SpecterOps
@specterops.io
Creators of BloodHound | Experts in Adversary Tradecraft | Leaders in Identity Attack Path Management
Pinned
SpecterOps
@specterops.io
· 17d
We’re excited to announce Kevin Mandia as the keynote speaker for #SOCON2026! 🎉
His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.
Secure your spot ➡️ ghst.ly/socon26-bsky
His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.
Secure your spot ➡️ ghst.ly/socon26-bsky
A very merry #BloodHoundBasics, courtesy of @martinsohn.dk!
In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.
🧵: 1/4
In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.
🧵: 1/4
December 26, 2025 at 7:00 PM
A very merry #BloodHoundBasics, courtesy of @martinsohn.dk!
In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.
🧵: 1/4
In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.
🧵: 1/4
We’re closing out 2025 and looking forward to what’s next.
Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.
Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.
Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
December 24, 2025 at 2:19 AM
We’re closing out 2025 and looking forward to what’s next.
Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.
Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.
Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
“Deception is a good lie.”
When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
Mapping Deception with BloodHound OpenGraph - SpecterOps
Explore how to design and visualize high-fidelity cyber deception using BloodHound OpenGraph to map realistic attack paths across Active Directory and third-party technologies. Learn practical techniques, tools, and real-world examples for deploying believable deceptions that improve detection, context, and defender advantage.
ghst.ly
December 23, 2025 at 10:07 PM
“Deception is a good lie.”
When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
Credential Guard was meant to end credential dumping. Nearly a decade later, Valdemar Carøe tested what’s actually possible.
Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.
➡️ ghst.ly/cred-eoybsky
Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.
➡️ ghst.ly/cred-eoybsky
December 22, 2025 at 7:54 PM
Credential Guard was meant to end credential dumping. Nearly a decade later, Valdemar Carøe tested what’s actually possible.
Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.
➡️ ghst.ly/cred-eoybsky
Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.
➡️ ghst.ly/cred-eoybsky
Open source and shared research remain at the core of what we do.
In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.
🧵: 1/5
In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.
🧵: 1/5
December 19, 2025 at 10:35 PM
Open source and shared research remain at the core of what we do.
In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.
🧵: 1/5
In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.
🧵: 1/5
On Christmas Eve at SpecterOps HQ,
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.
🧵: 1/2
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.
🧵: 1/2
December 19, 2025 at 9:04 PM
On Christmas Eve at SpecterOps HQ,
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.
🧵: 1/2
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.
🧵: 1/2
Released earlier this year, Certify 2.0 modernizes AD CS tradecraft with new capabilities and usability improvements, reflecting how much the attack landscape has changed since 1.0.
Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
December 18, 2025 at 10:08 PM
Released earlier this year, Certify 2.0 modernizes AD CS tradecraft with new capabilities and usability improvements, reflecting how much the attack landscape has changed since 1.0.
Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
ICYMI: Our new Mythic for Developers series, hosted by @its-a-feature.bsky.social, dives into tips & tricks for creating or customizing agents and anything else related to Mythic C2.
👀 Check it out: ghst.ly/mythic-dev
👀 Check it out: ghst.ly/mythic-dev
December 18, 2025 at 5:55 PM
ICYMI: Our new Mythic for Developers series, hosted by @its-a-feature.bsky.social, dives into tips & tricks for creating or customizing agents and anything else related to Mythic C2.
👀 Check it out: ghst.ly/mythic-dev
👀 Check it out: ghst.ly/mythic-dev
#SOCON2025 featured deep dives into identity attack paths, adversary tradecraft, and modern detection challenges.
Watch the full talk playlist ➡️ ghst.ly/socon25-talks
We're looking ahead now to #SOCON2026! Register and save your spot ➡️ ghst.ly/socon26-regb...
Watch the full talk playlist ➡️ ghst.ly/socon25-talks
We're looking ahead now to #SOCON2026! Register and save your spot ➡️ ghst.ly/socon26-regb...
December 18, 2025 at 2:39 PM
#SOCON2025 featured deep dives into identity attack paths, adversary tradecraft, and modern detection challenges.
Watch the full talk playlist ➡️ ghst.ly/socon25-talks
We're looking ahead now to #SOCON2026! Register and save your spot ➡️ ghst.ly/socon26-regb...
Watch the full talk playlist ➡️ ghst.ly/socon25-talks
We're looking ahead now to #SOCON2026! Register and save your spot ➡️ ghst.ly/socon26-regb...
This year @mrmurky.bsky.social & @joeydreijer.bsky.social debuted BloodHound Quest #DEFCON33, took it to #BHEU, and turned identity attack paths into a hands-on, competitive experience.
