harmj0y
@harmj0y.bsky.social
Researcher @SpecterOps. Coding towards chaotic good while living on the decision boundary. #dontbanequality
Reposted by harmj0y
Seattle politics nerds explaining the next week of ballot counting
GIF alt text: a man is writing on a whiteboard with the words "it's simple math" written below him
November 7, 2025 at 12:07 AM
Reposted by harmj0y
Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...
PingOne Attack Paths - SpecterOps
You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances.
specterops.io
October 20, 2025 at 5:43 PM
Reposted by harmj0y
Someone told me recently that they think the Internet is the Great Filter and I don't know how I feel right now
September 16, 2025 at 6:24 PM
Lots of cool new Nemesis features merging in soon from @tifkin_ and me! Development definitely didn't stop with the 2.0 release :) github.com/SpecterOps/N...
GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline
An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.
github.com
September 16, 2025 at 7:07 PM
Reposted by harmj0y
HACK THE PLANET!
Happy Zero Cool Day to all who celebrate.
August 10, 2025 at 5:01 PM
Reposted by harmj0y
A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7) 👇
July 13, 2025 at 7:39 AM
Reposted by harmj0y
Andy Robbins: The Evolution of Bloodhound podcasters.spotify.c...
Andy Robbins: The Evolution of Bloodhound by Phillip Wylie Show
About The Guest: Andy Robbins is the Principal Product Architect at SpecterOps and one of the original 13 founding members of the company. He has a background in pen testing and red teaming and is the co-creator of Bloodhound, a popular open-source tool for attack path mapping in Active Directory environments.

Summary: Andy Robbins, the Principal Product Architect at SpecterOps, joins host Phillip Wylie to discuss the evolution of Bloodhound, a tool for attack path mapping in Active Directory environments. Andy shares the origin story of Bloodhound and how it was developed to solve the problem of finding attack paths in complex environments. He explains the graph theory behind Bloodhound and how it visualizes data to help practitioners and defenders understand and mitigate security risks. Andy also discusses the recent release of Bloodhound Community Edition (CE) and the improvements it brings, including faster data ingest, query times, and a friendlier user experience. He highlights the focus on practical attack primitives and abuse primitives in Bloodhound and the goal of making attack paths a non-issue for organizations. Andy concludes by sharing valuable advice for those looking to advance in the industry, emphasizing the importance of understanding and solving real problems and being loyal to people rather than companies.

Key Takeaways:
Bloodhound is a tool for attack path mapping in Active Directory environments, using graph theory to visualize data and identify security risks.
Bloodhound Community Edition (CE) brings improvements such as faster data ingest, query times, and a friendlier user experience.
Bloodhound focuses on practical attack primitives and abuse primitives to solve real security problems and make attack paths a non-issue for organizations.

Quotes:
"If we give people an excellent experience for free, then enough of those people will choose to become paying customers that we have a viable business." - Andy Robbins
"The industry as a whole is very young, but the capability of visualizing data problems and data security problems in this way is also relatively brand new." - Andy Robbins
"We focus on attack paths or risk that emerges out of a combination of the mechanics of a system, the configurations of that system, and the behaviors of users or identities in that system." - Andy Robbins

Socials and Resources:
https://twitter.com/_wald0
https://twitter.com/SpecterOps
https://specterops.io/
https://bloodhoundenterprise.io/
https://github.com/SpecterOps/BloodHound
podcasters.spotify.com
July 1, 2025 at 4:58 PM
Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...
GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline
An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.
github.com
June 28, 2025 at 4:14 AM
Reposted by harmj0y
I published two blog posts today! 📝🐫

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read 🥳
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...
specterops.io
June 25, 2025 at 10:14 AM
Reposted by harmj0y
Sean Metcalf: Active Directory Security podcasters.spotify.c...
Sean Metcalf: Active Directory Security by Phillip Wylie Show
Summary: In this episode of the Phillip Wylie Show, Sean Metcalf, an expert in Active Directory security, discusses his journey into cybersecurity, the evolution of Active Directory and Azure AD, and the common mistakes organizations make in cloud security. He emphasizes the importance of security assessments over penetration testing and shares insights into Trimarc's unique approach to security assessments. Sean also highlights the significance of scripting in security roles and discusses the future of Active Directory in hybrid environments. The episode concludes with information about Trimarc's new product, Trimarc Vision, aimed at enhancing Active Directory security.

Takeaways:
Sean Metcalf has assessed environments with up to 960,000 users.
Active Directory security is often overlooked in organizations.
Many organizations are making the same security mistakes in the cloud as they did on-premises.
Security assessments are crucial for identifying potential vulnerabilities.
Trimarc uses proprietary tools for in-depth security assessments.
Scripting knowledge, especially in PowerShell, is beneficial for security professionals.
Active Directory is not going away anytime soon due to legacy applications.
Organizations should conduct security assessments every couple of years.
Trimarc's assessments provide actionable insights for improving security.
The new Trimarc Vision product aims to enhance Active Directory security monitoring.

Sound Bites:
"It's been quite a year."
"I saw something change in the URL."
"We're the identity experts."

