portal" device compliance CA bypass by restricting the scope of Azure AD graph tokens issued to this app, making them almost useless for most abuse scenarios. Thx @domchell.bsky.social for the heads up.

Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀

Happy #BloodHoundBasics Day! Did you know BloodHound started with just 3 node types and a few edges? Today, it supports 36 node types and 113 edge types, uncovering a vast array of attack paths. Explore more in our docs ➡️ ghst.ly/3WSKoS7 s/o @jonas-bk.bsky.social

I’ll be talking on the second day of SO-CON 2025 (last slot), so if you’re around, consider checking out the British dude babbling on about SQL Server!

ROADtools update: I just released roadlib v1.0! This version drops the adal dependency, all auth flows are now implemented natively 🎉 This was mostly a personal goal, but it helps with adding new features, such as forcing MFA during device code auth independent of CA policies 😀

Your #cybersecurity career starts here! Join our "Hack the Hiring Process" webinar hosted by Technical Recruiting Manager Steffany Velasquez get the inside scoop on landing internships and full-time roles with our expert team. Register today! 👉 ghst.ly/febwebinar-b...

The BloodHound team is expanding! 🐶 We're searching for a passionate individual with BloodHound CE experience to take on a Product Manager role and drive the future of BloodHound CE job-boards.greenhouse.io/specterops/j...

#DYK: CMPivot queries can be used to coerce SMB authentication from #SCCM client hosts. Check out Diego Lomellini's latest blog post, which shares a simple, yet effective way to execute this. ghst.ly/4hnsA9W