SpecterOps
@specterops.io
Creators of BloodHound | Experts in Adversary Tradecraft | Leaders in Identity Attack Path Management
Pinned
SpecterOps
@specterops.io
· Dec 11
We’re excited to announce Kevin Mandia as the keynote speaker for #SOCON2026! 🎉
His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.
Secure your spot ➡️ ghst.ly/socon26-bsky
His keynote will focus on how the threat landscape has evolved in the face of modern adversary tradecraft.
Secure your spot ➡️ ghst.ly/socon26-bsky
Ghostwriter v6.1 includes a full-featured integration w/ BloodHound Community Edition & Enterprise.
Next week, Christopher Maddalena & Stephen Hinck will discuss the integration, improved collab tools, & what the release means for assessment workflows.
Register ➡️ ghst.ly/jan26-web-bsky
Next week, Christopher Maddalena & Stephen Hinck will discuss the integration, improved collab tools, & what the release means for assessment workflows.
Register ➡️ ghst.ly/jan26-web-bsky
January 13, 2026 at 12:15 AM
Ghostwriter v6.1 includes a full-featured integration w/ BloodHound Community Edition & Enterprise.
Next week, Christopher Maddalena & Stephen Hinck will discuss the integration, improved collab tools, & what the release means for assessment workflows.
Register ➡️ ghst.ly/jan26-web-bsky
Next week, Christopher Maddalena & Stephen Hinck will discuss the integration, improved collab tools, & what the release means for assessment workflows.
Register ➡️ ghst.ly/jan26-web-bsky
It's #BloodHoundBasics day w/ @jonas-bk.bsky.social!
Want to connect w/ other BloodHound users, or the folks building BloodHound?
Join the community Slack 👉 slack.specterops.io
Dedicated channels for:
• Active Directory
• Red Teaming
• SCCM
• Detection
...and more
Come hang with us!
Want to connect w/ other BloodHound users, or the folks building BloodHound?
Join the community Slack 👉 slack.specterops.io
Dedicated channels for:
• Active Directory
• Red Teaming
• SCCM
• Detection
...and more
Come hang with us!
January 9, 2026 at 9:43 PM
It's #BloodHoundBasics day w/ @jonas-bk.bsky.social!
Want to connect w/ other BloodHound users, or the folks building BloodHound?
Join the community Slack 👉 slack.specterops.io
Dedicated channels for:
• Active Directory
• Red Teaming
• SCCM
• Detection
...and more
Come hang with us!
Want to connect w/ other BloodHound users, or the folks building BloodHound?
Join the community Slack 👉 slack.specterops.io
Dedicated channels for:
• Active Directory
• Red Teaming
• SCCM
• Detection
...and more
Come hang with us!
ICYMI: Jared Atkinson recently joined Risky Biz to unpack how BloodHound OpenGraph exposes cross-platform identity attack paths, showing how misconfigurations and permissions chain together across directories, SaaS, & cloud services.
🎧: ghst.ly/4aSxrPY
🎧: ghst.ly/4aSxrPY
January 7, 2026 at 2:33 PM
ICYMI: Jared Atkinson recently joined Risky Biz to unpack how BloodHound OpenGraph exposes cross-platform identity attack paths, showing how misconfigurations and permissions chain together across directories, SaaS, & cloud services.
🎧: ghst.ly/4aSxrPY
🎧: ghst.ly/4aSxrPY
December 26, 2025 at 7:00 PM
BloodHound Cypher query used:
MATCH p=(g:Base)-[:Owns|OwnsLimitedRights]->(:Base)
WHERE NOT g.objectid =~ "-(512|519|544)"
RETURN p
LIMIT 1000
🧵: 3/4
MATCH p=(g:Base)-[:Owns|OwnsLimitedRights]->(:Base)
WHERE NOT g.objectid =~ "-(512|519|544)"
RETURN p
LIMIT 1000
🧵: 3/4
December 26, 2025 at 7:00 PM
BloodHound Cypher query used:
MATCH p=(g:Base)-[:Owns|OwnsLimitedRights]->(:Base)
WHERE NOT g.objectid =~ "-(512|519|544)"
RETURN p
LIMIT 1000
🧵: 3/4
MATCH p=(g:Base)-[:Owns|OwnsLimitedRights]->(:Base)
WHERE NOT g.objectid =~ "-(512|519|544)"
RETURN p
LIMIT 1000
🧵: 3/4
You can find unexpected owners with BloodHound's "Owns" edge, for example:
➡️ Domain join (ex. SCCM) service account
➡️ Past admin accounts
➡️ Intune connector service accounts
🧵: 2/4
➡️ Domain join (ex. SCCM) service account
➡️ Past admin accounts
➡️ Intune connector service accounts
🧵: 2/4
December 26, 2025 at 7:00 PM
You can find unexpected owners with BloodHound's "Owns" edge, for example:
➡️ Domain join (ex. SCCM) service account
➡️ Past admin accounts
➡️ Intune connector service accounts
🧵: 2/4
➡️ Domain join (ex. SCCM) service account
➡️ Past admin accounts
➡️ Intune connector service accounts
🧵: 2/4
A very merry #BloodHoundBasics, courtesy of @martinsohn.dk!
