SpecterOps
@specterops.io
Creators of BloodHound | Experts in Adversary Tradecraft | Leaders in Identity Attack Path Management
Go to the Privilege Zone page & click “Create Selector.” Name it, add a description, and set the selector type to Cypher.
Enter your Cypher query & preview nodes via “Update Sample Results.” Happy with it? Click “Save” — done!
🧵: 2/3
Enter your Cypher query & preview nodes via “Update Sample Results.” Happy with it? Click “Save” — done!
🧵: 2/3
November 7, 2025 at 7:34 PM
Go to the Privilege Zone page & click “Create Selector.” Name it, add a description, and set the selector type to Cypher.
Enter your Cypher query & preview nodes via “Update Sample Results.” Happy with it? Click “Save” — done!
🧵: 2/3
Enter your Cypher query & preview nodes via “Update Sample Results.” Happy with it? Click “Save” — done!
🧵: 2/3
In today's #BloodHoundBasics, @sadprocessor.bsky.social
highlights a powerful new feature you might’ve missed: Cypher Selectors for Privilege Zones.
Why powerful? Unlike classic objectid selectors, Cypher selectors use complex conditions & can be created before the node exists.
🧵: 1/3
highlights a powerful new feature you might’ve missed: Cypher Selectors for Privilege Zones.
Why powerful? Unlike classic objectid selectors, Cypher selectors use complex conditions & can be created before the node exists.
🧵: 1/3
November 7, 2025 at 7:34 PM
In today's #BloodHoundBasics, @sadprocessor.bsky.social
highlights a powerful new feature you might’ve missed: Cypher Selectors for Privilege Zones.
Why powerful? Unlike classic objectid selectors, Cypher selectors use complex conditions & can be created before the node exists.
🧵: 1/3
highlights a powerful new feature you might’ve missed: Cypher Selectors for Privilege Zones.
Why powerful? Unlike classic objectid selectors, Cypher selectors use complex conditions & can be created before the node exists.
🧵: 1/3
Attackers don’t exploit tools—they exploit identities. Learn how to defend where it matters. Join operators and defenders for one of our hands-on training courses at #SOCON2026.
In-person attendees also receive a free conference pass. Save your spot ➡️ ghst.ly/socon-2026
In-person attendees also receive a free conference pass. Save your spot ➡️ ghst.ly/socon-2026
November 6, 2025 at 8:32 PM
Attackers don’t exploit tools—they exploit identities. Learn how to defend where it matters. Join operators and defenders for one of our hands-on training courses at #SOCON2026.
In-person attendees also receive a free conference pass. Save your spot ➡️ ghst.ly/socon-2026
In-person attendees also receive a free conference pass. Save your spot ➡️ ghst.ly/socon-2026
NTLM relay research is evolving!
Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.
Grab your spot → ghst.ly/oct-web-bsky
Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.
Grab your spot → ghst.ly/oct-web-bsky
October 29, 2025 at 10:25 PM
NTLM relay research is evolving!
Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.
Grab your spot → ghst.ly/oct-web-bsky
Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.
Grab your spot → ghst.ly/oct-web-bsky
From simple model to powerful platform. 💪
Elad Shamir discusses BloodHound OpenGraph's journey, the challenges of modeling adversary tradecraft, and the Clean Source Principle w/ Jared Atkinson and Justin Kohler in the latest #KnowYourAdversary.
🎧: ghst.ly/4ommfPu
Elad Shamir discusses BloodHound OpenGraph's journey, the challenges of modeling adversary tradecraft, and the Clean Source Principle w/ Jared Atkinson and Justin Kohler in the latest #KnowYourAdversary.
🎧: ghst.ly/4ommfPu
October 29, 2025 at 6:14 PM
From simple model to powerful platform. 💪
Elad Shamir discusses BloodHound OpenGraph's journey, the challenges of modeling adversary tradecraft, and the Clean Source Principle w/ Jared Atkinson and Justin Kohler in the latest #KnowYourAdversary.
