Andy Robbins

@andyrobbins.bsky.social

aka wald0

608 Followers  |  127 Following  |  18 Posts  |  Joined: 23.10.2023  |  1.5429

Latest posts by andyrobbins.bsky.social on Bluesky

Gonna tell my kids this is the eras tour

04.08.2025 14:35 — 👍 0    🔁 0    💬 0    📌 0

Attack Graph Model Design Requirements and Examples - SpecterOps TL;DR OpenGraph makes it easy to add new nodes and edges into BloodHound, but doesn't design your data model for you. This blog post has everything you need to get started with proper attack graph mod...

In this blog post I explain the fundamental building blocks, vocabulary, and principles of attack graph design for BloodHound: specterops.io/blog/2025/08...

01.08.2025 16:21 — 👍 4    🔁 0    💬 0    📌 1

Drive safe

01.08.2025 01:22 — 👍 1    🔁 0    💬 0    📌 0

What's Your Secret?: Secret Scanning by DeepPass2 - SpecterOps Discover DeepPass2 - a secret scanning tool combining BERT-based model and LLMs to detect free-form passwords, and other structured tokens and secrets with high accuracy.

Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍

Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA

31.07.2025 17:36 — 👍 12    🔁 4    💬 0    📌 1

Entra Connect Attacker Tradecraft: Part 3 - SpecterOps How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains

Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9

30.07.2025 17:01 — 👍 9    🔁 6    💬 1    📌 0

@egyp7.bsky.social Hey dude ✌️

30.07.2025 01:37 — 👍 0    🔁 0    💬 1    📌 0

BloodHound v8.0 is here! 🎉

This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.

Read more from Justin Kohler: ghst.ly/bloodhoundv8

🧵: 1/7

29.07.2025 13:13 — 👍 13    🔁 10    💬 1    📌 1

Great minds

21.07.2025 18:42 — 👍 0    🔁 0    💬 0    📌 0

GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.

Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...

28.06.2025 04:14 — 👍 11    🔁 7    💬 0    📌 0

Requesting Entra ID Tokens with Entra ID SSO Cookies - SpecterOps Learn how to use a browser SSO cookie to request Entra ID OAuth tokens and enumerate a target tenant. This technique is useful when a device is not joined to an Entra ID tenant.

So you've compromised a host that isn't cloud-joined. Antero Guy breaks down how to request OAuth tokens & enumerate an Entra ID tenant by using an SSO cookie from a non cloud-joined device.

Read more: ghst.ly/445tQKL

27.06.2025 20:31 — 👍 7    🔁 1    💬 0    📌 0

Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...

I publish two blog posts today! 📝

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read 🥳

25.06.2025 10:14 — 👍 18    🔁 11    💬 0    📌 1

fwd:cloudsec 2025 Speaker Bios & Abstracts | fwd:cloudsec fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security...

🕵️‍♀️ I'll be presenting "I SPy: Rethinking Entra ID research for new paths to Global Admin" at fwd:cloudsec June 30-July 1, alongside some fantastic other speakers: fwdcloudsec.org/conference/n...

If you can't make it, talks are streamed at: www.youtube.com/@fwdcloudsec

17.06.2025 12:54 — 👍 5    🔁 1    💬 0    📌 0

Update: Dumping Entra Connect Sync Credentials Recently, Microsoft changed the way the Entra Connect Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials…

New tricks, same impact
posts.specterops.io/update-dumpi...

09.06.2025 18:21 — 👍 6    🔁 7    💬 0    📌 0

Update: Dumping Entra Connect Sync Credentials - SpecterOps Recently, Microsoft changed the way the Entra Connect Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials; h...

Recently, Microsoft changed the way the Entra Connect Sync agent authenticates to Entra ID.

Check out our latest blog post from @hotnops.bsky.social to learn how the agent works now & how these changes affect attacker tradecraft. ghst.ly/3ZpMc6y

10.06.2025 19:09 — 👍 9    🔁 4    💬 0    📌 0

🚨 New #BloodHoundBasics courtesy of @scoubi.bsky.social!

You've successfully compromised Bob in marketing's account in an engagement. Mark it as Owned by right-clicking ➡️ "Add to Owned" ➡️ run the query "Shortest Paths from Owned objects to Tier Zero" & see your new attack paths!

(1/2)

30.05.2025 18:06 — 👍 4    🔁 2    💬 1    📌 0

Andy Robbins: The Evolution of Bloodhound by Phillip Wylie Show

About The Guest: Andy Robbins is the Principal Product Architect at SpecterOps and one of the original 13 founding members of the company. He has a background in pen testing and red teaming and is the co-creator of Bloodhound, a popular open-source tool for attack path mapping in Active Directory environments.