Chapters:
00:00 Introduction to Active Directory Security
03:33 Sean Metcalf's Hacker Origin Story
06:20 The Evolution of Active Directory and Azure AD
09:31 The Importance of Specialization in Cybersecurity
12:30 Active Directory Security Challenges
15:39 The Role of Security Assessments
18:26 Comparing Trimarc and Bloodhound
20:56 Understanding Active Directory Security Assessments
22:35 Getting Started in Active Directory Security
25:30 The Importance of Scripting in Security
34:43 The Hybrid Environment: On-Prem vs Cloud
37:23 Trimarc's Unique Services and Assessments
40:17 Frequency of Active Directory Assessments
42:21 Introducing Trimarc Vision

Resources:
https://www.linkedin.com/in/seanmmetcalf/
https://x.com/PyroTek3
https://www.linkedin.com/company/trimarcsecurity/
https://x.com/TrimarcSecurity
https://www.trimarcsecurity.com/
https://adsecurity.org/
podcasters.spotify.com
June 26, 2025 at 5:38 PM
Reposted by harmj0y
Sentiment analysis models are used to assess conventional use of language, but what happens when you engage with them using l33tspeak?

@atomicchonk.bsky.social digs into what happens if we employ this in adversarial text attacks against AI models.

Read more 👉 ghst.ly/4kW2D37
June 24, 2025 at 7:26 PM
Reposted by harmj0y
Ghostwriter v6's new collaborative editing feature is 🔥

Alex Parrill & @printingprops.com discuss the new real-time collaborative editing for observations, findings, & report fields, enabling multiple users to edit simultaneously without overwriting each other. ghst.ly/4jVqdvG
Ghostwriter v6: Introducing Collaborative Editing - SpecterOps
Ghostwriter now supports real-time collaborative editing for observations, findings, and report fields using the YJS framework, Tiptap editor, and Hocuspocus server, enabling multiple users to edit si...
ghst.ly
June 18, 2025 at 8:14 PM
Reposted by harmj0y
🚨 New blog post alert!

@xpnsec.com drops knowledge on LLM security w/ his latest post showing how attackers can bypass LLM WAFs by confusing the tokenization process to smuggle tokens to back-end LLMs.

Read more: ghst.ly/4koUJiz
Tokenization Confusion - SpecterOps
Meta's Prompt Guard 2 aims to prevent prompt injection. This post looks at how much knowledge of ML we need to be effective at testing these LLM WAFs.
ghst.ly
June 3, 2025 at 5:44 PM
Reposted by harmj0y
Even well-resourced orgs remain vulnerable to NTLM relay attacks. Join @tifkin.bsky.social, @harmj0y.bsky.social, & @cptjesus.bsky.social for our upcoming webinar as they discuss their research into modeling these attacks within BloodHound.

Register today! ➡️ ghst.ly/ntlm-web-bsky
April 9, 2025 at 6:08 PM
Reposted by harmj0y
Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
April 8, 2025 at 11:00 PM
Reposted by harmj0y
In our latest blog post, @xpnsec.com breaks down how SQL Server Transparent Data Encryption works, shares new methods for brute-forcing database encryption keys, & reveals a default key used by ManageEngine's ADSelfService product backups.

Read more 👉 ghst.ly/4iXFTyF
April 8, 2025 at 6:31 PM
Reposted by harmj0y
If you missed the session on NTLM at #SOCON2025, you're in luck! Join @tifkin.bsky.social, @cptjesus.bsky.social, and @harmj0y.bsky.social on April 17 for a webinar discussing their research into modeling NTLM relay attacks within BloodHound.

Register today! ➡️ ghst.ly/ntlm-web
March 31, 2025 at 3:14 PM
Reposted by harmj0y
It’s time! #SOCON2025 is kicking off now. 🥳

Grab your badge & t-shirt and join your fellow conference attendees for breakfast. Follow along here for today’s schedule of events & use our hashtag to share your own updates!
March 31, 2025 at 12:09 PM
Reposted by harmj0y
Accurately see what permissions are exploitable in your AD environment. Chris Thompson discusses a recent update in BloodHound that shows fewer false positives for Owns/WriteOwner edges, & introduces the new Owns/WriteOwnerLimitedRights edges.

Read more: ghst.ly/3QORQdF
Do You Own Your Permissions, or Do Your Permissions Own You? - SpecterOps
tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges Before we get started, if you’d prefer to listen to a 10-minute presentation instead of or to supplement reading this pos...
ghst.ly
March 26, 2025 at 6:16 PM
Reposted by harmj0y
Some of my starts, continued by Fortra, hit a milestone recently. They reduced non-attrib CS servers world-wide by 80% over 2 years

www.cobaltstrike.com/blog/update-...

LONG road. I partnered with Microsoft. 2018. I had TI process to track non-attrib CS servers. 2019. Fortra's novel lawfare. 2022
March 15, 2025 at 3:57 AM
Reposted by harmj0y
#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via the Administration Service API.

Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp
Decrypting the Forest From the Trees - SpecterOps
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...
ghst.ly
March 6, 2025 at 8:34 PM
Reposted by harmj0y
[BLOG]
I had a series in mind like "Rubeus' Hidden Secrets" or something like that. Basically, highlighting features of the tool that seem less well known. I'm starting off with a basic one for getting crackable hashes from cached service tickets.

rastamouse.me/kerberoastin...
Kerberoasting w/o the TGS-REQ
Kerberoasting is a technique that allows an attacker to extract the encrypted part of a TGS-REP and brute force it offline to recover the plaintext password of the associated service account. The most...
rastamouse.me
March 5, 2025 at 4:50 PM
Reposted by harmj0y
SlackPirate sets sail again! 🏴‍☠️

In his latest blog post, Dan Mayer intros his new PR to SlackPirate that lets you loot Slack again out of the box, a BOF to get you all the data you need to do it, & how to bee the most active slacker in your group chat. 🐝 ghst.ly/4hgwMIt
SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack
TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a…
ghst.ly
January 31, 2025 at 4:27 PM