harmj0y

Automated Derivative Administrator Search Intro Active Directory Domain escalation is an important part of most penetration tests and red team engagements. While gaining domain/enterprise administrator rights is not the end goal of an as…

10 years ago this week I published this blog post while @cptjesus.bsky.social, @harmj0y.bsky.social and I were working on what eventually became BloodHound: wald0.com?p=14

In today's #BloodHoundBasics, @sadprocessor.bsky.social
highlights a powerful new feature you might’ve missed: Cypher Selectors for Privilege Zones.

Why powerful? Unlike classic objectid selectors, Cypher selectors use complex conditions & can be created before the node exists.

🧵: 1/3

a man is writing on a whiteboard with the words it 's simple math written below him Alt: a man is writing on a whiteboard with the words it 's simple math written below him

Seattle politics nerds explaining the next week of ballot counting

PingOne Attack Paths - SpecterOps You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances.

Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...

Someone told me recently that they think the Internet is the Great Filter and I don't know how I feel right now

GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.

Lots of cool new Nemesis features merging in soon from @tifkin_ and I! Development definitely didn't stop with the 2.0 release :) github.com/SpecterOps/N...

HACK THE PLANET!

A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7) 👇

Andy Robbins: The Evolution of Bloodhound by Phillip Wylie Show About The Guest:Andy Robbins is the Principal Product Architect at SpecterOps and one of the original 13 founding members of the company. He has a background in pen testing and red teaming and is the co-creator of Bloodhound, a popular open-source tool for attack path mapping in Active Directory environments. Summary:Andy Robbins, the Principal Product Architect at SpecterOps, joins host Phillip Wylie to discuss the evolution of Bloodhound, a tool for attack path mapping in Active Directory environments. Andy shares the origin story of Bloodhound and how it was developed to solve the problem of finding attack paths in complex environments. He explains the graph theory behind Bloodhound and how it visualizes data to help practitioners and defenders understand and mitigate security risks. Andy also discusses the recent release of Bloodhound Community Edition (CE) and the improvements it brings, including faster data ingest, query times, and a friendlier user experience. He highlights the focus on practical attack primitives and abuse primitives in Bloodhound and the goal of making attack paths a non-issue for organizations. Andy concludes by sharing valuable advice for those looking to advance in the industry, emphasizing the importance of understanding and solving real problems and being loyal to people rather than companies. Key Takeaways: Bloodhound is a tool for attack path mapping in Active Directory environments, using graph theory to visualize data and identify security risks. Bloodhound Community Edition (CE) brings improvements such as faster data ingest, query times, and a friendlier user experience. Bloodhound focuses on practical attack primitives and abuse primitives to solve real security problems and make attack paths a non-issue for organizations. Quotes: "If we give people an excellent experience for free, then enough of those people will choose to become paying customers that we have a viable business." - Andy Robbins "The industry as a whole is very young, but the capability of visualizing data problems and data security problems in this way is also relatively brand new." - Andy Robbins "We focus on attack paths or risk that emerges out of a combination of the mechanics of a system, the configurations of that system, and the behaviors of users or identities in that system." - Andy Robbins Socials and Resources: https://twitter.com/_wald0 https://twitter.com/SpecterOps https://specterops.io/ https://bloodhoundenterprise.io/ https://github.com/SpecterOps/BloodHound

Andy Robbins: The Evolution of Bloodhound podcasters.spotify.c...

GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.

Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...

Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...

I publish two blog posts today! 📝🐫

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read 🥳

#PSConfEU 2026

Sean Metcalf: Active Directory Security by Phillip Wylie Show Summary   In this episode of the Phillip Wylie Show, Sean Metcalf, an expert in Active Directory security, discusses his journey into cybersecurity, the evolution of Active Directory and Azure AD, and the common mistakes organizations make in cloud security. He emphasizes the importance of security assessments over penetration testing and shares insights into Trimarc's unique approach to security assessments. Sean also highlights the significance of scripting in security roles and discusses the future of Active Directory in hybrid environments. The episode concludes with information about Trimarc's new product, Trimarc Vision, aimed at enhancing Active Directory security.   Takeaways   Sean Metcalf has assessed environments with up to 960,000 users. Active Directory security is often overlooked in organizations. Many organizations are making the same security mistakes in the cloud as they did on-premises. Security assessments are crucial for identifying potential vulnerabilities. Trimarc uses proprietary tools for in-depth security assessments. Scripting knowledge, especially in PowerShell, is beneficial for security professionals. Active Directory is not going away anytime soon due to legacy applications. Organizations should conduct security assessments every couple of years. Trimarc's assessments provide actionable insights for improving security. The new Trimarc Vision product aims to enhance Active Directory security monitoring.   Sound Bites   "It's been quite a year." "I saw something change in the URL." "We're the identity experts."   Chapters   00:00 Introduction to Active Directory Security 03:33 Sean Metcalf's Hacker Origin Story 06:20 The Evolution of Active Directory and Azure AD 09:31 The Importance of Specialization in Cybersecurity 12:30 Active Directory Security Challenges 15:39 The Role of Security Assessments 18:26 Comparing Trimarc and Bloodhound 20:56 Understanding Active Directory Security Assessments 22:35 Getting Started in Active Directory Security 25:30 The Importance of Scripting in Security 34:43 The Hybrid Environment: On-Prem vs Cloud 37:23 Trimarc's Unique Services and Assessments 40:17 Frequency of Active Directory Assessments 42:21 Introducing Trimarc Vision   Resources https://www.linkedin.com/in/seanmmetcalf/ https://x.com/PyroTek3 https://www.linkedin.com/company/trimarcsecurity/ https://x.com/TrimarcSecurity https://www.trimarcsecurity.com/ https://adsecurity.org/    

Sean Metcalf: Active Directory Security podcasters.spotify.c...