🎧: ghst.ly/4ommfPu
Elad Shamir discusses BloodHound OpenGraph's journey, the challenges of modeling adversary tradecraft, and the Clean Source Principle w/ Jared Atkinson and Justin Kohler in the latest #KnowYourAdversary.
🎧: ghst.ly/4ommfPu
It's another #BloodHoundBasics day with Stephen Hinck!
Go back ⬅️, forward ➡️, & share your BloodHound view 👀. Earlier this year, we added Back button support directly through your browser. You can also copy your current URL & share it with a teammate so they see what you see.
Go back ⬅️, forward ➡️, & share your BloodHound view 👀. Earlier this year, we added Back button support directly through your browser. You can also copy your current URL & share it with a teammate so they see what you see.
October 24, 2025 at 6:27 PM
It's another #BloodHoundBasics day with Stephen Hinck!
Go back ⬅️, forward ➡️, & share your BloodHound view 👀. Earlier this year, we added Back button support directly through your browser. You can also copy your current URL & share it with a teammate so they see what you see.
Go back ⬅️, forward ➡️, & share your BloodHound view 👀. Earlier this year, we added Back button support directly through your browser. You can also copy your current URL & share it with a teammate so they see what you see.
Save the JSON file and upload to BloodHound via the Quick Upload and wait a couple of minutes for the data to ingest and update. Search or query for the objects with cypher (8) that you just updated and view the new property (9).
🧵 5/5
🧵 5/5
October 17, 2025 at 6:08 PM
Save the JSON file and upload to BloodHound via the Quick Upload and wait a couple of minutes for the data to ingest and update. Search or query for the objects with cypher (8) that you just updated and view the new property (9).
🧵 5/5
🧵 5/5
Using the OpenGraph schema reference, we’ll make the simplest example we can. All we need are the object SID (5), the kind of object to update (6), and the new property to add to the object (7). ghst.ly/3IQlgbb
🧵 4/5
🧵 4/5
October 17, 2025 at 6:08 PM
Using the OpenGraph schema reference, we’ll make the simplest example we can. All we need are the object SID (5), the kind of object to update (6), and the new property to add to the object (7). ghst.ly/3IQlgbb
🧵 4/5
🧵 4/5
Enumerate the objects that this policy applies to. The information we need is the object SID (3).
The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). ghst.ly/4hpdHFa
🧵 3/5
The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). ghst.ly/4hpdHFa
🧵 3/5
October 17, 2025 at 6:08 PM
Enumerate the objects that this policy applies to. The information we need is the object SID (3).
The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). ghst.ly/4hpdHFa
🧵 3/5
The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). ghst.ly/4hpdHFa
🧵 3/5
A fine grained password policy called tierZeroPasswordPolicy (1) is currently enabled in this domain and applies to the Domain Admins group (2).
🧵 2/5
🧵 2/5
October 17, 2025 at 6:08 PM
A fine grained password policy called tierZeroPasswordPolicy (1) is currently enabled in this domain and applies to the Domain Admins group (2).
🧵 2/5
🧵 2/5
For today’s #BloodHoundBasics from Carlo Alcantara, we explore how easy it is to use OpenGraph to enrich our existing Active Directory data in BloodHound. In this example, we will add a new attribute to AD objects that have a fine grained password policy applied to them.
🧵 1/5
🧵 1/5
October 17, 2025 at 6:08 PM
For today’s #BloodHoundBasics from Carlo Alcantara, we explore how easy it is to use OpenGraph to enrich our existing Active Directory data in BloodHound. In this example, we will add a new attribute to AD objects that have a fine grained password policy applied to them.
🧵 1/5
🧵 1/5
Celebrating #BloodHoundBasics day w/ Nathan Davis!
