The #SOCON2026 agenda is live! 🎉
Explore talks, topics, & speakers across the Tradecraft, OpenGraph, & new Practice Track, focused on turning Attack Path Management into an operational discipline.
Check out the agenda & plan your experience: ghst.ly/socon26-tw
🧵: 1/4
If you found the above cool, then check out @sadprocessor.bsky.social's much more comprehensive OpenGraph × Star Wars demo.
specterops.io/blog/2025/09...
BloodHound's OpenGraph is 🔥🚀
This is how we rapidly developed a customer specific attack primitive for BloodHound that we call "ManagerOf" 👇
I published two blog posts today! 📝🐫
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
Easily find and share BloodHound Cyphers on queries.specterops.io
Released with ~90 new Cypher queries, go check them out!
@joeydreijer.bsky.social and I spent many hours creating it and we hope you find it useful. All feedback is appreciated :)
Cool! Is there a way to enum Symantec assets via LDAP? E.g. does the server/service acc have a specific SPN?
**Every** BloodHound Enterprise tenant I've checked has multiple Non Tier Zero principals with the rights required for BadSuccessor. Luckily a 2025 DC is still rare.
Often helpdesk has GenericAll, misconfig'ed to apply on the OU itself, instead of only inheriting to principals within.
Shout out (skud ud) to @embar.io
Best CTF DJ. #tdcnetctf
BloodHound has 4 new edges: CoerceAndRelayNTLMToSMB, ...ToLDAP, ...ToLDAPS, ...ToADCS [ESC8]
They combine coercion and relaying, allowing Auth. Users to compromise computers. Read this excellent post by Elad Shamir if you are unfamiliar with those terms or want to know how to mitigate.
I had a great time at @specterops.bsky.social #SOCON2025 in Arlington/DC!
I'm grateful I get to meet all you awesome people; community members and Specters. Huge thanks to the many speakers and trainers 💙
See you next year!
Butthole*... Excellent typo
In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...
Screenshot of trending topics launched on Christmas 2025. Topics trending include: Virat Kohli, Red Panda, Porzingis, Post Malone, Beyoncé, Gavin and Stacey Finale, Sixers, A Complete Unknown, King Henry, Joel Embiid, Pentatonix
Merry Christmas from us to you 🎄🎁💙 We launched Trending Topics today, and you can find it by tapping the search icon on the bottom bar of the app or the right sidebar on desktop.
The Misconfiguration Manager DETECT section has been updated with fresh guidance to help defensive operators spot the most prolific attack techniques.
Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F
It's that time of year again everybody! I want to know YOUR thoughts on Mythic! What did you like? What could be improved? What would you like to see next? Why do you or don't you use it? If you could change something, what would it be? www.surveymonkey.com/r/MythicPlan... I'm all ears :)
Other than securing DNS, what could prevent this technique?
Require SMB client signing? Some Kerberos hardening setting? Or only tiering (e.g. Auth. Policy Silo)?
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
ShadowHound - brand new .ps1 SharpHound alternative that supports LDAP and ADWS
Outputs data in ldapsearch format that can be converted to BH JSON with BOFHound.
blog.fndsec.net/2024/11/25/s...
Meme template "they don't know". *infosec bsky users* me: they don't know that I had 395 followers on X
355 to go!
RPC Firewall and LDAP Firewall workshop by Sagie Dulce and Dekel Paz.
youtube.com/watch?v=hJyI...
Windows ships with insecure defaults for network shares, granting Read access to Everyone. But you can change that with "SrvsvcDefaultShareInfo" in the registry.
I made a post about it: blog.improsec.com/tech-blog/ne...
PowerHuntShares is a useful tool by Scott Sutherland (_nullbind), and the v2 looks amazing. I gotta test the experimental "Share Graph".
www.netspi.com/blog/technic...
SO-CON CFP submitted! Get yours in before tomorrow's deadline.
specterops.io/so-con/
Tier list of AD tiers
Join our webinar on Thurs when Jonas Knudsen, Lee Christensen, and I will present pt. 4 of "What Is Tier Zero", covering:
- MS Exchange On-Premises
- ADCS
- Insights from isolating Tier Zero with BloodHound Enterprise customers
Watch live or register for on-demand at ghst.ly/4eSssxL
>an explicit Deny overrules an explicit Allow.
If Deny is closer to the securable object than the Allow, i.e. explicit Allow takes precedence over inherited Deny, and parent inherited Allow > grandparent Deny.