I've put up the slides from my Zer0Con 2026 presentation on Administrator Protection. github.com/tyranid/info...

Time is running out ⏳ Grab your spot in our Detection course at #SOCON2026 happening next week!

In-person attendees receive a free pass to the conference days. Save your seat before registration closes TOMORROW! http://ghst.ly/socon26-regbsky

My responsible disclosure covering 16 vendors whose documentation was steering customers into critical misconfigs.

More details will be shared at my talk @ BSides Prague on April 24! www.bsidesprg.cz#program:~:te...

The #SOCON2026 agenda is live! 🎉

Explore talks, topics, & speakers across the Tradecraft, OpenGraph, & new Practice Track, focused on turning Attack Path Management into an operational discipline.

Check out the agenda & plan your experience: ghst.ly/socon26-tw

🧵: 1/4

BloodHound Operator: The Six Degrees Of Master Yoda - SpecterOps A Technical Dive Into BloodHound OpenGraph With BloodHound Operator & Master Yoda… TL;DR: The latest version of BloodHound introduces BloodHound OpenGraph. This new feature allows for ingestion of any...

If you found the above cool, then check out @sadprocessor.bsky.social's much more comprehensive OpenGraph × Star Wars demo.
specterops.io/blog/2025/09...

BloodHound's OpenGraph is 🔥🚀
This is how we rapidly developed a customer specific attack primitive for BloodHound that we call "ManagerOf" 👇

Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...

I publish two blog posts today! 📝🐫

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read 🥳

Easily find and share BloodHound Cyphers on queries.specterops.io
Released with ~90 new Cypher queries, go check them out!

@joeydreijer.bsky.social and I spent many hours creating it and we hope you find it useful. All feedback is appreciated :)

Cool! Is there a way to enum Symantec assets via LPDAP? E.g. does the server/service acc have a specific SPN?

Understanding & Mitigating BadSuccessor - SpecterOps Understanding the impact of the BadSuccessor AD attack primitive and mitigating the abuse via targeted Deny ACEs on Organizational Units.

The blog post: specterops.io/blog/2025/05...

**Every** BloodHound Enterprise tenant I've checked has multiple Non Tier Zero principals with the rights required for BadSuccessor. Luckily a 2025 DC is still rare.
Often helpdesk has GenericAll, misconfig'ed to apply on the OU itself, instead of only inheriting to principals within.

Shout out (skud ud) to @embar.io
Best CTF DJ. #tdcnetctf

BloodHound has 4 new edges: 𝗖𝗼𝗲𝗿𝗰𝗲𝗔𝗻𝗱𝗥𝗲𝗹𝗮𝘆𝗡𝗧𝗟𝗠𝗧𝗼𝗦𝗠𝗕, ...𝗧𝗼𝗟𝗗𝗔𝗣, ...𝗧𝗼𝗟𝗗𝗔𝗣𝗦, ...𝗧𝗼𝗔𝗗𝗖𝗦 [ESC8]

They combine 𝗰𝗼𝗲𝗿𝗰𝗶𝗼𝗻 and 𝗿𝗲𝗹𝗮𝘆𝗶𝗻𝗴, allowing Auth. Users to compromise computers. Read this excellent post by Elad Shamir if you are unfamiliar with those terms or want to know how to mitigate.

I had a great time at @specterops.bsky.social #SOCON2025 in Arlington/DC!

I'm grateful I get to meet all you awesome people; community members and Specters. Huge thanks to the many speakers and trainers 💙

See you next year!

Butthole*... Excellent typo

Intune Attack Paths — Part 1 Intune is an attractive system for adversaries to target…

In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...

Screenshot of trending topics launched on Christmas 2025. Topics trending include: Virat Kohli, Red Panda, Porzingis, Post Malone, Beyoncé, Gavin and Stacey Finale, Sixers, A Complete Unknown, King Henry, Joel Embiid, Pentatonix

Merry Christmas from us to you 🎄🎁💙 We launched Trending Topics today, and you can find it by tapping the search icon on the bottom bar of the app or the right sidebar on desktop.

Misconfiguration Manager: Detection Updates TL;DR: The Misconfiguration Manager DETECT section has been updated with relevant guidance to help defensive operators identify the most…

The Misconfiguration Manager DETECT section has been updated with fresh guidance to help defensive operators spot the most prolific attack techniques.

Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F

a woman wearing glasses says please with her hand up ALT: a woman wearing glasses says please with her hand up

It's that time of year again everybody! I want to know YOUR thoughts on Mythic! What did you like? What could be improved? What would you like to see next? Why do you or don't you use it? If you could change something, what would it be? www.surveymonkey.com/r/MythicPlan... I'm all ears :)

Other than securing DNS, what could prevent this technique?
Require SMB client signing? Some Kerberos hardening setting? Or only tiering (eg. Auth. Policy Silo)?

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...

ShadowHound: A SharpHound Alternative Using Native PowerShell ShadowHound is a PowerShell tool designed for mapping Active Directory environments without using known malicious binaries. It utilizes legitimate PowerShell modules for data collection through two…

ShadowHound - brand new .ps1 SharpHound alternative that supports LDAP and ADWS
Outputs data in ldapsearch format that can be converted to BH JSON with BOFHound.
blog.fndsec.net/2024/11/25/s...

Meme template "they don't know". *infosec bsky users* me: they don't know that I had 395 followers on X

355 to go!

Relaying Kerberos over SMB using krbrelayx

Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...

DEATHcon 2024: Prevention Engineering via the RPC and LDAP Firewalls YouTube video by Zero Networks

RCP Firewall and LDAP Firewall workshop by Sagie Dulce and Dekel Paz.

youtube.com/watch?v=hJyI...

Windows ships with insecure defaults for network shares, granting Read access to Everyone. But you can change that with "SrvsvcDefaultShareInfo" in the registry.
I made a post about it: blog.improsec.com/tech-blog/ne...

Hunting SMB Shares, Again! Charts, Graphs, Passwords & LLM Magic for PowerHuntShares 2.0 Learn how to identify, understand, attack, and remediate SMB shares configured with excessive privilege in active directory environments with the help of new charts, graphs, and LLM capabilities.

PowerHuntShares is a useful tool by Scott Sutherland (_nullbind), and the v2 looks amazing. I gotta test the experimental "Share Graph".
www.netspi.com/blog/technic...

SO-CON CFP submitted! Get yours in before tomorrow's deadline.
specterops.io/so-con/

Tier list of AD tiers