DYK: Risk calculation in BHE findings can be based on different values—some use Exposure (inbound control), others Impact (outbound). Hover over a finding in the Attack Paths page to see which applies.
DYK: Risk calculation in BHE findings can be based on different values—some use Exposure (inbound control), others Impact (outbound). Hover over a finding in the Attack Paths page to see which applies.
October 10, 2025 at 6:28 PM
Celebrating #BloodHoundBasics day w/ Nathan Davis!
DYK: Risk calculation in BHE findings can be based on different values—some use Exposure (inbound control), others Impact (outbound). Hover over a finding in the Attack Paths page to see which applies.
DYK: Risk calculation in BHE findings can be based on different values—some use Exposure (inbound control), others Impact (outbound). Hover over a finding in the Attack Paths page to see which applies.
The CFP for #SOCON2026 is OPEN! 🙌
Have you been working on something interesting in Attack Path Management or identity-first defense? Join us in Arlington, VA (April 13–14) and share your work with the community.
Submit your talk by Nov. 15 → ghst.ly/socon26-cfp
Have you been working on something interesting in Attack Path Management or identity-first defense? Join us in Arlington, VA (April 13–14) and share your work with the community.
Submit your talk by Nov. 15 → ghst.ly/socon26-cfp
October 9, 2025 at 5:40 PM
The CFP for #SOCON2026 is OPEN! 🙌
Have you been working on something interesting in Attack Path Management or identity-first defense? Join us in Arlington, VA (April 13–14) and share your work with the community.
Submit your talk by Nov. 15 → ghst.ly/socon26-cfp
Have you been working on something interesting in Attack Path Management or identity-first defense? Join us in Arlington, VA (April 13–14) and share your work with the community.
Submit your talk by Nov. 15 → ghst.ly/socon26-cfp
The only conference dedicated to Attack Path Management is back!
3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy.
🎟️ Save 25% with early bird: specterops.io/so-con
3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy.
🎟️ Save 25% with early bird: specterops.io/so-con
October 1, 2025 at 5:31 PM
The only conference dedicated to Attack Path Management is back!
3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy.
🎟️ Save 25% with early bird: specterops.io/so-con
3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy.
🎟️ Save 25% with early bird: specterops.io/so-con
6️⃣ Give the query a Name (and a description if you want) and click Save.
🧵: 5/5
🧵: 5/5
September 26, 2025 at 6:18 PM
6️⃣ Give the query a Name (and a description if you want) and click Save.
🧵: 5/5
🧵: 5/5
5️⃣ Your instance of BH will open and the query will run automatically. You can now click on Save.
🧵: 4/5
🧵: 4/5
September 26, 2025 at 6:18 PM
5️⃣ Your instance of BH will open and the query will run automatically. You can now click on Save.
🧵: 4/5
🧵: 4/5
3️⃣ Enter your instance's URL
4️⃣ Click on Play/Your URL
🧵: 3/5
4️⃣ Click on Play/Your URL
🧵: 3/5
September 26, 2025 at 6:18 PM
3️⃣ Enter your instance's URL
4️⃣ Click on Play/Your URL
🧵: 3/5
4️⃣ Click on Play/Your URL
🧵: 3/5
September 26, 2025 at 6:18 PM
Learn to detect adversary TTPs through behavioral analysis, not just malware signatures. Our Detection course at Specter Bash teaches you to engineer detections based on attacker tactics and techniques.
Register & save your spot ➡️ ghst.ly/specter-bash-2025
Register & save your spot ➡️ ghst.ly/specter-bash-2025
September 23, 2025 at 9:15 PM
Learn to detect adversary TTPs through behavioral analysis, not just malware signatures. Our Detection course at Specter Bash teaches you to engineer detections based on attacker tactics and techniques.
Register & save your spot ➡️ ghst.ly/specter-bash-2025
Register & save your spot ➡️ ghst.ly/specter-bash-2025
🎙️ NEW PODCAST: #KnowYourAdversary
Jared Atkinson & Justin Kohler explore identity security from the attacker's perspective. Real stories, real tactics, real insights.
