Posts by Andy Robbins

Automated Derivative Administrator Search Intro Active Directory Domain escalation is an important part of most penetration tests and red team engagements. While gaining domain/enterprise administrator rights is not the end goal of an as…

10 years ago this week I published this blog post while @cptjesus.bsky.social, @harmj0y.bsky.social and I were working on what eventually became BloodHound: wald0.com?p=14

2 months ago
Agenda - Wild West Hackin' Fest @ Mile High 2026

Next week I'll be speaking at WWHF Mile High in Denver about Abusing Backup Operators with @trustedsec.com's Titanis.

web.cvent.com/event/1dbf78...

2 months ago

Introducing ConfigManBearPig, a BloodHound OpenGraph Collector for SCCM - SpecterOps ConfigManBearPig is a standalone PowerShell collector that adds new SCCM attack path nodes and edges to BloodHound using OpenGraph.

SCCM attack paths are messy until you can see them. 👀

ConfigManBearPig from Chris Thompson extends BloodHound with SCCM nodes + edges using OpenGraph, plus queries to surface hierarchy takeovers and escalation paths.

Check it out: ghst.ly/45FCP5G

3 months ago

AdminSDHolder Misconceptions & Misconfigurations - SpecterOps AdminSDHolder is an object and associated process in Active Directory Domain Services (AD DS) that helps protect specific sensitive and highly privileged accounts from being manipulated. This topic is...

Note: Work related

I do Active Directory stuff for a living. Security research to be more specific. One of my favorite niche AD topics is AdminSDHolder. It's even my vanity domain.

I wrote a 159-page book about AdminSDHolder. I'm kinda proud of it.

specterops.io/resources/ad...

5 months ago

ShareHound: An OpenGraph Collector for Network Shares - SpecterOps ShareHound is an OpenGraph collector for BloodHound CE and BloodHound Enterprise helping identify attack paths to network shares automatically.

See your network shares the way attackers do. 👀

Meet ShareHound, an OpenGraph collector for BloodHound CE & Enterprise that reveals share-level attack paths at scale.
@podalirius.bsky.social unpacks all the details in our latest blog post. ghst.ly/4ogiBqt

5 months ago

Incredible to see @hdm.io using BloodHound to build the new runZeroHound, connecting asset inventory data from @runzero.com with attack path visualization.

Love seeing the community take BloodHound in new directions!

5 months ago

Catching Credential Guard Off Guard - SpecterOps Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.

Credential Guard was supposed to end credential dumping. It didn't.

Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.

Read for more: ghst.ly/4qtl2rm

5 months ago

PingOne Attack Paths - SpecterOps You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances.

Introducing PingOneHound! This OpenGraph extension for BloodHound can help you identify, analyze, execute, and remediate attack paths in PingOne organizations. Read the introductory blog post here: specterops.io/blog/2025/10...

6 months ago

Recon 2025 - The Finer Details of LSA Credential Recovery YouTube video by Recon Conference

@reconmtl.bsky.social has uploaded the majority of the 2025 talks, including my talk on LSA. You can check it out at the below link if you'd like.

Thank you again to the organizers and everyone else who helps put on the conference. I look forward to coming back!
youtu.be/G2CfMWXLU1U?...

6 months ago

Check out my new blog diving deeper into BroCI.

6 months ago

I'd also love to add calls to native Win32 APIs to this graph, the on-disk binaries themselves and the permissions against them, COM object instantiation/calling, etc.

At that point I see this graph being capable of assisting with the discovery of currently unknown "lolbin" primitives.

6 months ago

This obviously does not guarantee that a function called from one of these binaries will land at a function in kernel32.dll. I'd love to map cross-binary function call graphs. Not sure whether there is an easy solution to that.

6 months ago

A little OpenGraph POC for mapping PE header imports of all .dll and .exe files in a fresh Windows install. These are all the binaries that have some kind of import chain leading to kernel32.dll.

6 months ago

This is the kind of research that should invite serious conversation about the trustworthiness of cloud authentication services.

It won't. But it should.

7 months ago
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...

7 months ago

Adalanche search works way better now - it uses BFS rather than DFS, which gave unnecessarily long paths at times. This is available in the latest commit on GitHub.

There might be bugs with the new search - let me know if you see any strangeness. Happy hunting :-)

7 months ago

We've got a fresh #BloodHoundBasics post from @jonas-bk.bsky.social!

Ever wondered about those obscure AD special identity groups that quietly grant permissions to every principal in your environment?

With BloodHound, you can uncover compromising permissions tied to these groups.

🧵: 1/2

7 months ago

BloodHound Operator: The Six Degrees Of Master Yoda - SpecterOps A Technical Dive Into BloodHound OpenGraph With BloodHound Operator & Master Yoda… TL;DR: The latest version of BloodHound introduces BloodHound OpenGraph. This new feature allows for ingestion of any...

BloodHound isn't just for Active Directory anymore. 🤯

@sadprocessor.bsky.social dives into the BloodHound OpenGraph functionality & demonstrates the new PowerShell cmdlets added to the BloodHound Operator module to work with the OpenGraph feature. ghst.ly/4peTTrB

7 months ago

From November 2016:

This is how I used to design BloodHound's entity panels. Just a text editor to list out what I as a red-teamer wanted to see, with the corresponding (then new) Cypher queries listed as well.

Simple, VERY low-fidelity mockup, but really helped during the design phase.

7 months ago

BloodHound 8.0 T-Shirt Fundraiser, Supporting Hope for HIE Hope for HIE is the global voice for families affected by Hypoxic Ischemic Encephalopathy. As the world’s largest HIE support network, Hope for HIE offers personalized resources, education, and a deep...

🚨 New #BloodHound shirt alert 🚨

✅ - Unisex adult/child and ladies sizes available
✅ - Cool design :)
✅ - ALL profits go to charity

This time we are supporting Hope for HIE, which supports families suffering the effects of hypoxic ischemic encephalopathy.

Get your shirt here: ghst.ly/bh8-tshirt

7 months ago

Such a fantastic find and the ideal outcome. Amazing work, Katie.

8 months ago

Check out my new blog on nested app authentication.

8 months ago

Gonna tell my kids this is the eras tour

8 months ago

Attack Graph Model Design Requirements and Examples - SpecterOps TL;DR OpenGraph makes it easy to add new nodes and edges into BloodHound, but doesn’t design your data model for you. This blog post has everything you need to get started with proper attack graph mod...

In this blog post I explain the fundamental building blocks, vocabulary, and principles of attack graph design for BloodHound: specterops.io/blog/2025/08...

8 months ago

Drive safe

8 months ago

What’s Your Secret?: Secret Scanning by DeepPass2 - SpecterOps Discover DeepPass2 - a secret scanning tool combining BERT-based model and LLMs to detect free-form passwords, and other structured tokens and secrets with high accuracy.

Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍

Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA

8 months ago

Entra Connect Attacker Tradecraft: Part 3 - SpecterOps How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains

Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9

8 months ago

@egyp7.bsky.social Hey dude ✌️

8 months ago

BloodHound v8.0 is here! 🎉

This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.

Read more from Justin Kohler: ghst.ly/bloodhoundv8

🧵: 1/7

8 months ago

Great minds

8 months ago