SpecterOps
@specterops.io
Creators of BloodHound | Experts in Adversary Tradecraft | Leaders in Identity Attack Path Management
Your selector is evaluated at each ingest, tagging any node matching its conditions—even future ones. It applies to Owned & Tier0 zones in BHCE or any custom zone in BHE.
Sharing an OpenGraph model? Include Tier0 Cypher selectors to make it complete. Happy Graphing!
🧵: 3/3
Sharing an OpenGraph model? Include Tier0 Cypher selectors to make it complete. Happy Graphing!
🧵: 3/3
November 7, 2025 at 7:34 PM
Your selector is evaluated at each ingest, tagging any node matching its conditions—even future ones. It applies to Owned & Tier0 zones in BHCE or any custom zone in BHE.
Sharing an OpenGraph model? Include Tier0 Cypher selectors to make it complete. Happy Graphing!
🧵: 3/3
Sharing an OpenGraph model? Include Tier0 Cypher selectors to make it complete. Happy Graphing!
🧵: 3/3
Go to the Privilege Zone page & click “Create Selector.” Name it, add a description, and set the selector type to Cypher.
Enter your Cypher query & preview nodes via “Update Sample Results.” Happy with it? Click “Save” — done!
🧵: 2/3
Enter your Cypher query & preview nodes via “Update Sample Results.” Happy with it? Click “Save” — done!
🧵: 2/3
November 7, 2025 at 7:34 PM
Go to the Privilege Zone page & click “Create Selector.” Name it, add a description, and set the selector type to Cypher.
Enter your Cypher query & preview nodes via “Update Sample Results.” Happy with it? Click “Save” — done!
🧵: 2/3
Enter your Cypher query & preview nodes via “Update Sample Results.” Happy with it? Click “Save” — done!
🧵: 2/3
Save the JSON file and upload to BloodHound via the Quick Upload and wait a couple of minutes for the data to ingest and update. Search or query for the objects with cypher (8) that you just updated and view the new property (9).
🧵 5/5
🧵 5/5
October 17, 2025 at 6:08 PM
Save the JSON file and upload to BloodHound via the Quick Upload and wait a couple of minutes for the data to ingest and update. Search or query for the objects with cypher (8) that you just updated and view the new property (9).
🧵 5/5
🧵 5/5
Using the OpenGraph schema reference, we’ll make the simplest example we can. All we need are the object SID (5), the kind of object to update (6), and the new property to add to the object (7). ghst.ly/3IQlgbb
🧵 4/5
🧵 4/5
October 17, 2025 at 6:08 PM
Using the OpenGraph schema reference, we’ll make the simplest example we can. All we need are the object SID (5), the kind of object to update (6), and the new property to add to the object (7). ghst.ly/3IQlgbb
🧵 4/5
🧵 4/5
Enumerate the objects that this policy applies to. The information we need is the object SID (3).
The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). ghst.ly/4hpdHFa
🧵 3/5
The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). ghst.ly/4hpdHFa
🧵 3/5
October 17, 2025 at 6:08 PM
Enumerate the objects that this policy applies to. The information we need is the object SID (3).
The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). ghst.ly/4hpdHFa
🧵 3/5
The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). ghst.ly/4hpdHFa
🧵 3/5
A fine grained password policy called tierZeroPasswordPolicy (1) is currently enabled in this domain and applies to the Domain Admins group (2).
🧵 2/5
🧵 2/5
October 17, 2025 at 6:08 PM
A fine grained password policy called tierZeroPasswordPolicy (1) is currently enabled in this domain and applies to the Domain Admins group (2).
🧵 2/5
🧵 2/5
Possession of that password enables authentication as the GMSA, and potentially allows for further attack paths depending on the privileges held by the GMSA.
Read more about this edge here: ghst.ly/42lMeho
🧵: 3/3
Read more about this edge here: ghst.ly/42lMeho
🧵: 3/3
ReadGMSAPassword - SpecterOps
This privilege allows you to read the password for a Group Managed Service Account (GMSA).
ghst.ly
October 3, 2025 at 8:42 PM
Possession of that password enables authentication as the GMSA, and potentially allows for further attack paths depending on the privileges held by the GMSA.
Read more about this edge here: ghst.ly/42lMeho
🧵: 3/3
Read more about this edge here: ghst.ly/42lMeho
🧵: 3/3
The ReadGMSAPassword edge indicates that a principal can request the account's current password from a Domain Controller.
🧵: 2/3
🧵: 2/3
October 3, 2025 at 8:42 PM
The ReadGMSAPassword edge indicates that a principal can request the account's current password from a Domain Controller.
🧵: 2/3
🧵: 2/3