New #BloodHoundBasics post on edge filtering from Carlo Alcantara!
DYK: You can filter edges in BloodHound to simulate remediating attack paths? Simply use the filter to remove an edge to reveal the next shortest path. In this example, we keep filtering until no path remains.
06.03.2026 19:10
Chrome 137+ added a CNG wrinkle to App-Bound Encryption.
@harmj0y.bsky.social & @tifkin.bsky.social share how Nemesis 2.2 handles it, automating DPAPI decryption from SYSTEM & user masterkeys through Chromekey1 to cookie/login recovery, w/ retroactive artifact linking. https://ghst.ly/3OzfkFN
04.03.2026 18:08
Happy #BloodHoundBasics Friday from @jonas-bk.bsky.social!
Auditing group nesting is painful - until you use BloodHound 🐶
The graph makes it simple to explore group members, including nested groups.
You can use this built-in cypher query for Tier Zero groups in AD.
27.02.2026 20:46
Nemesis 2.2 - SpecterOps
Nemesis 2.2 introduces large disk image processing, LLM agents for automated finding triage and credential analysis, full Chromium DPAPI decryption support, host reporting, and significant performance...
If a host is compromised, what risk does that data represent?
Nemesis 2.2 helps answer that.
✅ Large container processing
✅ Host-based reporting
✅ AI-assisted triage
✅ Full Chromium DPAPI handling
Read @harmj0y.bsky.social + @tifkin.bsky.social's latest blog post: https://ghst.ly/4l2DDbl
25.02.2026 18:14
Missed the BloodHound Scentry launch webinar w/ Robby Winchester & @subat0mik.bsky.social?
Watch on demand to learn how this new service helps organizations accelerate their APM programs and reduce identity risk.
➡️ https://ghst.ly/4ruLjWh
24.02.2026 23:49
#DYK we recently launched a new subreddit? Be part of the conversation at r/SpecterOpsCommunity!
Join us this Friday for our kickoff #RedditAMA featuring TaskHound developer Robin Unglaub who will be taking your questions on the tool.
Drop your Qs here ➡️ https://ghst.ly/4ryInrD
24.02.2026 14:50
BloodHound maps attack paths. But what if you graphed incident data too?
At #SOCON2026, @olafhartong.nl explores enriched incident graphs in Kusto, combining BloodHound with telemetry to reveal powerful correlations.
Learn more & register ➡️ ghst.ly/socon26-bsky
23.02.2026 18:43
It's #BloodHoundBasics day w/ @scoubi.bsky.social!
This week: Relationship Shortcuts.
Instead of listing all traversable relationships in your Cypher queries, use:
[:AD_ATTACK_PATHS] for Active Directory
[:AZ_ATTACK_PATHS] for Entra ID
[:ALL_ATTACK_PATHS] for AD & Entra
20.02.2026 20:10
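The shortcut described in the post above, as an added example (not a query from the original post or from the BloodHound Query Library): the first query spells out a hand-picked subset of AD edge types, which silently drops any path that uses an edge you forgot; the second uses the AD_ATTACK_PATHS shortcut so the graph, not the analyst, decides which edges are traversable. The principal and domain names are constructed placeholders.

```cypher
// Long form (abbreviated on purpose): only the edge types listed here are
// followed. A path that relies on any other traversable edge type is missed,
// so the query understates risk.
MATCH p = shortestPath((u:User {name: "JDOE@EXAMPLE.LOCAL"})
    -[:MemberOf|AdminTo|HasSession|GenericAll|WriteDacl|WriteOwner*1..]->
    (g:Group {name: "DOMAIN ADMINS@EXAMPLE.LOCAL"}))
RETURN p

// Shortcut form: AD_ATTACK_PATHS expands to the full set of Active Directory
// attack-path edge types, so new edge kinds added in later BloodHound
// releases are covered without editing the saved query.
MATCH p = shortestPath((u:User {name: "JDOE@EXAMPLE.LOCAL"})
    -[:AD_ATTACK_PATHS*1..]->
    (g:Group {name: "DOMAIN ADMINS@EXAMPLE.LOCAL"}))
RETURN p
```

Run the two statements one at a time in Explore → Cypher (BloodHound executes a single query per run); swap in AZ_ATTACK_PATHS for Entra ID principals or ALL_ATTACK_PATHS when the start and end nodes sit in different directories.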
Attack paths don't reduce themselves.
Join Robby Winchester & @subat0mik.bsky.social TOMORROW as they introduce BloodHound Scentry: expert-led Attack Path Management designed to help teams move from visibility to continuous risk reduction.
Register ➡️ ghst.ly/4tJ4k94
18.02.2026 19:19
STOP THE CAP: Making Entra ID Conditional Access Make Sense Offline - SpecterOps
Analyze Entra ID Conditional Access policies offline. CAPSlock simulates sign-ins and exposes enforcement gaps without generating tenant activity.
Every Entra ID assessment ends here: "How do I get a token without triggering Conditional Access controls?" 🤔
Lee Robinson built CAPSlock, an offline ROADrecon-based Conditional Access engine that simulates sign-ins & flags gaps without touching the tenant. ghst.ly/4aHUGuD
17.02.2026 20:14
The ZIP contains all queries, ready for import to BloodHound.
1️⃣ Download queries(.)zip from Releases on GitHub: ghst.ly/3OmZQEH
2️⃣ In BloodHound: Explore → Cypher → Import OR via API: POST to /api/v2/saved-queries/import
3️⃣ Done! All queries instantly available.
🧵: 3/3
13.02.2026 19:41
The BloodHound Query Library currently has 199 Cypher queries for security work in the BloodHound graph.
It's all open source and community-maintained.
Front end: queries.specterops.io
GitHub: ghst.ly/4rKjTeI
🧵: 2/3
13.02.2026 19:41
Happy #BloodHoundBasics Friday w/ @martinsohn.dk!
Did you know the BloodHound Query Library now includes a ZIP of all queries in Releases on GitHub for bulk importing?
No more copying queries one by one; grab & import the whole collection in seconds!
🧵: 1/3
13.02.2026 19:41
This is your sign to save your spot in our Detection course at #SOCON2026!
Learn how to identify adversaries using TTPs, uncover telemetry gaps, and build alerts that survive real-world evasion.
Attend in person & get a free conf. pass 👉 ghst.ly/socon26-regbsky
13.02.2026 14:46
Building an Attack Path Management program is hard. Sustaining one is harder.
Join Robby Winchester & @subat0mik.bsky.social as they introduce BloodHound Scentry, an advisory service to scale APM visibility, remediation & protection across Security, Identity & IT.
➡️ ghst.ly/4tJ4k94
11.02.2026 19:09
Introducing BloodHound Scentry: BloodHound Enterprise + SpecterOps experts working alongside your team to eliminate attack paths and accelerate APM.
Level 0 → Level 3 maturity in ~6 months. Not theory. Tradecraft. 🎯
Learn more ➡️ ghst.ly/bhscentry-bsky
10.02.2026 15:01
Happy #BloodHoundBasics from @andyrobbins.bsky.social!
Want to see attack paths in your own environment? Install BloodHound CE with three commands:
1️⃣ wget ghst.ly/3NTWRmY
2️⃣ tar -xvzf bloodhound-cli-linux-amd64.tar.gz
3️⃣ ./bloodhound-cli install
More info here: ghst.ly/3NMjhqn
30.01.2026 22:58
Design goals:
✅ No Azure mgmt APIs from agents
✅ Per-agent containers (agent-*)
✅ Container-scoped SAS tokens
Read more: ghst.ly/4bLIGKT
30.01.2026 18:33
New from Andrew Gomez + Allen DeMoura: azureBlob, a Mythic C2 profile that uses Azure Blob Storage as transport.
Supported Agents:
Medusa
🪽 Pegasus (new test agent)
❤️ Your fav agent (with simple integration guide)
ghst.ly/4bLIGKT
30.01.2026 18:33
Identity security in restricted environments shouldn't be limited to periodic reviews.
BloodHound Enterprise on-premises enables continuous Identity Attack Path Management without cloud connectivity.
Learn more ➡️ ghst.ly/4kadAi0
29.01.2026 17:11
The new Practice Track puts Attack Path Management into action with proven frameworks and real-world case studies. Plus, participate in a hands-on BloodHound Quest lab designed to turn identity risk into measurable outcomes.
🧵: 4/4
27.01.2026 22:35
The OpenGraph Track advances Attack Path Management through deep research on identity graphs, hybrid attack paths, and emerging threats.
From hybrid and federated environments to AI & non-human identities, this track pushes the boundaries of identity security research.
🧵: 3/4
27.01.2026 22:35
The Tradecraft Track dives into breaking and detecting real adversary behavior through cutting-edge offensive and defensive tradecraft.
Learn how real attackers abuse identity, how those paths evolve, and how defenders can detect and disrupt them in practice.
🧵: 2/4
27.01.2026 22:35
The #SOCON2026 agenda is live!
Explore talks, topics, & speakers across the Tradecraft, OpenGraph, & new Practice Track, focused on turning Attack Path Management into an operational discipline.
Check out the agenda & plan your experience: ghst.ly/socon26-tw
🧵: 1/4
27.01.2026 22:35
You can enable this functionality in your tenant by going to Administration > BloodHound Configuration > Citrix RDP Support.
🧵: 4/4
23.01.2026 21:01
So when BHE sees that group, it understands Citrix is in control of access. It understands RDP would not lead to interactive desktop compromise and it removes misleading CanRDP edges that would otherwise overstate risk.
🧵: 3/4
23.01.2026 21:01
The Citrix "Direct Access Users" group exists specifically to prevent users from RDPing directly into the VDA's Windows session unless they're explicitly allowed. The Citrix "Direct Access Users" group is a deny-by-default control.
🧵: 2/4
23.01.2026 21:01
A very happy #BloodHoundBasics day from @psionicjake.github.io!
In BloodHound Enterprise, CanRDP normally means:
"If I compromise this user, I can RDP directly to this machine and land inside Windows."
But Citrix changes what "RDP access" actually means.
🧵: 1/4
23.01.2026 21:01