It’s not stopping there! Experience BloodHound Quest on-site at #SOCON2026.
Register 👉 ghst.ly/socon26-eoyb...
It’s not stopping there! Experience BloodHound Quest on-site at #SOCON2026.
Register 👉 ghst.ly/socon26-eoyb...
December 16, 2025 at 9:35 PM
This year @mrmurky.bsky.social & @joeydreijer.bsky.social debuted BloodHound Quest #DEFCON33, took it to #BHEU, and turned identity attack paths into a hands-on, competitive experience.
It’s not stopping there! Experience BloodHound Quest on-site at #SOCON2026.
Register 👉 ghst.ly/socon26-eoyb...
It’s not stopping there! Experience BloodHound Quest on-site at #SOCON2026.
Register 👉 ghst.ly/socon26-eoyb...
Nemesis 2.0 wasn’t an update, it was a rebuild.
Built from real operator feedback, it strips away the noise and focuses on what matters most: fast, effective file triage.
Check out the blog post from @harmj0y.bsky.social ➡️ ghst.ly/nem2-eoybsky
Built from real operator feedback, it strips away the noise and focuses on what matters most: fast, effective file triage.
Check out the blog post from @harmj0y.bsky.social ➡️ ghst.ly/nem2-eoybsky
December 15, 2025 at 10:46 PM
Nemesis 2.0 wasn’t an update, it was a rebuild.
Built from real operator feedback, it strips away the noise and focuses on what matters most: fast, effective file triage.
Check out the blog post from @harmj0y.bsky.social ➡️ ghst.ly/nem2-eoybsky
Built from real operator feedback, it strips away the noise and focuses on what matters most: fast, effective file triage.
Check out the blog post from @harmj0y.bsky.social ➡️ ghst.ly/nem2-eoybsky
PingOneHound, created in partnership with @pingidentity.com, brought BloodHound visibility into PingOne this year, helping defenders discover and remediate identity attack paths.
Check out @andyrobbins.bsky.social's post to learn more → ghst.ly/poh-eoybsky
Check out @andyrobbins.bsky.social's post to learn more → ghst.ly/poh-eoybsky
December 12, 2025 at 11:20 PM
PingOneHound, created in partnership with @pingidentity.com, brought BloodHound visibility into PingOne this year, helping defenders discover and remediate identity attack paths.
Check out @andyrobbins.bsky.social's post to learn more → ghst.ly/poh-eoybsky
Check out @andyrobbins.bsky.social's post to learn more → ghst.ly/poh-eoybsky
Happy #BloodHoundBasics day from Nathan Davis!
Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!
🧵: 1/2
Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!
🧵: 1/2
December 12, 2025 at 8:17 PM
Happy #BloodHoundBasics day from Nathan Davis!
Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!
🧵: 1/2
Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!
🧵: 1/2
BloodHound OpenGraph isn’t just about AD anymore.
In his latest Risky Biz interview, Jared Atkinson breaks down how OpenGraph now maps attack paths across GitHub, AWS, SaaS, CI/CD, and beyond, allowing defenders to see what attackers see.
🎧: ghst.ly/4aSxrPY
In his latest Risky Biz interview, Jared Atkinson breaks down how OpenGraph now maps attack paths across GitHub, AWS, SaaS, CI/CD, and beyond, allowing defenders to see what attackers see.
🎧: ghst.ly/4aSxrPY
December 12, 2025 at 6:57 PM
BloodHound OpenGraph isn’t just about AD anymore.
In his latest Risky Biz interview, Jared Atkinson breaks down how OpenGraph now maps attack paths across GitHub, AWS, SaaS, CI/CD, and beyond, allowing defenders to see what attackers see.
🎧: ghst.ly/4aSxrPY
In his latest Risky Biz interview, Jared Atkinson breaks down how OpenGraph now maps attack paths across GitHub, AWS, SaaS, CI/CD, and beyond, allowing defenders to see what attackers see.
🎧: ghst.ly/4aSxrPY
The BloodHound Query Library, launched by @martinsohn.dk & @joeydreijer.bsky.social, democratizes tradecraft with a shared, searchable ecosystem. With 180+ Cypher queries & counting, the library is an increasingly valuable tool for the BloodHound community!
Browse ➡️ ghst.ly/bql_eoybsky
Browse ➡️ ghst.ly/bql_eoybsky
December 11, 2025 at 11:07 PM
The BloodHound Query Library, launched by @martinsohn.dk & @joeydreijer.bsky.social, democratizes tradecraft with a shared, searchable ecosystem. With 180+ Cypher queries & counting, the library is an increasingly valuable tool for the BloodHound community!
