SpecterOps
@specterops.io
Creators of BloodHound | Experts in Adversary Tradecraft | Leaders in Identity Attack Path Management
Pinned
We’re excited to announce Kevin Mandia as the keynote speaker for #SOCON2026! 🎉

His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.

Secure your spot ➡️ ghst.ly/socon26-bsky
Take this basic JSON sample to help you test it quickly. ⬇️

Additional documentation can be found here: ghst.ly/4qXGB2C

🧵: 2/2
January 16, 2026 at 9:11 PM
Friday = #BloodHoundBasics w/ Nathan Davis!

Did you know that you can set the source type for ingested data with OpenGraph? This allows you to search using a custom object type to return all ingested nodes, as well as delete selectively from your BH instance.

🧵: 1/2
January 16, 2026 at 9:11 PM
Great detections start by understanding what your telemetry doesn’t show.

Tradecraft Analysis at #SOCON2026 breaks down Windows attack techniques, telemetry layers, and the gaps where detections fail.

Join in-person & get a free conference pass 👉 ghst.ly/socon26-regb...
January 15, 2026 at 10:08 PM
SCCM admins: review your roles.
MSSQL admins: review ALTER ANY LOGIN exposure.

Chris Thompson details CVE-2025-47179 & CVE-2025-49758 and how these escalations can be identified through graph analysis.

Check out his blog post for more! ghst.ly/3YDyw7d
MSSQL and SCCM Elevation of Privilege Vulnerabilities - SpecterOps
While researching the MSSQL and SCCM permission models to build MSSQLHound and ConfigManBearPig, PowerShell scripts that collect information for the BloodHound attack path management software, I found permissions that allowed elevation of privileges to the MSSQL sysadmin server role and the SCCM Full Administrator security role.
January 15, 2026 at 7:53 PM
SCCM client push strikes again for hierarchy takeover!

@logangoins.bsky.social just dropped a new blog showing how WebClient doesn't need to be already running on site servers to coerce HTTP (WebDav) auth & enable NTLM relay to LDAP for SCCM takeover

Read more: ghst.ly/3Z9Gbu6
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP - SpecterOps
During automatic client push installation, an SCCM site server automatically attempts to map WebDav shares on clients, starting WebClient when installed.
January 14, 2026 at 9:38 PM
SCCM attack paths are messy until you can see them. 👀

ConfigManBearPig from Chris Thompson extends BloodHound with SCCM nodes + edges using OpenGraph, plus queries to surface hierarchy takeovers and escalation paths.

Check it out: ghst.ly/45FCP5G
Introducing ConfigManBearPig, a BloodHound OpenGraph Collector for SCCM - SpecterOps
ConfigManBearPig is a standalone PowerShell collector that adds new SCCM attack path nodes and edges to BloodHound using OpenGraph.
January 13, 2026 at 6:08 PM
Ghostwriter v6.1 includes a full-featured integration w/ BloodHound Community Edition & Enterprise.

Next week, Christopher Maddalena & Stephen Hinck will discuss the integration, improved collab tools, & what the release means for assessment workflows.

Register ➡️ ghst.ly/jan26-web-bsky
January 13, 2026 at 12:15 AM
It's #BloodHoundBasics day w/ @jonas-bk.bsky.social!

Want to connect w/ other BloodHound users, or the folks building BloodHound?

Join the community Slack 👉 slack.specterops.io

Dedicated channels for:
• Active Directory
• Red Teaming
• SCCM
• Detection
...and more

Come hang with us!
January 9, 2026 at 9:43 PM
ICYMI: Jared Atkinson recently joined Risky Biz to unpack how BloodHound OpenGraph exposes cross-platform identity attack paths, showing how misconfigurations and permissions chain together across directories, SaaS, & cloud services.

🎧: ghst.ly/4aSxrPY
January 7, 2026 at 2:33 PM
Learn more about BloodHound's "Owns" edge:
➡️ ghst.ly/4b99GmV
➡️ ghst.ly/4sffX6P

🧵: 4/4
December 26, 2025 at 7:00 PM
BloodHound Cypher query used:

MATCH p=(g:Base)-[:Owns|OwnsLimitedRights]->(:Base)
WHERE NOT g.objectid =~ "-(512|519|544)"
RETURN p
LIMIT 1000

🧵: 3/4
December 26, 2025 at 7:00 PM
You can find unexpected owners with BloodHound's "Owns" edge, for example:

➡️ Domain join (ex. SCCM) service account
➡️ Past admin accounts
➡️ Intune connector service accounts

🧵: 2/4
December 26, 2025 at 7:00 PM
A very merry #BloodHoundBasics, courtesy of @martinsohn.dk!

In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.

🧵: 1/4
December 26, 2025 at 7:00 PM
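
The ownership check from the "Owns" thread above, run read-only against Active Directory itself, as an added example that is not part of the original posts or of BloodHound. It assumes the RSAT ActiveDirectory module and an account that can read security descriptors; the helper name Resolve-SidName and the LDAP filter are choices made for this illustration.

```powershell
# Added example: list object owners other than the RIDs the thread's query excludes.
Import-Module ActiveDirectory

# 512 = Domain Admins, 519 = Enterprise Admins, 544 = BUILTIN\Administrators
$expectedOwner = '-(512|519|544)$'

# Hypothetical helper: turn a SID into DOMAIN\name, tolerating deleted principals.
function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { '<unresolved, possibly deleted account>' }
}

# Users, computers and groups (objectCategory=person also returns contacts).
$filter = '(|(objectCategory=person)(objectCategory=computer)(objectCategory=group))'

$unexpected = Get-ADObject -LDAPFilter $filter -Properties nTSecurityDescriptor |
    ForEach-Object {
        # Skip objects whose security descriptor could not be read.
        if (-not $_.nTSecurityDescriptor) { return }
        $ownerSid = $_.nTSecurityDescriptor.GetOwner(
            [System.Security.Principal.SecurityIdentifier])
        if ($ownerSid -and $ownerSid.Value -notmatch $expectedOwner) {
            [pscustomobject]@{
                OwnerSid = $ownerSid.Value
                Object   = $_.DistinguishedName
                Class    = $_.ObjectClass
            }
        }
    }

# One row per owner, owners of the most objects first, with a few sample objects.
$unexpected | Group-Object OwnerSid | Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Owner   = Resolve-SidName ([System.Security.Principal.SecurityIdentifier]$_.Name)
            Sid     = $_.Name
            Objects = $_.Count
            Sample  = ($_.Group | Select-Object -First 3).Object -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```

Owners that resolve to domain-join service accounts, former admin accounts or connector accounts are the cases the thread calls out for review.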
We’re closing out 2025 and looking forward to what’s next.

Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.

Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
December 24, 2025 at 2:19 AM
“Deception is a good lie.”

When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
Mapping Deception with BloodHound OpenGraph - SpecterOps
Explore how to design and visualize high-fidelity cyber deception using BloodHound OpenGraph to map realistic attack paths across Active Directory and third-party technologies. Learn practical techniques, tools, and real-world examples for deploying believable deceptions that improve detection, context, and defender advantage.
December 23, 2025 at 10:07 PM
Credential Guard was meant to end credential dumping. Nearly a decade later, Valdemar Carøe tested what’s actually possible.

Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.

➡️ ghst.ly/cred-eoybsky
December 22, 2025 at 7:54 PM
Have questions or feedback on these, or any of our other open source projects?

Join the BloodHound Gang Slack Community and chat directly with the creators: slack.specterops.io

🧵: 5/5
December 19, 2025 at 10:35 PM
Want to see Ghostwriter v6.1 in action?

Join @printingprops.com & Stephen Hinck in the new year for our webinar on how teams can quickly configure and consume BloodHound data, and how v6.1’s collaboration enhancements streamline assessment writing.

👉 ghst.ly/jan26-web-bsky

🧵: 4/5
December 19, 2025 at 10:35 PM
We also continued applying community feedback to evolve Ghostwriter.

Ghostwriter v6.1 includes full BloodHound integration & powerful collaboration features designed for real-world team workflows.

@printingprops.com shared the deets 👉 ghst.ly/ghst61-eoybsky

🧵: 3/5
December 19, 2025 at 10:35 PM
This year, we released two Mythic video series, hosted by @its-a-feature.bsky.social, to share tips, tricks, and features with operators and developers.

🧠 Mythic Operator Series: ghst.ly/mythic-op
🛠️ Mythic for Developers: ghst.ly/mythic-dev

🧵: 2/5
December 19, 2025 at 10:35 PM
Open source and shared research remain at the core of what we do.

In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.

🧵: 1/5
December 19, 2025 at 10:35 PM
Happy #BloodHoundBasics day from Stephen Hinck & the entire SpecterOps team! 🎄

🧵: 2/2
December 19, 2025 at 9:04 PM
On Christmas Eve at SpecterOps HQ,
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.

🧵: 1/2
December 19, 2025 at 9:04 PM
Released earlier this year, Certify 2.0 modernizes AD CS tradecraft with new capabilities and usability improvements, reflecting how much the attack landscape has changed since 1.0.

Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
December 18, 2025 at 10:08 PM
ICYMI: Our new Mythic for Developers series, hosted by @its-a-feature.bsky.social, dives into tips & tricks for creating or customizing agents and anything else related to Mythic C2.

👀 Check it out: ghst.ly/mythic-dev
December 18, 2025 at 5:55 PM