A relatively unknown but particularly stealthy technique to hide files on Linux hosts. On unhardened boxes, unprivileged users can conceal files from even the root user. Disk content remains in memory, hindering disk acquisition during forensic investigation. (1/7)
13.07.2025 07:39
Andy Robbins: The Evolution of Bloodhound by Phillip Wylie Show
About The Guest: Andy Robbins is the Principal Product Architect at SpecterOps and one of the original 13 founding members of the company. He has a background in pen testing and red teaming and is the co-creator of Bloodhound, a popular open-source tool for attack path mapping in Active Directory environments.
Summary: Andy Robbins, the Principal Product Architect at SpecterOps, joins host Phillip Wylie to discuss the evolution of Bloodhound, a tool for attack path mapping in Active Directory environments. Andy shares the origin story of Bloodhound and how it was developed to solve the problem of finding attack paths in complex environments. He explains the graph theory behind Bloodhound and how it visualizes data to help practitioners and defenders understand and mitigate security risks. Andy also discusses the recent release of Bloodhound Community Edition (CE) and the improvements it brings, including faster data ingest, query times, and a friendlier user experience. He highlights the focus on practical attack primitives and abuse primitives in Bloodhound and the goal of making attack paths a non-issue for organizations. Andy concludes by sharing valuable advice for those looking to advance in the industry, emphasizing the importance of understanding and solving real problems and being loyal to people rather than companies.
Key Takeaways:
Bloodhound is a tool for attack path mapping in Active Directory environments, using graph theory to visualize data and identify security risks.
Bloodhound Community Edition (CE) brings improvements such as faster data ingest, query times, and a friendlier user experience.
Bloodhound focuses on practical attack primitives and abuse primitives to solve real security problems and make attack paths a non-issue for organizations.
Quotes:
"If we give people an excellent experience for free, then enough of those people will choose to become paying customers that we have a viable business." - Andy Robbins
"The industry as a whole is very young, but the capability of visualizing data problems and data security problems in this way is also relatively brand new." - Andy Robbins
"We focus on attack paths or risk that emerges out of a combination of the mechanics of a system, the configurations of that system, and the behaviors of users or identities in that system." - Andy Robbins
Socials and Resources:
https://twitter.com/_wald0
https://twitter.com/SpecterOps
https://specterops.io/
https://bloodhoundenterprise.io/
https://github.com/SpecterOps/BloodHound
Andy Robbins: The Evolution of Bloodhound podcasters.spotify.c...
01.07.2025 16:57
GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline
An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.
Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...
28.06.2025 04:14
#PSConfEU 2026
26.06.2025 13:14
Sean Metcalf: Active Directory Security by Phillip Wylie Show
Summary
In this episode of the Phillip Wylie Show, Sean Metcalf, an expert in Active Directory security, discusses his journey into cybersecurity, the evolution of Active Directory and Azure AD, and the common mistakes organizations make in cloud security. He emphasizes the importance of security assessments over penetration testing and shares insights into Trimarc's unique approach to security assessments. Sean also highlights the significance of scripting in security roles and discusses the future of Active Directory in hybrid environments. The episode concludes with information about Trimarc's new product, Trimarc Vision, aimed at enhancing Active Directory security.
Takeaways
Sean Metcalf has assessed environments with up to 960,000 users.
Active Directory security is often overlooked in organizations.
Many organizations are making the same security mistakes in the cloud as they did on-premises.
Security assessments are crucial for identifying potential vulnerabilities.
Trimarc uses proprietary tools for in-depth security assessments.
Scripting knowledge, especially in PowerShell, is beneficial for security professionals.
Active Directory is not going away anytime soon due to legacy applications.
Organizations should conduct security assessments every couple of years.
Trimarc's assessments provide actionable insights for improving security.
The new Trimarc Vision product aims to enhance Active Directory security monitoring.
Sound Bites
"It's been quite a year."
"I saw something change in the URL."
"We're the identity experts."
Chapters
00:00 Introduction to Active Directory Security
03:33 Sean Metcalf's Hacker Origin Story
06:20 The Evolution of Active Directory and Azure AD
09:31 The Importance of Specialization in Cybersecurity
12:30 Active Directory Security Challenges
15:39 The Role of Security Assessments
18:26 Comparing Trimarc and Bloodhound
20:56 Understanding Active Directory Security Assessments
22:35 Getting Started in Active Directory Security
25:30 The Importance of Scripting in Security
34:43 The Hybrid Environment: On-Prem vs Cloud
37:23 Trimarc's Unique Services and Assessments
40:17 Frequency of Active Directory Assessments
42:21 Introducing Trimarc Vision
Resources
https://www.linkedin.com/in/seanmmetcalf/
https://x.com/PyroTek3
https://www.linkedin.com/company/trimarcsecurity/
https://x.com/TrimarcSecurity
https://www.trimarcsecurity.com/
https://adsecurity.org/
Sean Metcalf: Active Directory Security podcasters.spotify.c...
