Martin Sohn Christensen
@martinsohn.dk
Security Researcher @ SpecterOps
https://martinsohn.dk
https://martinsohn.dk
BloodHound's OpenGraph is 🔥🚀
This is how we rapidly developed a customer specific attack primitive for BloodHound that we call "ManagerOf" 👇
This is how we rapidly developed a customer specific attack primitive for BloodHound that we call "ManagerOf" 👇
New #BloodHoundBasics post from @martinsohn.dk ‼️
Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see...
🧵 1/6
Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see...
🧵 1/6
September 19, 2025 at 7:05 PM
BloodHound's OpenGraph is 🔥🚀
This is how we rapidly developed a customer specific attack primitive for BloodHound that we call "ManagerOf" 👇
This is how we rapidly developed a customer specific attack primitive for BloodHound that we call "ManagerOf" 👇
Reposted by Martin Sohn Christensen
I publish two blog posts today! 📝🐫
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps
The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...
specterops.io
June 25, 2025 at 10:14 AM
I publish two blog posts today! 📝🐫
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...
Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...
Hope you enjoy the read 🥳
Easily find and share BloodHound Cyphers on queries.specterops.io
Released with ~90 new Cypher queries, go check them out!
@joeydreijer.bsky.social and I spent many hours creating it and we hope you find it useful. All feedback is appreciated :)
Released with ~90 new Cypher queries, go check them out!
@joeydreijer.bsky.social and I spent many hours creating it and we hope you find it useful. All feedback is appreciated :)
June 17, 2025 at 7:57 PM
Easily find and share BloodHound Cyphers on queries.specterops.io
Released with ~90 new Cypher queries, go check them out!
@joeydreijer.bsky.social and I spent many hours creating it and we hope you find it useful. All feedback is appreciated :)
Released with ~90 new Cypher queries, go check them out!
@joeydreijer.bsky.social and I spent many hours creating it and we hope you find it useful. All feedback is appreciated :)
**Every** BloodHound Enterprise tenant I've checked has multiple Non Tier Zero principals with the rights required for BadSuccessor. Luckily a 2025 DC is still rare.
Often helpdesk has GenericAll, misconfig'ed to apply on the OU itself, instead of only inheriting to principals within.
Often helpdesk has GenericAll, misconfig'ed to apply on the OU itself, instead of only inheriting to principals within.
Happy #BloodHoundBasics Day!
This week's 🔥 topic from @martinsohn.dk: the Microsoft-wont-fix-yet "BadSuccessor" attack that abuses Server 2025's dMSA feature for domain takeover.
This 🧵 shows how you can use BloodHound to find BadSuccessor risk.
(1/9)
This week's 🔥 topic from @martinsohn.dk: the Microsoft-wont-fix-yet "BadSuccessor" attack that abuses Server 2025's dMSA feature for domain takeover.
This 🧵 shows how you can use BloodHound to find BadSuccessor risk.
(1/9)
May 24, 2025 at 5:01 AM
**Every** BloodHound Enterprise tenant I've checked has multiple Non Tier Zero principals with the rights required for BadSuccessor. Luckily a 2025 DC is still rare.
Often helpdesk has GenericAll, misconfig'ed to apply on the OU itself, instead of only inheriting to principals within.
Often helpdesk has GenericAll, misconfig'ed to apply on the OU itself, instead of only inheriting to principals within.
April 26, 2025 at 4:01 PM
BloodHound has 4 new edges: 𝗖𝗼𝗲𝗿𝗰𝗲𝗔𝗻𝗱𝗥𝗲𝗹𝗮𝘆𝗡𝗧𝗟𝗠𝗧𝗼𝗦𝗠𝗕, ...𝗧𝗼𝗟𝗗𝗔𝗣, ...𝗧𝗼𝗟𝗗𝗔𝗣𝗦, ...𝗧𝗼𝗔𝗗𝗖𝗦 [ESC8]
They combine 𝗰𝗼𝗲𝗿𝗰𝗶𝗼𝗻 and 𝗿𝗲𝗹𝗮𝘆𝗶𝗻𝗴, allowing Auth. Users to compromise computers. Read this excellent post by Elad Shamir if you are unfamiliar with those terms or want to know how to mitigate.
