SpecterOps

Meet PingOneHound, an OpenGraph extension for BloodHound CE & Enterprise! PingOneHound enables security professionals to discover, analyze, and remediate identity-based attack paths in PingOne environments. Check out our latest blog post from Andy Robbins to learn more about the architecture and mechanics of the extension, and get started today! https://ghst.ly/3WLqlVd

Patching a technique doesn't always eliminate the threat vector. Case in point: BadSuccessor. While Microsoft addressed Yuval Gordon's original privilege escalation method, the broader dMSA abuse problem persists. Logan G. digs into why this matters for defenders, and introduces the new BadTakeover BOF and SharpSuccessor updates that demonstrate the technique's continued operational viability. If your team isn't monitoring for dMSA abuse, you've got a blind spot. Read the full breakdown and understand the lasting impact. https://ghst.ly/42POg9L

Large Language Models don't actually "think," they embed massive word patterns into matrices and predict what comes next. It's critical for anyone responsible for securing AI systems to understand this distinction. Blaise Brignac breaks down what's really happening under the hood of LLMs and why the attack surface is so challenging to defend. If you're building AI security strategies, this is essential reading for you. Read more: https://ghst.ly/497pxl0

Identity-based attack paths are central to most security breaches, but organizations still lack visibility into how attackers move from on-prem to the cloud. Join our Sales Engineering Director Ryan Bechtloff and -Derek Melber-, Strategic Advisor for Enterprise Identity at GuidePoint Security, and learn practical strategies to discover and remediate hybrid identity risks before attackers exploit them. Register at https://ghst.ly/so-gps-li

For today’s #BloodHoundBasics from Carlo Alcantara, we explore how easy it is to use OpenGraph to enrich our existing Active Directory data in BloodHound. In this example, we will add a new attribute to AD objects that have a fine grained password policy applied to them. A fine grained password policy called tierZeroPasswordPolicy (1) is currently enabled in this domain and applies to the Domain Admins group (2). Enumerate the objects that this policy applies to. The information we need is the object SID (3). The linked Gist contains a PowerShell script to gather this information and is stored in the variable $results (4). https://ghst.ly/4hpdHFa Using the OpenGraph schema reference, we’ll make the simplest example we can. All we need are the object SID (5), the kind of object to update (6), and the new property to add to the object (7). https://ghst.ly/3IQlgbb Save the JSON file and upload to BloodHound via the Quick Upload and wait a couple of minutes for the data to ingest and update. Search or query for the objects with cypher (8) that you just updated and view the new property (9).

#SOCON2026 is the only conference dedicated to Attack Path Management—where the global security community unites to push the boundaries of identity-first defense. We are currently seeking sessions on topics like: ➡️ Novel Attack Path research ➡️ BloodHound & OpenGraph use cases ➡️ Identity Provider attacks & defenses ➡️ Hybrid & Federated Attack Paths ...and more! The CFP closes November 15. Submit your talk today: https://lnkd.in/etANhhB6

Large Language Models don't actually "think," they embed massive word patterns into matrices and predict what comes next. It's critical for anyone responsible for securing AI systems to understand this distinction. Blaise Brignac breaks down what's really happening under the hood of LLMs and why the attack surface is so challenging to defend. If you're building AI security strategies, this is essential reading for you. Read more: https://ghst.ly/497pxl0

When Microsoft introduced nested application authentication (NAA) in 2024, researchers quickly identified similarities with Family of Client IDs (FOCI)—leading to the term "brokered client IDs" or BroCI. Hope Walker's new blog post documents what we know about NAA authentication flows and BroCI implementations, filling a gap in available resources. If you're researching Microsoft identity protocols or securing M365 environments, this breakdown is invaluable. Read more: https://ghst.ly/3Jdhp7Z

➡️ Defenders react after breaches ⬅️ APM shifts defense forward by continuously mapping and minimizing the identity risks attackers rely on. See how APM changes when defense happens. ⏬ Download our latest publication: https://lnkd.in/eEK2e3ed