26.06.2025 17:38
Sentiment analysis models are used to assess conventional use of language, but what happens when you engage with them using l33tspeak?
@atomicchonk.bsky.social digs into what happens if we employ this in adversarial text attacks against AI models.
Read more: ghst.ly/4kW2D37
24.06.2025 19:26
Ghostwriter v6: Introducing Collaborative Editing - SpecterOps
Ghostwriter now supports real-time collaborative editing for observations, findings, and report fields using the YJS framework, Tiptap editor, and Hocuspocus server, enabling multiple users to edit si...
Ghostwriter v6's new collaborative editing feature is 🔥
Alex Parrill & @printingprops.com discuss the new real-time collaborative editing for observations, findings, & report fields, enabling multiple users to edit simultaneously without overwriting each other. ghst.ly/4jVqdvG
18.06.2025 20:14
Tokenization Confusion - SpecterOps
Meta's Prompt Guard 2 aims to prevent prompt injection. This post looks at how much knowledge of ML we need to be effective at testing these LLM WAFs.
🚨 New blog post alert!
@xpnsec.com drops knowledge on LLM security w/ his latest post showing how attackers can bypass LLM WAFs by confusing the tokenization process to smuggle tokens to back-end LLMs.
Read more: ghst.ly/4koUJiz
03.06.2025 17:44
Even well-resourced orgs remain vulnerable to NTLM relay attacks. Join @tifkin.bsky.social, @harmj0y.bsky.social, & @cptjesus.bsky.social for our upcoming webinar as they discuss their research into modeling these attacks within BloodHound.
Register today! ghst.ly/ntlm-web-bsky
09.04.2025 18:08
Think NTLM relay is a solved problem? Think again.
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
08.04.2025 23:00
In our latest blog post, @xpnsec.com breaks down how SQL Server Transparent Data Encryption works, shares new methods for brute-forcing database encryption keys, & reveals a default key used by ManageEngine's ADSelfService product backups.
Read more: ghst.ly/4iXFTyF
08.04.2025 18:31
If you missed the session on NTLM at #SOCON2025, you're in luck! Join @tifkin.bsky.social, @cptjesus.bsky.social, and @harmj0y.bsky.social on April 17 for a webinar discussing their research into modeling NTLM relay attacks within BloodHound.
Register today! ghst.ly/ntlm-web
31.03.2025 15:14
It’s time! #SOCON2025 is kicking off now. 🥳
Grab your badge & t-shirt and join your fellow conference attendees for breakfast. Follow along here for today’s schedule of events & use our hashtag to share your own updates!
31.03.2025 12:09
Do You Own Your Permissions, or Do Your Permissions Own You? - SpecterOps
tl;dr: Less FPs for Owns/WriteOwner and new Owns/WriteOwnerLimitedRights edges Before we get started, if you’d prefer to listen to a 10-minute presentation instead of or to supplement reading this pos...
Accurately see what permissions are exploitable in your AD environment. Chris Thompson discusses a recent update in BloodHound that shows fewer false positives for Owns/WriteOwner edges, & introduces the new Owns/WriteOwnerLimitedRights edges.
Read more: ghst.ly/3QORQdF
26.03.2025 18:16
Some of my starts, continued by Fortra, hit a milestone recently. They reduced non-attrib CS servers world-wide by 80% over 2 years
www.cobaltstrike.com/blog/update-...
LONG road. I partnered with Microsoft. 2018. I had TI process to track non-attrib CS servers. 2019. Fortra's novel lawfare. 2022
15.03.2025 03:57
Decrypting the Forest From the Trees - SpecterOps
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...
#SCCM forest discovery accounts can be decrypted, even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.
Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp
06.03.2025 20:34
Kerberoasting w/o the TGS-REQ
Kerberoasting is a technique that allows an attacker to extract the encrypted part of a TGS-REP and brute force it offline to recover the plaintext password of the associated service account. The most...
