Reposted by Andy Robbins
Note: Work related
I do Active Directory stuff for a living. Security research to be more specific. One of my favorite niche AD topics is AdminSDHolder. It's even my vanity domain.
I wrote a 159 pg book about AdminSDHolder. I'm kinda proud of it.
specterops.io/resources/ad...
AdminSDHolder Misconceptions & Misconfigurations - SpecterOps
AdminSDHolder is an object and associated process in Active Directory Domain Services (AD DS) that helps protect specific sensitive and highly privileged accounts from being manipulated. This topic is...
specterops.io
October 31, 2025 at 7:47 PM
Reposted by Andy Robbins
See your network shares the way attackers do. 👀
Meet ShareHound, an OpenGraph collector for BloodHound CE & Enterprise that reveals share-level attack paths at scale.
@podalirius.bsky.social unpacks all the details in our latest blog post. ghst.ly/4ogiBqt
ShareHound: An OpenGraph Collector for Network Shares - SpecterOps
ShareHound is an OpenGraph collector for BloodHound CE and BloodHound Enterprise helping identify attack paths to network shares automatically.
ghst.ly
October 30, 2025 at 5:34 PM
Reposted by Andy Robbins
Incredible to see @hdm.io using BloodHound to build the new runZeroHound, connecting asset inventory data from @runzero.com with attack path visualization.
Love seeing the community take BloodHound in new directions!
Just like chocolate and peanut butter, runZero and BloodHound are an amazing combination. Today we are introducing runZeroHound - an open source toolkit for bringing runZero Asset Inventory data into BloodHound attack graphs: www.runzero.com/blog/introdu...
Uncovering network attack paths with runZeroHound
runZeroHound converts runZero asset inventories into BloodHound OpenGraph imports, enabling Cypher-based analysis of real network attack paths.
www.runzero.com
October 27, 2025 at 6:06 PM
Reposted by Andy Robbins
Credential Guard was supposed to end credential dumping. It didn't.
Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.
Read for more: ghst.ly/4qtl2rm
Catching Credential Guard Off Guard - SpecterOps
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
ghst.ly
October 23, 2025 at 5:45 PM
Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...
PingOne Attack Paths - SpecterOps
You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances.
specterops.io
October 20, 2025 at 5:43 PM
Reposted by Andy Robbins
@reconmtl.bsky.social has uploaded the majority of the 2025 talks, including my talk on LSA. You can check it out at the below link if you'd like.
Thank you again to the organizers and everyone else who helps put on the conference. I look forward to coming back!
youtu.be/G2CfMWXLU1U?...
Recon 2025 - The Finer Details of LSA Credential Recovery
YouTube video by Recon Conference
youtu.be
October 16, 2025 at 3:34 PM
Reposted by Andy Robbins
Check out my new blog diving deeper into BroCI.
Microsoft introduced nested application auth (NAA) in 2024. Researchers spotted FOCI similarities & dubbed it brokered client IDs (BroCI).
@1cemoon.bsky.social documents NAA flows and BroCI—filling a gap for research on Microsoft identity protocols. ghst.ly/3Jdhp7Z
NAA or BroCI...? Let Me Explain - SpecterOps
This writeup is a summary of knowledge and resources for nested application authentication (NAA) and brokered client IDs (BroCI)
ghst.ly
October 15, 2025 at 6:35 PM
A little OpenGraph POC for mapping PE header imports of all .dll and .exe files in a fresh Windows install. These are all the binaries that have some kind of import chain leading to kernel32.dll
October 2, 2025 at 4:51 PM
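The post above describes the idea (parse every PE file's import table, load the importer/imported relationships into BloodHound OpenGraph, then ask which binaries have an import chain ending at kernel32.dll) but not the code. The block below is an added example, not the original POC: it builds the OpenGraph-style ingest document from a constructed, labelled set of import relationships, and answers the "which binaries reach kernel32.dll" question with a breadth-first walk over the reverse edges. The node kind `PEFile`, the edge kind `Imports`, the `source_kind` value and the exact shape of the OpenGraph JSON are assumptions for illustration; the optional `imports_from_file` helper uses the third-party `pefile` library if it is installed and is not needed to run the rest.

```python
"""Added example: PE import graph -> OpenGraph-style JSON + chain search.

Not the POC from the post. Kind names and the JSON layout are assumptions.
"""
import json
from collections import deque

# Constructed sample data (not real PE parsing output): binary -> DLLs it imports.
SAMPLE_IMPORTS = {
    "ntdll.dll": [],
    "kernelbase.dll": ["ntdll.dll"],
    "kernel32.dll": ["ntdll.dll", "kernelbase.dll"],
    "advapi32.dll": ["kernel32.dll", "ntdll.dll"],
    "user32.dll": ["kernel32.dll", "ntdll.dll"],
    "notepad.exe": ["user32.dll", "advapi32.dll"],
    "cmd.exe": ["kernel32.dll"],
    "standalone.exe": ["ntdll.dll"],  # reaches ntdll directly, never kernel32
}

# Assumed Cypher for the same question once the graph is ingested (labels are ours).
CYPHER_CHAINS_TO_KERNEL32 = (
    'MATCH p = (b:PEFile)-[:Imports*1..]->(k:PEFile {name: "kernel32.dll"}) RETURN p'
)


def imports_from_file(path):
    """Read the import directory of one PE file with `pefile` (optional dependency)."""
    import pefile  # third-party; only imported when this helper is actually used
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]]
    )
    entries = getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])
    return [e.dll.decode("ascii", "replace").lower() for e in entries]


def to_opengraph(imports, source_kind="PEImport"):
    """Emit an OpenGraph-style ingest document: one node per binary, one edge per import."""
    nodes = [
        {"id": name.lower(), "kinds": ["PEFile", "Base"], "properties": {"name": name.lower()}}
        for name in imports
    ]
    edges = [
        {
            "kind": "Imports",
            "start": {"value": importer.lower(), "match_by": "id"},
            "end": {"value": dep.lower(), "match_by": "id"},
        }
        for importer, deps in imports.items()
        for dep in deps
    ]
    return {"graph": {"nodes": nodes, "edges": edges}, "metadata": {"source_kind": source_kind}}


def reaches(imports, target="kernel32.dll"):
    """Return every binary with a direct or transitive import chain to `target`.

    BFS over the reverse edges (imported -> importers), so each binary is
    visited once even when the import graph contains cycles.
    """
    reverse = {}
    for importer, deps in imports.items():
        for dep in deps:
            reverse.setdefault(dep.lower(), set()).add(importer.lower())
    seen, queue = set(), deque([target.lower()])
    while queue:
        cur = queue.popleft()
        for importer in sorted(reverse.get(cur, ())):
            if importer not in seen:
                seen.add(importer)
                queue.append(importer)
    return seen


def shortest_chain(imports, start, target="kernel32.dll"):
    """Shortest import path from `start` to `target` (BFS), or None if unreachable."""
    start, target = start.lower(), target.lower()
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for dep in imports.get(cur, []):
            dep = dep.lower()
            if dep not in parent:
                parent[dep] = cur
                queue.append(dep)
    return None


if __name__ == "__main__":
    print(json.dumps(to_opengraph(SAMPLE_IMPORTS), indent=2))
    print(sorted(reaches(SAMPLE_IMPORTS)))
    print(shortest_chain(SAMPLE_IMPORTS, "notepad.exe"))
```

To run it against a real install, replace `SAMPLE_IMPORTS` with `{f.name: imports_from_file(f) for f in Path(r"C:\Windows\System32").glob("*.dll")}` (plus the `.exe` files), then POST the `to_opengraph` output to the BloodHound file-ingest endpoint. The reverse-edge BFS is the same answer the Cypher query gives; it is here so the result can be checked before anything is ingested.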
Reposted by Andy Robbins
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
Reposted by Andy Robbins
Adalanche searches work way better now - it uses BFS rather than DFS, which gave unnecessarily long paths at times. This is available in the latest commit on GitHub.
There might be bugs with the new search - let me know if you see any strangeness. Happy hunting :-)
September 8, 2025 at 7:26 PM
Reposted by Andy Robbins
We've got a fresh #BloodHoundBasics post from @jonas-bk.bsky.social!
Ever wondered about those obscure AD special identity groups that quietly grant permissions to every principal in your environment?
With BloodHound, you can uncover compromising permissions tied to these groups.
🧵: 1/2
September 5, 2025 at 6:28 PM
Reposted by Andy Robbins
BloodHound isn't just for Active Directory anymore. 🤯
@sadprocessor.bsky.social dives into the BloodHound OpenGraph functionality & demonstrates the new PowerShell cmdlets added to the BloodHound Operator module to work with the OpenGraph feature. ghst.ly/4peTTrB
BloodHound Operator: The Six Degrees Of Master Yoda - SpecterOps
A Technical Dive Into BloodHound OpenGraph With BloodHound Operator & Master Yoda… TL;DR: The latest version of BloodHound introduces BloodHound OpenGraph. This new feature allows for ingestion of any...
ghst.ly
September 4, 2025 at 7:49 PM
From November 2016:
This is how I used to design BloodHound's entity panels. Just a text editor to list out what I as a red-teamer wanted to see, with the corresponding (then new) cypher queries listed as well.
Simple, VERY low-fidelity mockup, but really helped during the design phase.
September 4, 2025 at 3:17 PM
🚨 New #BloodHound shirt alert 🚨
✅ - Unisex adult/child and ladies sizes available
✅ - Cool design :)
✅ - ALL profits go to charity
This time we are supporting Hope for HIE, which supports families suffering the effects of hypoxic ischemic encephalopathy
Get your shirt here: ghst.ly/bh8-tshirt
BloodHound 8.0 T-Shirt Fundraiser, Supporting Hope for HIE
Hope for HIE is the global voice for families affected by Hypoxic Ischemic Encephalopathy. As the world’s largest HIE support network, Hope for HIE offers personalized resources, education, and a deep...
ghst.ly
August 27, 2025 at 8:21 PM
Reposted by Andy Robbins
Check out my new blog on nested app authentication.
Why should Microsoft's Nested App Authentication (NAA) be on your security team's radar? @1cemoon.bsky.social breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3
Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication - SpecterOps
In depth walkthrough for using nested app authentication (NAA), or BroCI, for offensive engagements to access information and resources.
ghst.ly
August 13, 2025 at 4:43 PM
In this blog post I explain the fundamental building blocks, vocabulary, and principles of attack graph design for BloodHound: specterops.io/blog/2025/08...
Attack Graph Model Design Requirements and Examples - SpecterOps
TL;DR OpenGraph makes it easy to add new nodes and edges into BloodHound, but doesn’t design your data model for you. This blog post has everything you need to get started with proper attack graph mod...
specterops.io
August 1, 2025 at 4:21 PM
Reposted by Andy Robbins
Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍
Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA
What’s Your Secret?: Secret Scanning by DeepPass2 - SpecterOps
Discover DeepPass2 - a secret scanning tool combining BERT-based model and LLMs to detect free-form passwords, and other structured tokens and secrets with high accuracy.
ghst.ly
July 31, 2025 at 5:36 PM
Reposted by Andy Robbins
Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.
@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.
Read more: ghst.ly/3ISMGN9
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
ghst.ly
July 30, 2025 at 5:01 PM
Reposted by Andy Robbins
BloodHound v8.0 is here! 🎉
This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.
Read more from Justin Kohler: ghst.ly/bloodhoundv8
🧵: 1/7
July 29, 2025 at 1:13 PM
Reposted by Andy Robbins
Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...
GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline
An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.
github.com
June 28, 2025 at 4:14 AM
Reposted by Andy Robbins
So you've compromised a host that isn’t cloud-joined. Antero Guy breaks down how to request OAuth tokens & enumerate an Entra ID tenant by using an SSO cookie from a non cloud-joined device.
Read more: ghst.ly/445tQKL
Requesting Entra ID Tokens with Entra ID SSO Cookies - SpecterOps
Learn how to use a browser SSO cookie to request Entra ID OAuth tokens and enumerate a target tenant. This technique is useful when a device is not joined to an Entra ID tenant.
ghst.ly
June 27, 2025 at 8:31 PM
Reposted by Andy Robbins
I published two blog posts today! 📝🐫
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...
specterops.io
June 25, 2025 at 10:14 AM
Reposted by Andy Robbins
🕵️♀️ I'll be presenting "I SPy: Rethinking Entra ID research for new paths to Global Admin” at fwd:cloudsec June 30-July 1, alongside some fantastic other speakers: fwdcloudsec.org/conference/n...
If you can’t make it, talks are streamed at: www.youtube.com/@fwdcloudsec
fwd:cloudsec 2025 Speaker Bios & Abstracts | fwd:cloudsec
fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...
fwdcloudsec.org
June 17, 2025 at 12:54 PM
Reposted by Andy Robbins
New tricks, same impact
posts.specterops.io/update-dumpi...
Update: Dumping Entra Connect Sync Credentials
Recently, Microsoft changed the way the Entra Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials…
posts.specterops.io
June 9, 2025 at 6:21 PM