Browse ➡️ ghst.ly/bql_eoybsky
Browse ➡️ ghst.ly/bql_eoybsky
TFW the cookie expired, but the attack path didn’t. 😒
Andrew Gomez explains how BloodHound graph analysis and Azure Seamless SSO enabled pivoting into the cloud.
Read more: ghst.ly/3MwapV8
Andrew Gomez explains how BloodHound graph analysis and Azure Seamless SSO enabled pivoting into the cloud.
Read more: ghst.ly/3MwapV8
Azure Seamless SSO: When Cookie Theft Doesn’t Cut It - SpecterOps
The cookie crumbled when it expired, but the attack path didn’t. Learn how BloodHound graph analysis and Azure Seamless SSO enabled pivoting into the cloud.
ghst.ly
December 11, 2025 at 10:23 PM
TFW the cookie expired, but the attack path didn’t. 😒
Andrew Gomez explains how BloodHound graph analysis and Azure Seamless SSO enabled pivoting into the cloud.
Read more: ghst.ly/3MwapV8
Andrew Gomez explains how BloodHound graph analysis and Azure Seamless SSO enabled pivoting into the cloud.
Read more: ghst.ly/3MwapV8
We’re excited to announce Kevin Mandia as the keynote speaker for #SOCON2026! 🎉
His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.
Secure your spot ➡️ ghst.ly/socon26-bsky
His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.
Secure your spot ➡️ ghst.ly/socon26-bsky
December 11, 2025 at 5:43 PM
We’re excited to announce Kevin Mandia as the keynote speaker for #SOCON2026! 🎉
His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.
Secure your spot ➡️ ghst.ly/socon26-bsky
His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.
Secure your spot ➡️ ghst.ly/socon26-bsky
Identity Attack Path Management took a major step forward in 2025. The APM Maturity Model + CISO Guide give teams clear frameworks to assess posture and put APM into practice.
Maturity Model → ghst.ly/mm-eoybsky
CISO Guide → ghst.ly/ciso-eoybsky
Maturity Model → ghst.ly/mm-eoybsky
CISO Guide → ghst.ly/ciso-eoybsky
December 10, 2025 at 10:42 PM
Identity Attack Path Management took a major step forward in 2025. The APM Maturity Model + CISO Guide give teams clear frameworks to assess posture and put APM into practice.
Maturity Model → ghst.ly/mm-eoybsky
CISO Guide → ghst.ly/ciso-eoybsky
Maturity Model → ghst.ly/mm-eoybsky
CISO Guide → ghst.ly/ciso-eoybsky
Wanting more from today's #BHEU talk on SCOM? Check out this two part blog series!
1️⃣ @unsignedsh0rt.bsky.social maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. ghst.ly/3MBPeAW
🧵: 1/2
1️⃣ @unsignedsh0rt.bsky.social maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. ghst.ly/3MBPeAW
🧵: 1/2
SCOMmand and Conquer - Attacking System Center Operations Manager (Part 1) - SpecterOps
TL:DR; SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and ultimately compromise the entire management group and its monitored infrastructure.
ghst.ly
December 10, 2025 at 5:43 PM
Wanting more from today's #BHEU talk on SCOM? Check out this two part blog series!
1️⃣ @unsignedsh0rt.bsky.social maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. ghst.ly/3MBPeAW
🧵: 1/2
1️⃣ @unsignedsh0rt.bsky.social maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. ghst.ly/3MBPeAW
🧵: 1/2
Day 1 at #BHEU is off to a great start! 🙌
Stop by booth 409 today and tomorrow to chat with our team about the latest in Identity Attack Path Management & see BloodHound Enterprise in action.
Stop by booth 409 today and tomorrow to chat with our team about the latest in Identity Attack Path Management & see BloodHound Enterprise in action.
December 10, 2025 at 1:48 PM
Day 1 at #BHEU is off to a great start! 🙌
Stop by booth 409 today and tomorrow to chat with our team about the latest in Identity Attack Path Management & see BloodHound Enterprise in action.
Stop by booth 409 today and tomorrow to chat with our team about the latest in Identity Attack Path Management & see BloodHound Enterprise in action.
SCOM is one of the most deployed, but least researched, System Center products.
Zach Stein breaks down how it works + how to build a lab to test new tradecraft. ghst.ly/3Ymzfcw
Zach Stein breaks down how it works + how to build a lab to test new tradecraft. ghst.ly/3Ymzfcw
Git SCOMmit - Putting the Ops in OpsMgr - SpecterOps
Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom
ghst.ly
December 9, 2025 at 8:54 PM
SCOM is one of the most deployed, but least researched, System Center products.