Summary: Andy Robbins, the Principal Product Architect at SpecterOps, joins host Phillip Wylie to discuss the evolution of Bloodhound, a tool for attack path mapping in Active Directory environments. Andy shares the origin story of Bloodhound and how it was developed to solve the problem of finding attack paths in complex environments. He explains the graph theory behind Bloodhound and how it visualizes data to help practitioners and defenders understand and mitigate security risks. Andy also discusses the recent release of Bloodhound Community Edition (CE) and the improvements it brings, including faster data ingest, query times, and a friendlier user experience. He highlights the focus on practical attack primitives and abuse primitives in Bloodhound and the goal of making attack paths a non-issue for organizations. Andy concludes by sharing valuable advice for those looking to advance in the industry, emphasizing the importance of understanding and solving real problems and being loyal to people rather than companies.

Key Takeaways:
Bloodhound is a tool for attack path mapping in Active Directory environments, using graph theory to visualize data and identify security risks.
Bloodhound Community Edition (CE) brings improvements such as faster data ingest, query times, and a friendlier user experience.
Bloodhound focuses on practical attack primitives and abuse primitives to solve real security problems and make attack paths a non-issue for organizations.

Quotes:
"If we give people an excellent experience for free, then enough of those people will choose to become paying customers that we have a viable business." - Andy Robbins
"The industry as a whole is very young, but the capability of visualizing data problems and data security problems in this way is also relatively brand new." - Andy Robbins
"We focus on attack paths or risk that emerges out of a combination of the mechanics of a system, the configurations of that system, and the behaviors of users or identities in that system." - Andy Robbins

Socials and Resources:
https://twitter.com/_wald0
https://twitter.com/SpecterOps
https://specterops.io/
https://bloodhoundenterprise.io/
https://github.com/SpecterOps/BloodHound

Andy Robbins: The Evolution of Bloodhound podcasters.spotify.c...

27.05.2025 23:48 — 👍 7    🔁 3    💬 0    📌 0

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH '-516' WITH COLLECT(c1.name) AS dcs MATCH (c2:Computer) WHERE c2.enabled = true AND (c2.operatingsystem contains '2025') AND (c2.name IN dcs) RETURN c2.name

If this query hits, you're DA: www.akamai.com/blog/securit...

21.05.2025 18:13 — 👍 4    🔁 2    💬 0    📌 0

This is why "y'all" is the best word. Friendly. Inclusive. Down-to-earth.

19.04.2025 19:39 — 👍 1    🔁 0    💬 0    📌 0

It's #BloodHoundBasics day!

Let's talk Tier 0 inheritance. If you're trying to unravel why some of the objects in your environment show up as Tier 0, this query will demonstrate the nuances of inheritance in 2 ways: inheritance up w/ OUs, & inheritance down w/ Groups.

🧵 1/3

18.04.2025 17:50 — 👍 5    🔁 2    💬 1    📌 0

hi

18.04.2025 16:07 — 👍 2    🔁 0    💬 0    📌 0

"NTLM better stand for Nice Treats to be Licked by Me"

14.04.2025 23:24 — 👍 4    🔁 0    💬 0    📌 0

We are BACK with another #BloodHoundBasics post, this week courtesy of @andyrobbins.bsky.social.

ICYMI: The BloodHound BACK button is BACK. Just use your browser's BACK button to go BACK. 🔙

11.04.2025 18:53 — 👍 10    🔁 2    💬 1    📌 0

There are trans Americans right now looking out at this world and wondering if anyone is going to stand up for them and for their simple right to exist.

Well, I am. We are. We will.

31.03.2025 16:16 — 👍 16983    🔁 3507    💬 284    📌 275

Excited to be at @specterops.bsky.social SO-CON this week!! If you're around, I'll be presenting "Abusing AUs, Confusing the SOC" tomorrow bright & early:

31.03.2025 14:39 — 👍 15    🔁 7    💬 1    📌 0

👀

28.02.2025 01:03 — 👍 1    🔁 0    💬 1    📌 0

Introducing BloodHound CLI We created a new tool to help you install and manage BloodHound instances, BloodHound CLI!

Introducing a new tool designed to help you install & manage BloodHound instances...🥁 BloodHound CLI!

Check out @printingprops.com's blog post to learn how this tool dramatically simplifies installation and server management. ghst.ly/40zXAxI

17.01.2025 16:33 — 👍 12    🔁 4    💬 0    📌 0

Thank you!

15.01.2025 21:15 — 👍 0    🔁 0    💬 0    📌 0

Karl Madden (www.linkedin.com/in/karl-m-93...)
Corné de Jong (www.linkedin.com/in/corn%C3%A...)
Dr. Nestori Syynimaa (x.com/DrAzureAD)
Rudy Ooms (x.com/Mister_MDM)

15.01.2025 17:48 — 👍 4    🔁 0    💬 0    📌 0

With thanks and acknowledgement to:

Chris Thompson (x.com/_Mayyhem)
Dirk-jan Mollema (@dirkjanm.io)
Adam Chester (@xpnsec.com)
Brett Hawkins (@h4wkst3r.bsky.social)
Thibault Van Geluwe de Berlaere (www.linkedin.com/in/thibault-...)

(continues)

15.01.2025 17:48 — 👍 6    🔁 0    💬 1    📌 0

Intune Attack Paths — Part 1 Intune is an attractive system for adversaries to target…

In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...

15.01.2025 17:33 — 👍 41    🔁 19    💬 2    📌 0
