SpecterOps
@specterops.io
1.1K followers 61 following 390 posts
Creators of BloodHound | Experts in Adversary Tradecraft | Leaders in Identity Attack Path Management
Pinned
The only conference dedicated to Attack Path Management is back!

3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy.

🎟️ Save 25% with early bird: specterops.io/so-con
Reposted by SpecterOps
@reconmtl.bsky.social has uploaded the majority of the 2025 talks, including my talk on LSA. You can check it out at the below link if you'd like.

Thank you again to the organizers and everyone else who helps put on the conference. I look forward to coming back!
youtu.be/G2CfMWXLU1U?...
Recon 2025 - The Finer Details of LSA Credential Recovery
YouTube video by Recon Conference
Think you understand how LLMs work? You might be surprised. 😳

In his latest blog post, @blaisebrignac.bsky.social explains the history, challenges, and attack primitives that make securing AI systems such an extreme challenge.

Read more: ghst.ly/497pxl0
A Gentle Crash Course to LLMs - SpecterOps
This is a crash course on the evolution of Machine Learning and modern AI, Large Language Models, and the security implications that come with them.
Microsoft introduced nested application auth (NAA) in 2024. Researchers spotted FOCI similarities & dubbed it brokered client IDs (BroCI).

@1cemoon.bsky.social documents NAA flows and BroCI—filling a gap for research on Microsoft identity protocols. ghst.ly/3Jdhp7Z
NAA or BroCI...? Let Me Explain - SpecterOps
This writeup is a summary of knowledge and resources for nested application authentication (NAA) and brokered client IDs (BroCI)
Celebrating #BloodHoundBasics day w/ Nathan Davis!

DYK: Risk calculation in BHE findings can be based on different values—some use Exposure (inbound control), others Impact (outbound). Hover over a finding in the Attack Paths page to see which applies.
The CFP for #SOCON2026 is OPEN! 🙌

Have you been working on something interesting in Attack Path Management or identity-first defense? Join us in Arlington, VA (April 13–14) and share your work with the community.

Submit your talk by Nov. 15 → ghst.ly/socon26-cfp
Your strongest platform is only as secure as its weakest dependency. And you probably don't know what those are.

Jared Atkinson dives into the Clean Source Principle, hidden trust relationships, & why BloodHound OpenGraph changes the game. ghst.ly/4pYTtFU
The Clean Source Principle and the Future of Identity Security - SpecterOps
TL;DR Modern identity systems are deeply interconnected, and every weak dependency creates an attack path — no matter how strong any single platform appears. The Clean Source Principle and BloodHound ...
It's another #BloodHoundBasics day with @andyrobbins.bsky.social!

Today we are highlighting the ReadGMSAPassword edge.

A GMSA is an Active Directory object. GMSA stands for Group-Managed Service Account - a great solution from Microsoft that we recommend organizations use!

🧵: 1/3
The ReadGMSAPassword edge indicates that a principal can request the account's current password from a Domain Controller.

🧵: 2/3
Possession of that password enables authentication as the GMSA, and potentially allows for further attack paths depending on the privileges held by the GMSA.

Read more about this edge here: ghst.ly/42lMeho

🧵: 3/3
ReadGMSAPassword - SpecterOps
This privilege allows you to read the password for a Group Managed Service Account (GMSA).
Red teams slip past detection. Defenders adapt. The cycle continues. 🔄

John Wotton's latest on AI gated loaders shows how offensive operators are using LLMs to make shellcode execution context-aware, executing only when OPSEC policies are met. ghst.ly/4nvxsgh
AI Gated Loader: Teaching Code to Decide Before It Acts - SpecterOps
My eyes and ears when I cannot be there, AI gated loaders inspect the victim machine and wait for the right moment to execute.
Lateral movement getting blocked by traditional methods?

@werdhaihai.bsky.social just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG
DCOM Again: Installing Trouble - SpecterOps
DCOM lateral movement BOF using Windows Installer (MSI) Custom Action Server - install ODBC drivers to load and execute DLLs
Happy #BloodHoundBasics Day from @scoubi.bsky.social!

By now, you've probably heard about our Query Library. But did you know you can run any query in your own instance of BHE/BHCE and then save the query to your Personal Library?

Follow the steps threaded below!

🧵: 1/5
1️⃣ Head to queries.specterops.io
2️⃣ Click on Run Query

🧵: 2/5
3️⃣ Enter your instance's URL
4️⃣ Click on Play/Your URL

🧵: 3/5
5️⃣ Your instance of BH will open and the query will run automatically. You can now click on Save.

🧵: 4/5
6️⃣ Give the query a Name (and a description if you want) and click Save.

🧵: 5/5
It's time to change how you think about SaaS integrations.

The Salesloft attack shows how GitHub → AWS → Drift → Salesforce created an attack highway defenders never saw coming.

Jared Atkinson's analysis details the patterns we should look out for. ghst.ly/4ngDQrD
The Salesloft–Drift Breach: An Attack Path Case Study - SpecterOps
This post analyzes the Salesloft–Drift incident through an attack path lens, showing how violations of the clean source principle, identities in transit, and hidden hybrid paths combined to turn a sin...
Learn to detect adversary TTPs through behavioral analysis, not just malware signatures. Our Detection course at Specter Bash teaches you to engineer detections based on attacker tactics and techniques.

Register & save your spot ➡️ ghst.ly/specter-bash-2025
🎙️ NEW PODCAST: #KnowYourAdversary

Jared Atkinson & Justin Kohler explore identity security from the attacker's perspective. Real stories, real tactics, real insights.

Check out our first three episodes now 👉 ghst.ly/kya-podcast
First, some background: the customer has a portal where managers can reset passwords of their subordinates. In Active Directory, a subordinate's 'Manager' attribute is populated with the manager's 'DistinguishedName' attribute.

🧵 2/6
We create this attack graph model in arrows.app

@andyrobbins.bsky.social has written extensively about model design: ghst.ly/46tAkmO

A shorter version is in the BloodHound OpenGraph docs: ghst.ly/48vo0EW

🧵 3/6
Vibe-coding a collector (ManagerOfHound.ps1) that will:

✅ Get User objects with managers
✅ Get the manager User objects
✅ Create an OpenGraph JSON structure with the ManagerOf edge

🧵 4/6
The JSON can then be ingested by BloodHound CE & Enterprise. Security teams can now search for organization-specific attack paths involving ManagerOf, for example, validating that no subordinate is a higher tier than their manager.

🧵 5/6
Which organization-specific attack paths exist in your infrastructure? Are you assessing risk w/ them in mind?

ManagerOfHound.ps1 is open-source on GitHub: ghst.ly/46A5usH

Discover more BloodHound OpenGraph extensions: ghst.ly/4mt0r34

🧵 6/6