They combine 𝗰𝗼𝗲𝗿𝗰𝗶𝗼𝗻 and 𝗿𝗲𝗹𝗮𝘆𝗶𝗻𝗴, allowing Auth. Users to compromise computers. Read this excellent post by Elad Shamir if you are unfamiliar with those terms or want to know how to mitigate.
Think NTLM relay is a solved problem? Think again.
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
April 9, 2025 at 6:46 AM
BloodHound has 4 new edges: 𝗖𝗼𝗲𝗿𝗰𝗲𝗔𝗻𝗱𝗥𝗲𝗹𝗮𝘆𝗡𝗧𝗟𝗠𝗧𝗼𝗦𝗠𝗕, ...𝗧𝗼𝗟𝗗𝗔𝗣, ...𝗧𝗼𝗟𝗗𝗔𝗣𝗦, ...𝗧𝗼𝗔𝗗𝗖𝗦 [ESC8]
They combine 𝗰𝗼𝗲𝗿𝗰𝗶𝗼𝗻 and 𝗿𝗲𝗹𝗮𝘆𝗶𝗻𝗴, allowing Auth. Users to compromise computers. Read this excellent post by Elad Shamir if you are unfamiliar with those terms or want to know how to mitigate.
They combine 𝗰𝗼𝗲𝗿𝗰𝗶𝗼𝗻 and 𝗿𝗲𝗹𝗮𝘆𝗶𝗻𝗴, allowing Auth. Users to compromise computers. Read this excellent post by Elad Shamir if you are unfamiliar with those terms or want to know how to mitigate.
I had a great time at @specterops.bsky.social #SOCON2025 in Arlington/DC!
I'm grateful I get to meet all you awesome people; community members and Specters. Huge thanks to the many speakers and trainers 💙
See you next year!
I'm grateful I get to meet all you awesome people; community members and Specters. Huge thanks to the many speakers and trainers 💙
See you next year!
April 8, 2025 at 1:17 PM
I had a great time at @specterops.bsky.social #SOCON2025 in Arlington/DC!
I'm grateful I get to meet all you awesome people; community members and Specters. Huge thanks to the many speakers and trainers 💙
See you next year!
I'm grateful I get to meet all you awesome people; community members and Specters. Huge thanks to the many speakers and trainers 💙
See you next year!
Reposted by Martin Sohn Christensen
In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...
Intune Attack Paths — Part 1
Intune is an attractive system for adversaries to target…
posts.specterops.io
January 15, 2025 at 5:33 PM
In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...
Reposted by Martin Sohn Christensen
Merry Christmas from us to you 🎄🎁💙 We launched Trending Topics today, and you can find it by tapping the search icon on the bottom bar of the app or the right sidebar on desktop.
December 26, 2024 at 1:09 AM
Merry Christmas from us to you 🎄🎁💙 We launched Trending Topics today, and you can find it by tapping the search icon on the bottom bar of the app or the right sidebar on desktop.
Reposted by Martin Sohn Christensen
The Misconfiguration Manager DETECT section has been updated with fresh guidance to help defensive operators spot the most prolific attack techniques.
Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F
Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F
Misconfiguration Manager: Detection Updates
TL;DR: The Misconfiguration Manager DETECT section has been updated with relevant guidance to help defensive operators identify the most…
ghst.ly
December 16, 2024 at 4:08 PM
The Misconfiguration Manager DETECT section has been updated with fresh guidance to help defensive operators spot the most prolific attack techniques.
Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F
Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F
Reposted by Martin Sohn Christensen
It's that time of year again everybody! I want to know YOUR thoughts on Mythic! What did you like? What could be improved? What would you like to see next? Why do you or don't you use it? If you could change something, what would it be? www.surveymonkey.com/r/MythicPlan... I'm all ears :)
a woman wearing glasses says please with her hand up
ALT: a woman wearing glasses says please with her hand up
media.tenor.com
November 25, 2024 at 5:35 PM
It's that time of year again everybody! I want to know YOUR thoughts on Mythic! What did you like? What could be improved? What would you like to see next? Why do you or don't you use it? If you could change something, what would it be? www.surveymonkey.com/r/MythicPlan... I'm all ears :)
Reposted by Martin Sohn Christensen
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
November 25, 2024 at 5:31 PM
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
ShadowHound - brand new .ps1 SharpHound alternative that supports LDAP and ADWS
Outputs data in ldapsearch format that can be converted to BH JSON with BOFHound.
blog.fndsec.net/2024/11/25/s...
