Garrett (@unsigned_sh0rt)'s Twitter Profile
Garrett

@unsigned_sh0rt

Research at @SpecterOps

ID: 66246248

https://unsigned-sh0rt.net

17-08-2009 01:51:56

1.1K Tweets

1.1K Followers

632 Following

Garrett (@unsigned_sh0rt)

Excited! Come grab some stickers...the update includes a new "relay" module to support TAKEOVER-5. No more using a 2 year old pull-request that hasn't been merged yet.

Logan Goins (@_logangoins)

Made some changes to SoaPy to allow ADWS recon to be ingested into Matt Creel 's BOFHound offline for upload to BloodHound. A blog detailing an operational perspective of ADWS collection from Linux with BloodHound is coming soon. For now, the changes are here: github.com/logangoins/Soa…

Garrett (@unsigned_sh0rt)

anyone else put on headphones and forget to turn on music for a few hours? just been sitting here listening to the soothing tones of tinnitus

Logan Goins (@_logangoins)

My first SpecterOps blog! Ever wanted to collect Active Directory information from LDAP for a Red Team? Using LDAP's more OPSEC-considerate cousin: ADWS can be used to improve upon the already present advantages of using smaller-scaling LDAP queries. specterops.io/blog/2025/07/2…

SpecterOps (@specterops)

BloodHound v8.0 is here! 🎉 This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID. Read more from Justin Kohler: ghst.ly/bloodhoundv8 🧵: 1/7

Chris Thompson (@_mayyhem)

I'm SO hyped to finally make MSSQLHound public! It's a new BloodHound collector that adds 37 new edges and 7 new nodes for MSSQL attack paths using the new OpenGraph feature for 8.0! Let me know what you find with it! - github.com/SpecterOps/MSS… - specterops.io/blog/2025/07/2…

Daniel (@0x64616e)

A colleague of mine used this today to escalate from MSSQL sysadmin to local admin on the underlying server. Much nicer than getting a potato past the EDR.

SpecterOps (@specterops)

Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass. Daniel Heinsen explores cross-domain compromise tradecraft within the same tenant. Read more ⤵️ ghst.ly/3ISMGN9

SpecterOps (@specterops)

Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍 Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA

Dave Cossa (@g0ldengunsec)

More on BH OpenGraph: Ran into some issues when attempting to map objects collected with partial info back to existing BH objects. Built out a small tool that allows for connecting objects in a more flexible manner: github.com/G0ldenGunSec/O…

SpecterOps (@specterops)

MSSQLHound leverages BloodHound's OpenGraph to visualize MSSQL attack paths with 7 new nodes & 37 new edges, all without touching the SharpHound & BloodHound codebases. Chris Thompson unpacks this new feature in his blog post. 👇 ghst.ly/4leRFFn

Garrett (@unsigned_sh0rt)

Dry runs for my talk consistently hitting 37-39 minutes. Which means I'll be done in 22 when I'm on stage due to stress alone 😂

Garrett (@unsigned_sh0rt)

I pushed updates to SCCMHunter as part of my Arsenal demo at #BHUSA today! New features include a relay module for TAKEOVER-5 and a community contribution to coerce client push from a *nix host for ELEVATE-2. github.com/garrettfoster1….

Garrett (@unsigned_sh0rt)

WSFC misconfigurations can turn your domain into one big fustercluck. I'm sharing fustercluck today as part of my #BHUSA presentation. The README summarizes the issues and a detailed blog is coming soon. github.com/garrettfoster1…

Dirk-jan (@_dirkjan)

Good article from Bleeping Computer about the Exchange hybrid tradecraft I dropped at Black Hat yesterday, with some of my comments on the techniques: bleepingcomputer.com/news/security/…