SpecterOps
@specterops.io
Creators of BloodHound | Experts in Adversary Tradecraft | Leaders in Identity Attack Path Management
specterops.io
The only conference dedicated to Attack Path Management is back!

3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy.

🎟️ Save 25% with early bird: specterops.io/so-con
specterops.io
Celebrating #BloodHoundBasics day w/ Nathan Davis!

DYK: Risk calculation in BHE findings can be based on different values—some use Exposure (inbound control), others Impact (outbound). Hover over a finding in the Attack Paths page to see which applies.
specterops.io
The CFP for #SOCON2026 is OPEN! 🙌

Have you been working on something interesting in Attack Path Management or identity-first defense? Join us in Arlington, VA (April 13–14) and share your work with the community.

Submit your talk by Nov. 15 → ghst.ly/socon26-cfp
specterops.io
Your strongest platform is only as secure as its weakest dependency. And you probably don't know what those are.

Jared Atkinson dives into the Clean Source Principle, hidden trust relationships, & why BloodHound OpenGraph changes the game. ghst.ly/4pYTtFU
The Clean Source Principle and the Future of Identity Security - SpecterOps
TL;DR Modern identity systems are deeply interconnected, and every weak dependency creates an attack path — no matter how strong any single platform appears. The Clean Source Principle and BloodHound ...
specterops.io
Possession of that password enables authentication as the GMSA, and potentially allows for further attack paths depending on the privileges held by the GMSA.

Read more about this edge here: ghst.ly/42lMeho

🧵: 3/3
ReadGMSAPassword - SpecterOps
This privilege allows you to read the password for a Group Managed Service Account (GMSA).
specterops.io
The ReadGMSAPassword edge indicates that a principal can request the account's current password from a Domain Controller.

🧵: 2/3
specterops.io
It's another #BloodHoundBasics day with @andyrobbins.bsky.social!

Today we are highlighting the ReadGMSAPassword edge.

A GMSA is an Active Directory object. GMSA stands for Group-Managed Service Account - a great solution from Microsoft that we recommend organizations use!

🧵: 1/3
specterops.io
Red teams slip past detection. Defenders adapt. The cycle continues. 🔄

John Wotton's latest on AI gated loaders shows how offensive operators are using LLMs to make shellcode execution context-aware, executing only when OPSEC policies are met. ghst.ly/4nvxsgh
AI Gated Loader: Teaching Code to Decide Before It Acts - SpecterOps
My eyes and ears when I cannot be there, AI gated loaders inspect the victim machine and wait for the right moment to execute.
specterops.io
Lateral movement getting blocked by traditional methods?

@werdhaihai.bsky.social just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG
DCOM Again: Installing Trouble - SpecterOps
DCOM lateral movement BOF using Windows Installer (MSI) Custom Action Server - install ODBC drivers to load and execute DLLs
specterops.io
6️⃣ Give the query a Name (and a description if you want) and click Save.

🧵: 5/5
specterops.io
5️⃣ Your instance of BH will open and the query will run automatically. You can now click on Save.

🧵: 4/5
specterops.io
3️⃣ Enter your instance's URL
4️⃣ Click on Play/Your URL

🧵: 3/5
specterops.io
1️⃣ Head to queries.specterops.io
2️⃣ Click on Run Query

🧵: 2/5
specterops.io
Happy #BloodHoundBasics Day from @scoubi.bsky.social!

By now, you've probably heard about our Query Library. But did you know you can run any query in your own instance of BHE/BHCE and then save the query to your Personal Library?

Follow the steps threaded below!

🧵: 1/5
specterops.io
It's time to change how you think about SaaS integrations.

The Salesloft attack shows how GitHub → AWS → Drift → Salesforce created an attack highway defenders never saw coming.

Jared Atkinson's analysis details the patterns we should look out for. ghst.ly/4ngDQrD
The Salesloft–Drift Breach: An Attack Path Case Study - SpecterOps
This post analyzes the Salesloft–Drift incident through an attack path lens, showing how violations of the clean source principle, identities in transit, and hidden hybrid paths combined to turn a sin...
specterops.io
Learn to detect adversary TTPs through behavioral analysis, not just malware signatures. Our Detection course at Specter Bash teaches you to engineer detections based on attacker tactics and techniques.

Register & save your spot ➡️ ghst.ly/specter-bash-2025
specterops.io
🎙️ NEW PODCAST: #KnowYourAdversary

Jared Atkinson & Justin Kohler explore identity security from the attacker's perspective. Real stories, real tactics, real insights.

Check out our first three episodes now 👉 ghst.ly/kya-podcast
specterops.io
Which organization-specific attack paths exist in your infrastructure? Are you assessing risk w/ them in mind?

ManagerOfHound.ps1 is open-source on GitHub: ghst.ly/46A5usH

Discover more BloodHound OpenGraph extensions: ghst.ly/4mt0r34

🧵 6/6
specterops.io
The JSON can then be ingested by BloodHound CE & Enterprise. Security teams can now search for organization-specific attack paths involving ManagerOf, for example, validating that no subordinate is a higher tier than their manager.

🧵 5/6
specterops.io
Vibe-coding a collector (ManagerOfHound.ps1) that will:

✅ Get User objects with managers
✅ Get the manager User objects
✅ Create an OpenGraph JSON structure with the ManagerOf edge

🧵 4/6
specterops.io
We create this attack graph model in arrows.app

@andyrobbins.bsky.social has written extensively about model design: ghst.ly/46tAkmO

A shorter version is in the BloodHound OpenGraph docs: ghst.ly/48vo0EW

🧵 3/6
specterops.io
First, some background: the customer has a portal where managers can reset passwords of their subordinates. In Active Directory, a subordinate's 'Manager' attribute is populated with the manager's 'DistinguishedName' attribute.

🧵 2/6
specterops.io
New #BloodHoundBasics post from @martinsohn.dk ‼️

Today is a demo of how BloodHound's #OpenGraph helped a customer build ManagerOfHound.ps1 - going from attack path concept to a custom "ManagerOf" edge in BloodHound. Can it fit in a thread? Let's see...

🧵 1/6
specterops.io
Win32_Process has been the go-to WMI class for remote command execution for years.

Steven Flores explores a new WMI class that functions like Win32_Process and offers further capability. Read more: ghst.ly/4gyPbkr
More Fun With WMI - SpecterOps
TL;DR Win32_Process has been the go-to WMI class for remote command execution for years. In this post we will cover a new WMI class that functions like Win32_Process and offers further capability From...
specterops.io
Last call! Our #military to #cybersecurity webinar is tomorrow, and there's still time to save your spot.

Get the real playbook from #veterans on our team:
✅ Resume strategies that work
✅ Application timing
✅ Consultant life insights

Don't miss out 👉 ghst.ly/sep-web-bsky