Outputs data in ldapsearch format that can be converted to BH JSON with BOFHound.
blog.fndsec.net/2024/11/25/s...
ShadowHound: A SharpHound Alternative Using Native PowerShell
ShadowHound is a PowerShell tool designed for mapping Active Directory environments without using known malicious binaries. It utilizes legitimate PowerShell modules for data collection through two…
blog.fndsec.net
November 25, 2024 at 12:52 PM
ShadowHound - brand new .ps1 SharpHound alternative that supports LDAP and ADWS
Outputs data in ldapsearch format that can be converted to BH JSON with BOFHound.
blog.fndsec.net/2024/11/25/s...
Outputs data in ldapsearch format that can be converted to BH JSON with BOFHound.
blog.fndsec.net/2024/11/25/s...
Reposted by Martin Sohn Christensen
Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...
Relaying Kerberos over SMB using krbrelayx
www.synacktiv.com
November 20, 2024 at 4:02 PM
Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...
DEATHcon 2024: Prevention Engineering via the RPC and LDAP Firewalls
YouTube video by Zero Networks
m.youtube.com
November 19, 2024 at 5:31 PM
PowerHuntShares is a useful tool by Scott Sutherland (_nullbind), and the v2 looks amazing. I gotta test the experimental "Share Graph".
www.netspi.com/blog/technic...
www.netspi.com/blog/technic...
Hunting SMB Shares, Again! Charts, Graphs, Passwords & LLM Magic for PowerHuntShares 2.0
Learn how to identify, understand, attack, and remediate SMB shares configured with excessive privilege in active directory environments with the help of new charts, graphs, and LLM capabilities.
www.netspi.com
November 15, 2024 at 8:45 AM
PowerHuntShares is a useful tool by Scott Sutherland (_nullbind), and the v2 looks amazing. I gotta test the experimental "Share Graph".
www.netspi.com/blog/technic...
www.netspi.com/blog/technic...
SO-CON CFP submitted! Get yours in before tomorrow's deadline.
specterops.io/so-con/
specterops.io/so-con/
November 14, 2024 at 2:22 PM
SO-CON CFP submitted! Get yours in before tomorrow's deadline.
specterops.io/so-con/
specterops.io/so-con/
Tier list of AD tiers
November 13, 2024 at 11:11 AM
Tier list of AD tiers
Join our webinar on Thurs when Jonas Knudsen, Lee Christensen, and I will present pt. 4 of "What Is Tier Zero", covering:
- MS Exchange On-Premises
- ADCS
- Insights from isolating Tier Zero with BloodHound Enterprise customers
Watch live or register for on-demand at ghst.ly/4eSssxL
- MS Exchange On-Premises
- ADCS
- Insights from isolating Tier Zero with BloodHound Enterprise customers
Watch live or register for on-demand at ghst.ly/4eSssxL
Welcome! You are invited to join a webinar: Defining the Undefined: What is Tier Zero, Part 4. After registering, you will receive a confirmation email about joining the webinar.
In this webinar we continue to define Tier Zero with another deep dive into the intricate world of critical identities and resources across Active Directory and Azure. This discussion covers:
- Insig...
ghst.ly
November 11, 2024 at 1:56 PM
Join our webinar on Thurs when Jonas Knudsen, Lee Christensen, and I will present pt. 4 of "What Is Tier Zero", covering:
- MS Exchange On-Premises
- ADCS
- Insights from isolating Tier Zero with BloodHound Enterprise customers
Watch live or register for on-demand at ghst.ly/4eSssxL
- MS Exchange On-Premises
- ADCS
- Insights from isolating Tier Zero with BloodHound Enterprise customers
Watch live or register for on-demand at ghst.ly/4eSssxL