Andy Robbins
@andyrobbins.bsky.social
620 followers 130 following 25 posts
aka wald0
Reposted by Andy Robbins
@reconmtl.bsky.social has uploaded the majority of the 2025 talks, including my talk on LSA. You can check it out at the below link if you'd like.

Thank you again to the organizers and everyone else who helps put on the conference. I look forward to coming back!
youtu.be/G2CfMWXLU1U?...
Recon 2025 - The Finer Details of LSA Credential Recovery
YouTube video by Recon Conference
youtu.be
Reposted by Andy Robbins
Check out my new blog diving deeper into BroCI.
Microsoft introduced nested application auth (NAA) in 2024. Researchers spotted FOCI similarities & dubbed it brokered client IDs (BroCI).

@1cemoon.bsky.social documents NAA flows and BroCI—filling a gap for research on Microsoft identity protocols. ghst.ly/3Jdhp7Z
NAA or BroCI...? Let Me Explain - SpecterOps
This writeup is a summary of knowledge and resources for nested application authentication (NAA) and brokered client IDs (BroCI)
ghst.ly
I'd also love to add calls to native Win32 APIs to this graph, the on-disk binaries themselves and the permissions against them, COM object instantiation/calling, etc.

At that point I see this graph being capable of assisting with the discovery of currently unknown "lolbin" primitives.
This obviously does not guarantee that a function called from one of these binaries will land at a function in kernel32.dll. I'd love to map cross-binary function call graphs. Not sure whether there is an easy solution to that.
A little OpenGraph POC for mapping PE header imports of all .dll and .exe files in a fresh Windows install. These are all the binaries that have some kind of import chain leading to kernel32.dll
This is the kind of research that should invite serious conversation about the trustworthiness of cloud authentication services.

It won't. But it should.
Reposted by Andy Robbins
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
Reposted by Andy Robbins
Adalanche search works way better now - it uses BFS rather than DFS, which gave unnecessarily long paths at times. This is available in the latest commit on GitHub.

There might be bugs with the new search - let me know if you see any strangeness. Happy hunting :-)
Reposted by Andy Robbins
We've got a fresh #BloodHoundBasics post from @jonas-bk.bsky.social!

Ever wondered about those obscure AD special identity groups that quietly grant permissions to every principal in your environment?

With BloodHound, you can uncover compromising permissions tied to these groups.

🧵: 1/2
Reposted by Andy Robbins
From November 2016:

This is how I used to design BloodHound's entity panels. Just a text editor to list out what I as a red-teamer wanted to see, with the corresponding (then new) cypher queries listed as well.

Simple, VERY low-fidelity mockup, but really helped during the design phase.
🚨 New #BloodHound shirt alert 🚨

✅ - Unisex adult/child and ladies sizes available
✅ - Cool design :)
✅ - ALL profits go to charity

This time we are supporting Hope for HIE, which supports families suffering the effects of hypoxic ischemic encephalopathy.

Get your shirt here: ghst.ly/bh8-tshirt
BloodHound 8.0 T-Shirt Fundraiser, Supporting Hope for HIE
Hope for HIE is the global voice for families affected by Hypoxic Ischemic Encephalopathy. As the world’s largest HIE support network, Hope for HIE offers personalized resources, education, and a deep...
ghst.ly
Such a fantastic find and the ideal outcome. Amazing work, Katie.
Reposted by Andy Robbins
Check out my new blog on nested app authentication.
Why should Microsoft's Nested App Authentication (NAA) be on your security team's radar? @1cemoon.bsky.social breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication. ghst.ly/45h2Zw3
Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication - SpecterOps
In depth walkthrough for using nested app authentication (NAA), or BroCI, for offensive engagements to access information and resources.
ghst.ly
Gonna tell my kids this is the eras tour
Reposted by Andy Robbins
Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍

Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA
What’s Your Secret?: Secret Scanning by DeepPass2 - SpecterOps
Discover DeepPass2 - a secret scanning tool combining BERT-based model and LLMs to detect free-form passwords, and other structured tokens and secrets with high accuracy.
ghst.ly
Reposted by Andy Robbins
Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
ghst.ly
Reposted by Andy Robbins
BloodHound v8.0 is here! 🎉

This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.

Read more from Justin Kohler: ghst.ly/bloodhoundv8

🧵: 1/7
Reposted by Andy Robbins
Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...
GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline
An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.
github.com
Reposted by Andy Robbins
So you've compromised a host that isn’t cloud-joined. Antero Guy breaks down how to request OAuth tokens & enumerate an Entra ID tenant by using an SSO cookie from a non-cloud-joined device.

Read more: ghst.ly/445tQKL
Requesting Entra ID Tokens with Entra ID SSO Cookies - SpecterOps
Learn how to use a browser SSO cookie to request Entra ID OAuth tokens and enumerate a target tenant. This technique is useful when a device is not joined to an Entra ID tenant.
ghst.ly