In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.
🧵: 1/4
In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.
🧵: 1/4
December 26, 2025 at 7:00 PM
A very merry #BloodHoundBasics, courtesy of @martinsohn.dk!
In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.
🧵: 1/4
In Active Directory, the creator of an object (user, computer, group, ...) becomes the object's owner.
What can an owner do? By default, the owner can compromise the created object.
🧵: 1/4
We’re closing out 2025 and looking forward to what’s next.
Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.
Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.
Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
December 24, 2025 at 2:19 AM
We’re closing out 2025 and looking forward to what’s next.
Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.
Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
Join us in the new year for the Ghostwriter v6.1 webinar, and save your spot now for #SOCON2026, where the community comes together to advance APM.
Webinar 👉 ghst.ly/jan26-web-bsky
SO-CON 👉 ghst.ly/socon26-bsky
“Deception is a good lie.”
When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
Mapping Deception with BloodHound OpenGraph - SpecterOps
Explore how to design and visualize high-fidelity cyber deception using BloodHound OpenGraph to map realistic attack paths across Active Directory and third-party technologies. Learn practical techniques, tools, and real-world examples for deploying believable deceptions that improve detection, context, and defender advantage.
ghst.ly
December 23, 2025 at 10:07 PM
“Deception is a good lie.”
When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
When there’s no legitimate use for deception artifacts, interaction becomes high-fidelity signal. In his latest post, Ben Schroeder explains how BloodHound OpenGraph helps defenders plan & implement effective deception. ghst.ly/4b1nu2P
Credential Guard was meant to end credential dumping. Nearly a decade later, Valdemar Carøe tested what’s actually possible.
Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.
➡️ ghst.ly/cred-eoybsky
Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.
➡️ ghst.ly/cred-eoybsky
December 22, 2025 at 7:54 PM
Credential Guard was meant to end credential dumping. Nearly a decade later, Valdemar Carøe tested what’s actually possible.
Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.
➡️ ghst.ly/cred-eoybsky
Check out his blog post detailing new credential dumping techniques that work on fully patched Windows 11 & Server 2025 systems.
➡️ ghst.ly/cred-eoybsky
Have questions or feedback on these, or any of our other open source projects?
Join the BloodHound Gang Slack Community and chat directly with the creators: slack.specterops.io
🧵: 5/5
Join the BloodHound Gang Slack Community and chat directly with the creators: slack.specterops.io
🧵: 5/5
December 19, 2025 at 10:35 PM
Have questions or feedback on these, or any of our other open source projects?
Join the BloodHound Gang Slack Community and chat directly with the creators: slack.specterops.io
🧵: 5/5
Join the BloodHound Gang Slack Community and chat directly with the creators: slack.specterops.io
🧵: 5/5
Want to see Ghostwriter v6.1 in action?
Join @printingprops.com & Stephen Hinck in the new year for our webinar on how teams can quickly configure and consume BloodHound data, and how v6.1’s collaboration enhancements streamline assessment writing.
👉 ghst.ly/jan26-web-bsky
🧵: 4/5
Join @printingprops.com & Stephen Hinck in the new year for our webinar on how teams can quickly configure and consume BloodHound data, and how v6.1’s collaboration enhancements streamline assessment writing.
👉 ghst.ly/jan26-web-bsky
🧵: 4/5
December 19, 2025 at 10:35 PM
Want to see Ghostwriter v6.1 in action?
Join @printingprops.com & Stephen Hinck in the new year for our webinar on how teams can quickly configure and consume BloodHound data, and how v6.1’s collaboration enhancements streamline assessment writing.
👉 ghst.ly/jan26-web-bsky
🧵: 4/5
Join @printingprops.com & Stephen Hinck in the new year for our webinar on how teams can quickly configure and consume BloodHound data, and how v6.1’s collaboration enhancements streamline assessment writing.