Check out our first three episodes now 👉 ghst.ly/kya-podcast
Jared Atkinson & Justin Kohler explore identity security from the attacker's perspective. Real stories, real tactics, real insights.
Check out our first three episodes now 👉 ghst.ly/kya-podcast
September 22, 2025 at 7:17 PM
🎙️ NEW PODCAST: #KnowYourAdversary
Jared Atkinson & Justin Kohler explore identity security from the attacker's perspective. Real stories, real tactics, real insights.
Check out our first three episodes now 👉 ghst.ly/kya-podcast
Jared Atkinson & Justin Kohler explore identity security from the attacker's perspective. Real stories, real tactics, real insights.
Check out our first three episodes now 👉 ghst.ly/kya-podcast
The JSON can then be ingested by BloodHound CE & Enterprise. Security teams can now search for organization-specific attack paths involving ManagerOf, for example, validating that no subordinate is a higher tier than their manager.
🧵 5/6
🧵 5/6
September 19, 2025 at 6:24 PM
The JSON can then be ingested by BloodHound CE & Enterprise. Security teams can now search for organization-specific attack paths involving ManagerOf, for example, validating that no subordinate is a higher tier than their manager.
🧵 5/6
🧵 5/6
Vibe-coding a collector (ManagerOfHound.ps1) that will:
✅ Get User objects with managers
✅ Get the manager User objects
✅ Create an OpenGraph JSON structure with the ManagerOf edge
🧵 4/6
✅ Get User objects with managers
✅ Get the manager User objects
✅ Create an OpenGraph JSON structure with the ManagerOf edge
🧵 4/6
September 19, 2025 at 6:24 PM
Vibe-coding a collector (ManagerOfHound.ps1) that will:
✅ Get User objects with managers
✅ Get the manager User objects
✅ Create an OpenGraph JSON structure with the ManagerOf edge
🧵 4/6
✅ Get User objects with managers
✅ Get the manager User objects
✅ Create an OpenGraph JSON structure with the ManagerOf edge
🧵 4/6
We create this attack graph model in arrows.app
@andyrobbins.bsky.social has written extensively about model design: ghst.ly/46tAkmO
A shorter version is in the BloodHound OpenGraph docs: ghst.ly/48vo0EW
🧵 3/6
@andyrobbins.bsky.social has written extensively about model design: ghst.ly/46tAkmO
A shorter version is in the BloodHound OpenGraph docs: ghst.ly/48vo0EW
🧵 3/6
September 19, 2025 at 6:24 PM
We create this attack graph model in arrows.app
@andyrobbins.bsky.social has written extensively about model design: ghst.ly/46tAkmO
A shorter version is in the BloodHound OpenGraph docs: ghst.ly/48vo0EW
🧵 3/6
@andyrobbins.bsky.social has written extensively about model design: ghst.ly/46tAkmO
A shorter version is in the BloodHound OpenGraph docs: ghst.ly/48vo0EW
🧵 3/6
First, some background: the customer has a portal where managers can reset passwords of their subordinates. In Active Directory, a subordinate's 'Manager' attribute is populated with the manager's 'DistinguishedName' attribute.
🧵 2/6
🧵 2/6
September 19, 2025 at 6:24 PM
First, some background: the customer has a portal where managers can reset passwords of their subordinates. In Active Directory, a subordinate's 'Manager' attribute is populated with the manager's 'DistinguishedName' attribute.
🧵 2/6
🧵 2/6
New #BloodHoundBasics post from @martinsohn.dk ‼️
Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see...
🧵 1/6
Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see...
🧵 1/6
September 19, 2025 at 6:24 PM
New #BloodHoundBasics post from @martinsohn.dk ‼️
Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see...
🧵 1/6
Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see...
🧵 1/6