Jonas Bülow Knudsen
jonas-bk.bsky.social
Reposted by Jonas Bülow Knudsen
The only conference dedicated to Attack Path Management is back!

3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy.

🎟️ Save 25% with early bird: specterops.io/so-con
October 1, 2025 at 5:31 PM
Reposted by Jonas Bülow Knudsen
We've got a fresh #BloodHoundBasics post from @jonas-bk.bsky.social!

Ever wondered about those obscure AD special identity groups that quietly grant permissions to every principal in your environment?

With BloodHound, you can uncover compromising permissions tied to these groups.

🧵: 1/2
September 5, 2025 at 6:28 PM
Reposted by Jonas Bülow Knudsen
DEF CON releases, PDQ SmartDeploy creds (@unsigned_sh0rt), FortiSIEM root command injection (@SinSinology), a cat themed loader (@vxunderground), fine-tune LLMs for offsec (@kyleavery_), juicing NTDS.DIT (@MGrafnetter), and more!

blog.badsectorlabs.com/last-week-in...
Last Week in Security (LWiS) - 2025-08-18
blog.badsectorlabs.com
August 19, 2025 at 6:30 PM
Reposted by Jonas Bülow Knudsen
One of the results of the joint research with @dirkjanm.io is entrascopes.com

Basically the yellow pages for Microsoft first party apps.

#TROOPERS25
June 26, 2025 at 9:48 AM
I published two blog posts today! 📝🐫

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read 🥳
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...
specterops.io
June 25, 2025 at 10:14 AM
Reposted by Jonas Bülow Knudsen
Introducing the BloodHound Query Library! 📚

@martinsohn.dk & @joeydreijer.bsky.social explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ
Introducing the BloodHound Query Library - SpecterOps
The BloodHound Query Library is a community-driven collection of BloodHound Cypher available at https://queries.specterops.io
ghst.ly
June 17, 2025 at 7:14 PM
Reposted by Jonas Bülow Knudsen
Received the news today that my talk "Advanced Active Directory to Entra ID lateral movement techniques" was also accepted for @defcon.bsky.social 🎉 hope to see everyone there!
June 10, 2025 at 12:28 PM
Reposted by Jonas Bülow Knudsen
It's #BloodHoundBasics day! 🙌

The docs got a fresh new look and are live at bloodhound.specterops.io — now back in the GitHub repo too, so PRs are welcome!

s/o @jonas-bk.bsky.social
May 9, 2025 at 6:08 PM
Reposted by Jonas Bülow Knudsen
Getting started w/ Mythic? We've got you covered.

@its-a-feature.bsky.social walks through the web UI basics, login process, & how to configure your default username/password. Check it out! ▶️ ghst.ly/user-interface

Watch the full series: ghst.ly/mythic-op
April 17, 2025 at 8:12 PM
Thrilled to be speaking at @wearetroopers.bsky.social again this year - can’t wait to be back! 🥳
April 17, 2025 at 4:01 PM
Highly recommend this one. It's a good read :)
Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
April 9, 2025 at 4:27 AM
Had a blast at #SOCON2025!
It was great to meet up with colleagues and friends 💜

The slides from my presentation are available here: github.com/JonasBK/Pres...
April 2, 2025 at 12:16 AM
Reposted by Jonas Bülow Knudsen
That's all folks! 👋 Thank you to everyone who attended & presented talks during our #SOCON2025 conference days. Our training courses kick off tomorrow at 9AM back at Convene.
April 1, 2025 at 11:34 PM
Reposted by Jonas Bülow Knudsen
Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:
March 31, 2025 at 2:39 PM
Reposted by Jonas Bülow Knudsen
If you missed the session on NTLM at #SOCON2025, you're in luck! Join @tifkin.bsky.social, @cptjesus.bsky.social, and @harmj0y.bsky.social on April 17 for a webinar discussing their research into modeling NTLM relay attacks within BloodHound.

Register today! ➡️ ghst.ly/ntlm-web
March 31, 2025 at 3:14 PM
Reposted by Jonas Bülow Knudsen
Day 1 at #SOCON2025 has wrapped! 👊

We will see you right back here tomorrow for even more great content from our speakers. Check out the agenda for Day 2 at specterops.io/so-con.
March 31, 2025 at 11:42 PM
Reposted by Jonas Bülow Knudsen
It’s #BloodHoundBasics Day! 🎉

Want to find relationships across AD domains? Use this Cypher query:

MATCH p = (x:Base)-->(y:Base)
WHERE x.domain <> y.domain
AND NOT COALESCE(x.system_tags, '') CONTAINS 'admin_tier_0'
RETURN p
LIMIT 100

(1/2)
March 28, 2025 at 6:18 PM
Reposted by Jonas Bülow Knudsen
Active Directory isn't going anywhere, but security pros lack key knowledge. 🧠

Join @jimsycurity.adminsdholder.com & Darryl Baker at @bsidescharm.bsky.social for their AD Security 101 training, which aims to give you tools to find & fix misconfigurations attackers exploit. bsidescharm.org
March 28, 2025 at 3:19 PM
Reposted by Jonas Bülow Knudsen
The query excludes Tier Zero control to filter out legit permissions granted to groups such as Enterprise Admins.

The screenshot is redacted, but can you guess the name of the group in the middle? Hint: It has something to do with emails.

s/o @jonas-bk.bsky.social

(2/2)
March 28, 2025 at 6:18 PM
Reposted by Jonas Bülow Knudsen
Accurately see what permissions are exploitable in your AD environment. Chris Thompson discusses a recent update in BloodHound that shows fewer false positives for Owns/WriteOwner edges, & introduces the new Owns/WriteOwnerLimitedRights edges.

Read more: ghst.ly/3QORQdF
Do You Own Your Permissions, or Do Your Permissions Own You? - SpecterOps
tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges Before we get started, if you’d prefer to listen to a 10-minute presentation instead of or to supplement reading this pos...
ghst.ly
March 26, 2025 at 6:16 PM
Reposted by Jonas Bülow Knudsen
Next.js auth bypass (@zhero___ + @inzo____), ServiceNow for red teamers (@__invictus_), Veeam RCE - again! (@chudyPB), ArgFuscator (@Wietze), and more!

blog.badsectorlabs.com/last-week-in...
Last Week in Security (LWiS) - 2025-03-24
blog.badsectorlabs.com
March 25, 2025 at 4:02 PM
Reposted by Jonas Bülow Knudsen
Before locking in for the OSCP exam, it’s highly recommended to complete the practical lab networks. @anam0x.bsky.social shares his tips on how to maximize the lab experience in Part 3 of his blog series: ghst.ly/4iDWjML

🧵: 1/4
Getting the Most Value Out of the OSCP: The PEN-200 Labs - SpecterOps
How to leverage the PEN-200 simulated black-box penetration testing scenarios for maximal self-improvement and career success. Disclaimer: All opinions expressed in this article are solely my own. I h...
ghst.ly
March 25, 2025 at 5:05 PM
Reposted by Jonas Bülow Knudsen
What's the purpose of the x-ms-DeviceCredential header if the device id claim is already included in the user access token? It seems redundant
March 21, 2025 at 5:48 PM
Reposted by Jonas Bülow Knudsen
Happy #BloodHoundBasics day! This week we are looking at how BloodHound classifies Tier Zero.

Q: Why is not just the DA group Tier Zero but also all members?
A: BloodHound classifies a few default Tier Zero assets, then adds more w/ logic from known attack techniques.

1/8
March 21, 2025 at 6:36 PM