👉 ghst.ly/jan26-web-bsky
🧵: 4/5
We also continued applying community feedback to evolve Ghostwriter.
Ghostwriter v6.1 includes full BloodHound integration & powerful collaboration features designed for real-world team workflows.
@printingprops.com shared the deets 👉 ghst.ly/ghst61-eoybsky
🧵: 3/5
Ghostwriter v6.1 includes full BloodHound integration & powerful collaboration features designed for real-world team workflows.
@printingprops.com shared the deets 👉 ghst.ly/ghst61-eoybsky
🧵: 3/5
December 19, 2025 at 10:35 PM
We also continued applying community feedback to evolve Ghostwriter.
Ghostwriter v6.1 includes full BloodHound integration & powerful collaboration features designed for real-world team workflows.
@printingprops.com shared the deets 👉 ghst.ly/ghst61-eoybsky
🧵: 3/5
Ghostwriter v6.1 includes full BloodHound integration & powerful collaboration features designed for real-world team workflows.
@printingprops.com shared the deets 👉 ghst.ly/ghst61-eoybsky
🧵: 3/5
This year, we released two Mythic video series, hosted by @its-a-feature.bsky.social, to share tips, tricks, and features with operators and developers.
🧠 Mythic Operator Series: ghst.ly/mythic-op
🛠️ Mythic for Developers: ghst.ly/mythic-dev
🧵: 2/5
🧠 Mythic Operator Series: ghst.ly/mythic-op
🛠️ Mythic for Developers: ghst.ly/mythic-dev
🧵: 2/5
December 19, 2025 at 10:35 PM
This year, we released two Mythic video series, hosted by @its-a-feature.bsky.social, to share tips, tricks, and features with operators and developers.
🧠 Mythic Operator Series: ghst.ly/mythic-op
🛠️ Mythic for Developers: ghst.ly/mythic-dev
🧵: 2/5
🧠 Mythic Operator Series: ghst.ly/mythic-op
🛠️ Mythic for Developers: ghst.ly/mythic-dev
🧵: 2/5
Open source and shared research remain at the core of what we do.
In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.
🧵: 1/5
In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.
🧵: 1/5
December 19, 2025 at 10:35 PM
Open source and shared research remain at the core of what we do.
In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.
🧵: 1/5
In 2025, we worked to make adversary tradecraft more accessible, practical, and collaborative for the community.
🧵: 1/5
December 19, 2025 at 9:04 PM
On Christmas Eve at SpecterOps HQ,
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.
🧵: 1/2
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.
🧵: 1/2
December 19, 2025 at 9:04 PM
On Christmas Eve at SpecterOps HQ,
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.
🧵: 1/2
BloodHound sniffed what attackers might do.
Through graphs and paths it traced the way,
Finding weak links before Christmas Day.
With risks in sight, defenders slept tight—
BloodHound kept watch through the silent night.
🧵: 1/2
Released earlier this year, Certify 2.0 modernizes AD CS tradecraft with new capabilities and usability improvements, reflecting how much the attack landscape has changed since 1.0.
Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
December 18, 2025 at 10:08 PM
Released earlier this year, Certify 2.0 modernizes AD CS tradecraft with new capabilities and usability improvements, reflecting how much the attack landscape has changed since 1.0.
Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
Read Valdemar Carøe’s deep dive 👉 ghst.ly/cert-eoybsky
ICYMI: Our new Mythic for Developers series, hosted by @its-a-feature.bsky.social, dives into tips & tricks for creating or customizing agents and anything else related to Mythic C2.
👀 Check it out: ghst.ly/mythic-dev
👀 Check it out: ghst.ly/mythic-dev
December 18, 2025 at 5:55 PM
ICYMI: Our new Mythic for Developers series, hosted by @its-a-feature.bsky.social, dives into tips & tricks for creating or customizing agents and anything else related to Mythic C2.
👀 Check it out: ghst.ly/mythic-dev
👀 Check it out: ghst.ly/mythic-dev
#SOCON2025 featured deep dives into identity attack paths, adversary tradecraft, and modern detection challenges.
Watch the full talk playlist ➡️ ghst.ly/socon25-talks
We're looking ahead now to #SOCON2026! Register and save your spot ➡️ ghst.ly/socon26-regb...
Watch the full talk playlist ➡️ ghst.ly/socon25-talks
We're looking ahead now to #SOCON2026! Register and save your spot ➡️ ghst.ly/socon26-regb...
