#BloodHoundBasics

#BloodHoundBasics 🌸 Spring cleaning edition from @martinsohn.dk!

It's time to audit the API Keys of your dog house - BloodHound.

Here's how in under a minute.

🧵1/3


Friday brings #BloodHoundBasics - this time from Stephen Hinck!

This old dog is learning a ton of new tricks! 🐕

DYK BloodHound now covers Okta, GitHub, & JAMF? Check out our newest extensions & start mapping even more Attack Paths than ever before! https://ghst.ly/4dmfACv


Friday = #BloodHoundBasics, this week courtesy of @andyrobbins.bsky.social!

BloodHound is extensible - you can add your own nodes and edges from any source with BloodHound's "OpenGraph".

Get started here → https://ghst.ly/3PmS0f1


Happy #BloodHoundBasics day from Nathan Davis!

Having trouble getting started w/ Cypher queries? Here's a quick intro to get you going:

Start w/ a MATCH statement, use a WHERE clause to refine, & RETURN your data (don't forget a LIMIT statement, just in case).

Query in 🧵⤵️


Happy #BloodHoundBasics day from @psionicjake.github.io!

Why do we recommend a Group Managed Service Account for SharpHound? Security.

When you use a gMSA as a service principal for running SharpHound, Windows manages the p/w for the account. Not an admin.

🧵: 1/5


New #BloodHoundBasics post on edge filtering from Carlo Alcantara!

DYK: You can filter edges in BloodHound to simulate remediating attack paths? Simply use the filter to remove an edge to reveal the next shortest path. In this example, we keep filtering until no path remains.


Happy #BloodHoundBasics Friday from @jonas-bk.bsky.social!

Auditing group nesting is painful - until you use BloodHound 🐶

The graph makes it simple to explore group members, including nested groups.

You can use this built-in cypher query for Tier Zero groups in AD.


It’s #BloodHoundBasics day w/ @scoubi.bsky.social!

This week: Relationship Shortcuts.

Instead of listing all traversable relationships in your Cypher queries, use:

[:AD_ATTACK_PATHS] for Active Directory
[:AZ_ATTACK_PATHS] for Entra ID
[:ALL_ATTACK_PATHS] for AD & Entra


Happy #BloodHoundBasics Friday w/ @martinsohn.dk!
Did you know the BloodHound Query Library now includes a ZIP of all queries in Releases on GitHub for bulk importing?

No more copying queries one by one—grab & import the whole collection in seconds!

🧵: 1/3


Happy #BloodHoundBasics from @andyrobbins.bsky.social!

Want to see attack paths in your own environment? Install BloodHound CE with three commands:

1️⃣ wget ghst.ly/3NTWRmY
2️⃣ tar -xvzf bloodhound-cli-linux-amd64.tar.gz
3️⃣ ./bloodhound-cli install

More info here: ghst.ly/3NMjhqn


A very happy #BloodHoundBasics day from @psionicjake.github.io!

In BloodHound Enterprise, CanRDP normally means:
"If I compromise this user, I can RDP directly to this machine and land inside Windows."

But Citrix changes what "RDP access" actually means.

🧵: 1/4


Friday = #BloodHoundBasics w/ Nathan Davis!

Did you know that you can set the source type for ingested data with OpenGraph? This allows you to search using a custom object type to return all ingested nodes, as well as delete selectively from your BH instance.

🧵: 1/2


It's #BloodHoundBasics day w/ @jonas-bk.bsky.social!

Want to connect w/ other BloodHound users, or the folks building BloodHound?

Join the community Slack 👉 slack.specterops.io

Dedicated channels for:
• Active Directory
• Red Teaming
• SCCM
• Detection
...and more

Come hang with us!


A very merry #BloodHoundBasics, courtesy of @martinsohn.dk!

In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.

🧵: 1/4


Happy #BloodHoundBasics day from Stephen Hinck & the entire SpecterOps team! 🎄

🧵: 2/2


Happy #BloodHoundBasics day from Nathan Davis!

Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!

🧵: 1/2

Traversable and Non-Traversable Edge Types - SpecterOps: Details on traversable and non-traversable edge types in BloodHound

It's #BloodHoundBasics day w/ @andyrobbins.bsky.social! 🎉

"Traversable"? "Non-Traversable"? These are terms you may see in BloodHound documentation & discussions, but what do they mean?

We wrote this page to hopefully clear up the confusion w/ these terms: ghst.ly/48OOuSe


In today’s installment of #BloodHoundBasics from Carlo Alcantara: Easily manage your custom cypher queries.

Support for importing and exporting cypher queries was added recently in BloodHound v8.2.0 — now with drag and drop!


In today's #BloodHoundBasics, @sadprocessor.bsky.social highlights a powerful new feature you might’ve missed: Cypher Selectors for Privilege Zones.

Why powerful? Unlike classic objectid selectors, Cypher selectors use complex conditions & can be created before the node exists.

🧵: 1/3


It's another #BloodHoundBasics day with Stephen Hinck!

Go back ⬅️, forward ➡️, & share your BloodHound view 👀. Earlier this year, we added Back button support directly through your browser. You can also copy your current URL & share it with a teammate so they see what you see.


For today’s #BloodHoundBasics from Carlo Alcantara, we explore how easy it is to use OpenGraph to enrich our existing Active Directory data in BloodHound. In this example, we will add a new attribute to AD objects that have a fine grained password policy applied to them.

🧵 1/5


Celebrating #BloodHoundBasics day w/ Nathan Davis!

DYK: Risk calculation in BHE findings can be based on different values—some use Exposure (inbound control), others Impact (outbound). Hover over a finding in the Attack Paths page to see which applies.


It's another #BloodHoundBasics day with @andyrobbins.bsky.social!

Today we are highlighting the ReadGMSAPassword edge.

A GMSA is an Active Directory object. GMSA stands for Group-Managed Service Account - a great solution from Microsoft that we recommend organizations use!

🧵: 1/3


Happy #BloodHoundBasics Day from @scoubi.bsky.social!

By now, you've probably heard about our Query Library. But did you know you can run any query in your own instance of BHE/BHCE and then save the query to your Personal Library?

Follow the steps threaded below!

🧵: 1/5


New #BloodHoundBasics post from @martinsohn.dk ‼️

Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see...

🧵 1/6


We've got a fresh #BloodHoundBasics post from @jonas-bk.bsky.social!

Ever wondered about those obscure AD special identity groups that quietly grant permissions to every principal in your environment?

With BloodHound, you can uncover compromising permissions tied to these groups.

🧵: 1/2


In today’s installment of #BloodHoundBasics from Carlo Alcantara: Labels and Tags. 🏷️

With the Privilege Zones feature, labels can be created to define a collection of assets.

🧵: 1/2


Happy #BloodHoundBasics day from Nathan Davis!

Unsure what Active Directory Certificate Services (AD CS) Escalation (ESC) Attack Paths are? These depend heavily on certificate template configurations that may lead to the abuse of any principal in your forest.

🧵: 1/4


Happy #BloodHoundBasics Day from @scoubi.bsky.social! 🎉

Have you ever run a Cypher Query & gotten so many nodes you couldn't see anything? You Pinch Zoom to get a closer look and it worked fine, but you Pinch Un-zoom & the application resized.

🧵: 1/2


Friday = #BloodHoundBasics! 🙌 This week's post comes from Stephen Hinck.

Most BloodHound users are familiar with filtering for object or edge types in the MATCH section of a Cypher query, but did you know you can specify it in the WHERE clause as well?

🧵: 1/3
