Ryan Cobb (@cobbr_io)'s Twitter Profile
Ryan Cobb

@cobbr_io

Red Teamer | Hobbyist Software Developer | Operator @SpecterOps

Developer: Covenant, SharpSploit, PSAmsi

ID: 225249135

11-12-2010 03:05:15

895 Tweets

11,11K Followers

480 Following

Daniel Heinsen (@hotnops)

It's alive! Apeman is a graph-based tool to model AWS IAM permissions. This marks the start of a new journey to methodically identify and remediate IAM attack paths, and I look forward to learning together with y'all. github.com/hotnops/apeman

Duane Michael (@subat0mik)

No weekend plans? Daydreaming of attacking SCCM? We're offering access to our Offensive SCCM DEF CON workshop to the first 30 people who DM me. The workshop will be accessible till Wednesday. Please don't claim it if you don't plan on using it. Chris Thompson Garrett Foster

Chris Thompson (@_mayyhem)

Just wrapped up DEF CON Demo Labs and published Maestro, a new tool for lateral movement with Intune from C2. Thanks to everyone who came to check it out! I'll be posting a blog and wiki with more info soon, but here's the code and link to today's slides: github.com/Mayyhem/Maestro

Duane Michael (@subat0mik)

I wrote a blog post about some of the intangible benefits of working as a red team operator and adversary simulation consultant at SpecterOps. It's pretty awesome here. And we're hiring! posts.specterops.io/life-at-specte…

Steven (@0xthirteen)

I’ve always thought Seatbelt was a great situational awareness tool, I created a python implementation of it. Due to the nature of how I expect it to run, it only implements the remote modules, but I hope someone finds it useful. github.com/0xthirteen/Car…

Jared Atkinson (@jaredcatkinson)

In part 15 of my On Detection series I dig into the different types of API functions that I’ve encountered in my journey to categorize and understand adversary tradecraft. posts.specterops.io/part-15-functi…

SpecterOps (@specterops)

BIG NEWS: SpecterOps raises $75M Series B to strengthen identity security! Led by @InsightPartners with @AnsaCapital, M12 - Microsoft's Venture Fund, Ballistic Ventures, Decibel, and Cisco Investments. ghst.ly/seriesb #IdentitySecurity #CyberSecurity (1/6)

SpecterOps (@specterops)

Think NTLM relay is a solved problem? Think again. Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31

SpecterOps (@specterops)

Big updates are coming to BloodHound! Join our webinar July 31 to hear from Justin Kohler, Stephen Hinck (he/him), Andy Robbins & Jared Atkinson on some of the new features the team is rolling out. Register ▶️ ghst.ly/july-web-tw

SpecterOps (@specterops)

BloodHound v8.0 is here! 🎉 This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID. Read more from Justin Kohler: ghst.ly/bloodhoundv8 🧵: 1/7

Chris Thompson (@_mayyhem)

I'm SO hyped to finally make MSSQLHound public! It's a new BloodHound collector that adds 37 new edges and 7 new nodes for MSSQL attack paths using the new OpenGraph feature for 8.0! Let me know what you find with it! - github.com/SpecterOps/MSS… - specterops.io/blog/2025/07/2…

Dave Cossa (@g0ldengunsec)

New BH OpenGraph stuff is pretty cool, threw together a super basic PoC to map attack paths through SCCM this afternoon using data pulled from the site DB:

SpecterOps (@specterops)

MSSQLHound leverages BloodHound's OpenGraph to visualize MSSQL attack paths with 7 new nodes & 37 new edges, all without touching the SharpHound & BloodHound codebases. Chris Thompson unpacks this new feature in his blog post. 👇 ghst.ly/4leRFFn

Chris Thompson (@_mayyhem)

This post about MSSQLHound, a PowerShell collector that adds 7 new nodes and 37 new edges to BloodHound, details my experience and lessons learned designing and implementing the tool using OpenGraph and provides examples of how to research and discover MSSQL attack paths.

SpecterOps (@specterops)

👋 Say hello to Nemesis 2.0, a streamlined, Docker Compose-based platform that is laser-focused on file triage. After introducing v1 two years ago, the team has reworked the platform to better serve what people need from it. Read more from Will Schroeder. ⤵️ ghst.ly/4mxQzFU

Steven (@0xthirteen)

I wanted to find out if you could start the WebClient service remotely, so I ended up digging into it specterops.io/blog/2025/08/1…

SpecterOps (@specterops)

Credential Guard was supposed to end credential dumping. It didn't. Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm

Rémi GASCOU (Podalirius) (@podalirius_)

I have released an OpenGraph collector for network shares and my first blogpost at SpecterOps on the subject! You can now visualize attack paths to network shares in BloodHound 👀 specterops.io/blog/2025/10/3…

Max Harley (@0xdab0)

HEY EVERYONE. THE BLOG POST IS OUT. I put an LLM in an AMSI provider and some cool stuff came out. Really excited to finally have this released.

SpecterOps (@specterops)

SCOM monitors critical systems, but insecure defaults make it a powerful attack vector. At #BHEU, Garrett & Matt Johnson show how to abuse SCOM for credential theft, lateral movement, and domain escalation, plus how to defend it. ghst.ly/4aoggph