Sentiment analysis models are used to assess conventional use of language, but what happens when you engage with them using l33tspeak?

@atomicchonk.bsky.social digs into what happens if we employ this in adversarial text attacks against AI models.

Read more 👉 ghst.ly/4kW2D37

Ghostwriter v6: Introducing Collaborative Editing - SpecterOps Ghostwriter now supports real-time collaborative editing for observations, findings, and report fields using the YJS framework, Tiptap editor, and Hocuspocus server, enabling multiple users to edit si...

Ghostwriter v6's new collaborative editing feature is 🔥

Alex Parrill & @printingprops.com discuss the new real-time collaborative editing for observations, findings, & report fields, enabling multiple users to edit simultaneously without overwriting each other. ghst.ly/4jVqdvG

Tokenization Confusion - SpecterOps Meta's Prompt Guard 2 aims to prevent prompt injection. This post looks at how much knowledge of ML we need to be effective at testing these LLM WAFs.

🚨 New blog post alert!

@xpnsec.com drops knowledge on LLM security w/ his latest post showing how attackers can by pass LLM WAFs by confusing the tokenization process to smuggle tokens to back-end LLMs.

Read more: ghst.ly/4koUJiz

Even well-resourced orgs remain vulnerable to NTLM relay attacks. Join @tifkin.bsky.social, @harmj0y.bsky.social, & @cptjesus.bsky.social for our upcoming webinar as they discuss their research into modeling these attacks within BloodHound.

Register today! ➡️ ghst.ly/ntlm-web-bsky

Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31

In our latest blog post, @xpnsec.com breaks down how SQL Server Transparent Data Encryption works, shares new methods for brute-forcing database encryption keys, & reveals a default key used by ManageEngine's ADSelfService product backups.

Read more 👉 ghst.ly/4iXFTyF

If you missed the session on NTLM at #SOCON2025, you're in luck! Join @tifkin.bsky.social, @cptjesus.bsky.social, and @harmj0y.bsky.social on April 17 for a webinar discussing their research into modeling NTLM relay attacks within BloodHound.

Register today! ➡️ ghst.ly/ntlm-web

It’s time! #SOCON2025 is kicking off now. 🥳

Grab your badge & t-shirt and join your fellow conference attendees for breakfast. Follow along here for today’s schedule of events & use our hashtag to share your own updates!

Do You Own Your Permissions, or Do Your Permissions Own You? - SpecterOps tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges Before we get started, if you’d prefer to listen to a 10-minute presentation instead of or to supplement reading this pos...

Accurately see what permissions are exploitable in your AD environment. Chris Thompson discusses a recent update in BloodHound that shows fewer false positives for Owns/WriteOwner edges, & introduces the new Owns/WriteOwnerLimitedRights edges.

Read more: ghst.ly/3QORQdF

Some of my starts, continued by Fortra, hit a milestone recently. They reduced non-attrib CS servers world-wide by 80% over 2 years

www.cobaltstrike.com/blog/update-...

LONG road. I partnered with Microsoft. 2018. I had TI process to track non-attrib CS servers. 2019. Fortra's novel lawfare. 2022

Decrypting the Forest From the Trees - SpecterOps TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...

#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.

Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp

Kerberoasting w/o the TGS-REQ Kerberoasting is a technique that allows an attacker to extract the encrypted part of a TGS-REP and brute force it offline to recover the plaintext password of the associated service account. The most...

[BLOG]
I had a series in mind like "Rubeus' Hidden Secrets" or something like that. Basically, highlighting features of the tool that seem less well known. I'm starting off with a basic one for getting crackable hashes from cached service tickets.

rastamouse.me/kerberoastin...

SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a…

SlackPirate sets sail again! 🏴‍☠️

In his latest blog post, Dan Mayer intros his new PR to SlackPirate that lets you loot Slack again out of the box, a BOF to get you all the data you need to do it, & how to bee the most active slacker in your group chat. 🐝 ghst.ly/4hgwMIt

Entra Connect Attacker Tradecraft: Part 2 Now that we know how to add credentials to an on-premises user, lets pose a question:

Part 2 of @hotnops.bsky.social's blog series on Entra Connect attacker tradecraft has dropped! 🙌 Check out this installment to learn more fundamentals of the Entra sync engine & how to interpret the sync rules. ghst.ly/3WqAQO4

Introducing BloodHound CLI We created a new tool to help you install and manage BloodHound instances, BloodHound CLI!

Introducing a new tool designed to help you install & manage BloodHound instances...🥁 BloodHound CLI!

Check out @printingprops.com's blog post to learn how this tool dramatically simplifies installation and server management. ghst.ly/40zXAxI

Intune Attack Paths — Part 1 Intune is an attractive system for adversaries to target…

In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...