SpecterOps Blog

BloodHound

Attack Graph Model Design Requirements and Examples

TL;DR OpenGraph makes it easy to add new nodes and edges into BloodHound, but doesn’t design your data model for…

Research & Tradecraft

Entra Connect Attacker Tradecraft: Part 3

TL;DR Attackers can exploit Entra Connect sync accounts to hijack device userCertificate properties, enabling device impersonation and bypassing conditional access…

BloodHound

BloodHound v8: Usability, Extensibility, and OpenGraph

TL;DR BloodHound v8 introduces exciting new features enabling users to get more and do more with the BloodHound Attack Path…

BloodHound

BloodHound Community Edition v8 Launches with OpenGraph: Identity Attack Paths Beyond Active Directory & Entra ID 

TL;DR SpecterOps announces the rollout of BloodHound Community Edition 8.0, which includes usability and expandability enhancements for community members. The…

Industry Insights

DPAPI Backup Key Compromise Pt. 1: Some Forests Must Burn

TL;DR The industry recommendation for DPAPI backup key compromise remediation is to destroy and rebuild the environment. This article aims…

Requesting Entra ID Tokens with Entra ID SSO Cookies

TL;DR This post explains how to request OAuth tokens and enumerate an Entra ID tenant by using an SSO cookie…

Research & Tradecraft

Misconfiguration Manager: Still Overlooked, Still Overprivileged

TL;DR It has been one year since Misconfiguration Manager’s release and the security community has been hard at work researching…

Research & Tradecraft

Untrustworthy Trust Builders: Account Operators Replicating Trust Attack (AORTA)

TL;DR The Incoming Forest Trust Builders group (not AdminSDHolder protected) can create inbound forest trusts with ticket-granting ticket (TGT) delegation…

BloodHound

Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound

TL;DR The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on…