Zach Stein breaks down how it works + how to build a lab to test new tradecraft. ghst.ly/3Ymzfcw
Zach Stein breaks down how it works + how to build a lab to test new tradecraft. ghst.ly/3Ymzfcw
Our first State of Attack Path Management Report dropped this year, highlighting why #IdentitySecurity is getting more complex, and why Attack Path Management is essential. It’s the clearest view yet of the adversary’s perspective.
Read → ghst.ly/sapm-eoybsky
Read → ghst.ly/sapm-eoybsky
December 9, 2025 at 6:32 PM
Our first State of Attack Path Management Report dropped this year, highlighting why #IdentitySecurity is getting more complex, and why Attack Path Management is essential. It’s the clearest view yet of the adversary’s perspective.
Read → ghst.ly/sapm-eoybsky
Read → ghst.ly/sapm-eoybsky
Wrapping up 2025 with a look at the work that shaped the year. 🎁
BloodHound OpenGraph expanded visibility across AWS, GCP, GitHub & more, and sparked projects like PingOneHound, JamfHound, ShareHound & MSSQLHound.
Explore OpenGraph → ghst.ly/bhog-bsky
BloodHound OpenGraph expanded visibility across AWS, GCP, GitHub & more, and sparked projects like PingOneHound, JamfHound, ShareHound & MSSQLHound.
Explore OpenGraph → ghst.ly/bhog-bsky
December 8, 2025 at 6:43 PM
Wrapping up 2025 with a look at the work that shaped the year. 🎁
BloodHound OpenGraph expanded visibility across AWS, GCP, GitHub & more, and sparked projects like PingOneHound, JamfHound, ShareHound & MSSQLHound.
Explore OpenGraph → ghst.ly/bhog-bsky
BloodHound OpenGraph expanded visibility across AWS, GCP, GitHub & more, and sparked projects like PingOneHound, JamfHound, ShareHound & MSSQLHound.
Explore OpenGraph → ghst.ly/bhog-bsky
It's #BloodHoundBasics day w/ @andyrobbins.bsky.social! 🎉
"Traversable"? "Non-Traversable"? These are terms you may see in BloodHound documentation & discussions, but what do they mean?
We wrote this page to hopefully clear up the confusion w/ these terms: ghst.ly/48OOuSe
"Traversable"? "Non-Traversable"? These are terms you may see in BloodHound documentation & discussions, but what do they mean?
We wrote this page to hopefully clear up the confusion w/ these terms: ghst.ly/48OOuSe
Traversable and Non-Traversable Edge Types - SpecterOps
Details on traversable and non-traversable edge types in BloodHound
ghst.ly
December 5, 2025 at 11:42 PM
It's #BloodHoundBasics day w/ @andyrobbins.bsky.social! 🎉
"Traversable"? "Non-Traversable"? These are terms you may see in BloodHound documentation & discussions, but what do they mean?
We wrote this page to hopefully clear up the confusion w/ these terms: ghst.ly/48OOuSe
"Traversable"? "Non-Traversable"? These are terms you may see in BloodHound documentation & discussions, but what do they mean?
We wrote this page to hopefully clear up the confusion w/ these terms: ghst.ly/48OOuSe
Ghostwriter v6.1 is out!
🐕 Full BloodHound integration
📝 Collaborative project notes
📑 Improved caption editor
🌙 Dark mode support
🔐 SSO/MFA & usability upgrades
@printingprops.com breaks down how 6.1 streamlines assessment + reporting. ghst.ly/gwv61-bsky
🐕 Full BloodHound integration
📝 Collaborative project notes
📑 Improved caption editor
🌙 Dark mode support
🔐 SSO/MFA & usability upgrades
@printingprops.com breaks down how 6.1 streamlines assessment + reporting. ghst.ly/gwv61-bsky
Ghostwriter v6.1 — Playing Fetch with BloodHound - SpecterOps
Ghostwriter v6.1 introduces a full-featured BloodHound integration that lets you import BloodHound data and findings directly within your projects, alongside new collaborative project notes, upgraded ...
ghst.ly
December 5, 2025 at 9:08 PM
Ghostwriter v6.1 is out!
🐕 Full BloodHound integration
📝 Collaborative project notes
📑 Improved caption editor
🌙 Dark mode support
🔐 SSO/MFA & usability upgrades
@printingprops.com breaks down how 6.1 streamlines assessment + reporting. ghst.ly/gwv61-bsky
🐕 Full BloodHound integration
📝 Collaborative project notes
📑 Improved caption editor
🌙 Dark mode support
🔐 SSO/MFA & usability upgrades
@printingprops.com breaks down how 6.1 streamlines assessment + reporting. ghst.ly/gwv61-bsky