December 18, 2025 at 2:39 PM
#SOCON2025 featured deep dives into identity attack paths, adversary tradecraft, and modern detection challenges.
Watch the full talk playlist ➡️ ghst.ly/socon25-talks
We're looking ahead now to #SOCON2026! Register and save your spot ➡️ ghst.ly/socon26-regb...
Watch the full talk playlist ➡️ ghst.ly/socon25-talks
We're looking ahead now to #SOCON2026! Register and save your spot ➡️ ghst.ly/socon26-regb...
This year @mrmurky.bsky.social & @joeydreijer.bsky.social debuted BloodHound Quest #DEFCON33, took it to #BHEU, and turned identity attack paths into a hands-on, competitive experience.
It’s not stopping there! Experience BloodHound Quest on-site at #SOCON2026.
Register 👉 ghst.ly/socon26-eoyb...
It’s not stopping there! Experience BloodHound Quest on-site at #SOCON2026.
Register 👉 ghst.ly/socon26-eoyb...
December 16, 2025 at 9:35 PM
This year @mrmurky.bsky.social & @joeydreijer.bsky.social debuted BloodHound Quest #DEFCON33, took it to #BHEU, and turned identity attack paths into a hands-on, competitive experience.
It’s not stopping there! Experience BloodHound Quest on-site at #SOCON2026.
Register 👉 ghst.ly/socon26-eoyb...
It’s not stopping there! Experience BloodHound Quest on-site at #SOCON2026.
Register 👉 ghst.ly/socon26-eoyb...
Nemesis 2.0 wasn’t an update, it was a rebuild.
Built from real operator feedback, it strips away the noise and focuses on what matters most: fast, effective file triage.
Check out the blog post from @harmj0y.bsky.social ➡️ ghst.ly/nem2-eoybsky
Built from real operator feedback, it strips away the noise and focuses on what matters most: fast, effective file triage.
Check out the blog post from @harmj0y.bsky.social ➡️ ghst.ly/nem2-eoybsky
December 15, 2025 at 10:46 PM
Nemesis 2.0 wasn’t an update, it was a rebuild.
Built from real operator feedback, it strips away the noise and focuses on what matters most: fast, effective file triage.
Check out the blog post from @harmj0y.bsky.social ➡️ ghst.ly/nem2-eoybsky
Built from real operator feedback, it strips away the noise and focuses on what matters most: fast, effective file triage.
Check out the blog post from @harmj0y.bsky.social ➡️ ghst.ly/nem2-eoybsky
PingOneHound, created in partnership with @pingidentity.com, brought BloodHound visibility into PingOne this year, helping defenders discover and remediate identity attack paths.
Check out @andyrobbins.bsky.social's post to learn more → ghst.ly/poh-eoybsky
Check out @andyrobbins.bsky.social's post to learn more → ghst.ly/poh-eoybsky
December 12, 2025 at 11:20 PM
PingOneHound, created in partnership with @pingidentity.com, brought BloodHound visibility into PingOne this year, helping defenders discover and remediate identity attack paths.
Check out @andyrobbins.bsky.social's post to learn more → ghst.ly/poh-eoybsky
Check out @andyrobbins.bsky.social's post to learn more → ghst.ly/poh-eoybsky
Now you can evaluate who exactly is able to control your sensitive assets, whether that's servers, databases, or anything else.
Hit us up in the BloodHoundGang slack to see how you could build out your own. ➡️ slack.specterops.io
🧵: 2/2
Hit us up in the BloodHoundGang slack to see how you could build out your own. ➡️ slack.specterops.io
🧵: 2/2
December 12, 2025 at 8:17 PM
Now you can evaluate who exactly is able to control your sensitive assets, whether that's servers, databases, or anything else.
Hit us up in the BloodHoundGang slack to see how you could build out your own. ➡️ slack.specterops.io
🧵: 2/2
Hit us up in the BloodHoundGang slack to see how you could build out your own. ➡️ slack.specterops.io
🧵: 2/2
Happy #BloodHoundBasics day from Nathan Davis!
Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!
🧵: 1/2
Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!
🧵: 1/2
December 12, 2025 at 8:17 PM
Happy #BloodHoundBasics day from Nathan Davis!
Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!
🧵: 1/2
Did you know that with Privilege Zones, you can create custom Labels to organize asset groups? Better yet, Labels receive tags that can be used to build Cypher queries for fine-tuned Attack Path analysis!
🧵: 1/2