SpecterOps Blog

BloodHound

Adding MSSQL to BloodHound with OpenGraph

TL;DR MSSQLHound is a standalone PowerShell collector that adds 7 new nodes and 37 new MSSQL attack path edges to…

BloodHound

Attack Graph Model Design Requirements and Examples

TL;DR OpenGraph makes it easy to add new nodes and edges into BloodHound, but doesn’t design your data model for…

Research & Tradecraft

What’s Your Secret?: Secret Scanning by DeepPass2 

TL;DR DeepPass2 is a secret scanning tool that combines regex rules, a fine-tuned BERT model, and LLM validation to detect…

Research & Tradecraft

Entra Connect Attacker Tradecraft: Part 3

TL;DR Attackers can exploit Entra Connect sync accounts to hijack device userCertificate properties, enabling device impersonation and bypassing conditional access…

BloodHound

BloodHound Community Edition v8 Launches with OpenGraph: Identity Attack Paths Beyond Active Directory & Entra ID 

TL;DR SpecterOps announces the rollout of BloodHound Community Edition 8.0, which includes usability and expandability enhancements for community members. The…

BloodHound

BloodHound v8: Usability, Extensibility, and OpenGraph

TL;DR BloodHound v8 introduces exciting new features enabling users to get more and do more with the BloodHound Attack Path…

Industry Insights

DPAPI Backup Key Compromise Pt. 1: Some Forests Must Burn

TL;DR The industry recommendation for DPAPI backup key compromise remediation is to destroy and rebuild the environment. This article aims…

Research & Tradecraft

Make Sure to Use SOAP(y) – An Operators Guide to Stealthy AD Collection Using ADWS

Learn how to perform stealthy recon of Active Directory environments over ADWS for Red Team Assessments

Escaping the Confines of Port 445

TL;DR NTLM relay attacks on SMB restrict lateral movement to port 445/TCP capabilities. To extend beyond, leverage the Service Control…