[BLOG]
I had a series in mind like "Rubeus' Hidden Secrets" or something like that. Basically, highlighting features of the tool that seem less well known. I'm starting off with a basic one for getting crackable hashes from cached service tickets.
rastamouse.me/kerberoastin...
05.03.2025 16:50
SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack
TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a…
SlackPirate sets sail again! 🏴‍☠️
In his latest blog post, Dan Mayer intros his new PR to SlackPirate that lets you loot Slack again out of the box, a BOF to get you all the data you need to do it, & how to bee the most active slacker in your group chat. ghst.ly/4hgwMIt
31.01.2025 16:27
Entra Connect Attacker Tradecraft: Part 2
Now that we know how to add credentials to an on-premises user, let's pose a question:
Part 2 of @hotnops.bsky.social's blog series on Entra Connect attacker tradecraft has dropped! Check out this installment to learn more fundamentals of the Entra sync engine & how to interpret the sync rules. ghst.ly/3WqAQO4
22.01.2025 19:39
Introducing BloodHound CLI
We created a new tool to help you install and manage BloodHound instances, BloodHound CLI!
Introducing a new tool designed to help you install & manage BloodHound instances... 🔥 BloodHound CLI!
Check out @printingprops.com's blog post to learn how this tool dramatically simplifies installation and server management. ghst.ly/40zXAxI
17.01.2025 16:33
Intune Attack Paths — Part 1
Intune is an attractive system for adversaries to target…
In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...
15.01.2025 17:33
Part 16: Tool Description
Why it is Difficult to Say What a Tool Does
Why is it difficult to say what a tool does? 🤔
In Part 16 of his On Detection blog series, Jared Atkinson unpacks two examples demonstrating this problem and why it exists. ghst.ly/3C9uA6u
13.01.2025 22:40
If you're on here and not following @subtee.bsky.social you should be!
12.01.2025 06:26
So you want to exploit ADCS ESC8 with only netexec and ntlmrelayx? Fear not my friend, I will show you how to do it
NetExec now supports "Pass-the-Cert" as an authentication method, thanks to @dirkjanm.io's original work on PKINITtools ⏱️
06.01.2025 20:33
Congrats Dirk-jan, absolutely well deserved!
07.01.2025 17:31
Finally redid my laptop sticker game
02.12.2024 01:46
Relaying Kerberos over SMB using krbrelayx
Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...
20.11.2024 16:02
Add key vault cryptographic op funcs · BloodHoundAD/BARK@e1c82a1
I couldn't find any PowerShell examples of encrypting/decrypting data w/ Azure Key Vault keys, so I made some:
Protect-StringWithAzureKeyVaultKey
Unprotect-StringWithAzureKeyVaultKey
github.com/BloodHoundAD...
Explanatory blog post coming soon.
19.11.2024 00:24
Adversary Simulation @ SpecterOps
AdSim Consultant @ SpecterOps 💻
Corgi dad 🐶
Cat servant 🐱
Tattoo collector 🖼️
Runner 🏃🏻
Manager, Research @ SpecterOps
https://github.com/JonasBK/JonasBK/blob/main/README.md
I like to make things | http://keybase.io/cmaddalena | Author of Printing Props (http://printingprops.com)
Sometimes I help stop bad people from doing bad things on the internet.
Just a dude that loves infosec, video games, music, and cartoons. HACK THE PLANET! My opinions are my own.
CEO @specterops.bsky.social
https://skoisirius.mixlr.com
https://hearthis.at/skoisirius
Principal Consultant at SpecterOps. All opinions are my own.
Adversary Simulation, Red Team Lead, Security Research @ LFI
Posts are my own
He/Him
#redteam #offsec #malware #cybersecurity
https://secdsm.org
I use my real name. The trick is figuring out my handles
@natesubra@infosec.exchange
A mountain man with an Internet connection and a professional interest in malware.
Self Hating Red Teamer - Legitimate Business Practice
🦋: @4lex
Former Pentester
Engineer at SpecterOps
Author of BloodHound
Red Team & Offensive Security Research @amberwolfsec.bsky.social
Just doing my undue diligence.
BACKUP ACCOUNT. Main: @tychotithonus@infosec.exchange
ISP vet, password cracker (Team Hashcat), security demi-boffin, YubiKey stan, public-interest technologist, AK license plate geek.
All the latest motorsport news, videos and podcasts - both on track and online with F1, Formula E, MotoGP, IndyCar, esports and more.
[bridged from https://the-race.com/ on the web: https://fed.brid.gy/web/the-race.com ]
Broadcaster, NYT Best Selling Author and voice artist.