Jonas Bülow Knudsen (@jonas_b_k)'s Twitter Profile

Manager, Research @ SpecterOps

ID: 2926704915

https://github.com/JonasBK | 17-12-2014 10:20:29

709 Tweet

1,1K Followers

424 Following

Chris Thompson (@_mayyhem)

I'm SO hyped to finally make MSSQLHound public! It's a new BloodHound collector that adds 37 new edges and 7 new nodes for MSSQL attack paths using the new OpenGraph feature for 8.0! Let me know what you find with it! - github.com/SpecterOps/MSS… - specterops.io/blog/2025/07/2…

Dave Cossa (@g0ldengunsec)

New BH OpenGraph stuff is pretty cool, threw together a super basic PoC to map attack paths through SCCM this afternoon using data pulled from the site DB:

Dirk-jan (@_dirkjan)

It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates. Also includes ESC1 over Intune (in some cases). dirkjanm.io/extending-ad-c… Oh, and a new tool for SCEP: github.com/dirkjanm/scepr…

SpecterOps (@specterops)

MSSQLHound leverages BloodHound's OpenGraph to visualize MSSQL attack paths with 7 new nodes & 37 new edges, all without touching the SharpHound & BloodHound codebases. Chris Thompson unpacks this new feature in his blog post. 👇 ghst.ly/4leRFFn

SpecterOps (@specterops)

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️ Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI

ALI TAJRAN (@alitajran)

Removing the Last Exchange Server is now FINALLY possible! A new capability in Exchange Online now allows administrators to manage Exchange attributes for directory-synchronized users with mailboxes hosted in the cloud. With this update, the Source of Authority (SOA) for

Logan Goins (@_logangoins)

I just documented a cool way to authenticate proxied tooling to LDAP in an AD environment using C2 payload auth context, without stealing any tickets or hashes! Keep tooling execution off-host and away from EDR on your Red Team assessments! specterops.io/blog/2025/08/2…

SpecterOps (@specterops)

Don't forget to grab your BloodHound 8.0 t-shirt! Everything raised from this fundraiser will support Hope for HIE ☀️, the global voice for families affected by Hypoxic Ischemic Encephalopathy. ➡️ ghst.ly/bh8-tshirt

SpecterOps (@specterops)

BloodHound isn't just for Active Directory anymore. 🤯 Walter.Legowski dives into the BloodHound OpenGraph functionality & demonstrates the new PowerShell cmdlets added to the BloodHound Operator module to work with the OpenGraph feature. ghst.ly/4peTTrB

Garrett (@unsigned_sh0rt)

knew win10 had the dsquery.dll laying around but never knew what to do with it "rundll32.exe dsquery.dll OpenQueryWindow" will pop open a console for you and you can do some light LDAP recon you can also open with win + ctrl + f probably useful for VDI/Citrix type tests

📔 Michael Grafnetter (@mgrafnetter)

The DSInternals.RpcFilters PowerShell module for Windows RPC filter management is out! Includes support for the new OpNum matching capability of Windows Server 2025. Looking forward to community feedback. github.com/MichaelGrafnet…

📔 Michael Grafnetter (@mgrafnetter)

Windows EventLog Remoting Protocol hardening using RPC filters: Block legacy MS-EVEN, restrict MS-EVEN6 to RPC over TCP/IP, and block the EvtRpcClearLog call (requires Windows Server 2025). And what is YOUR favorite RPC filter? #DSInternals

📔 Michael Grafnetter (@mgrafnetter)

Fact: Remote service and scheduled task creation bypass firewalls on DCs and Win file servers because of SMB tunnelling. Solution: Create RPC filters that block MS-SCMR and MS-TSCH over named pipes. The latter has 3 UUIDs, so blocking the atsvc pipe is more elegant. #DSInternals

SpecterOps (@specterops)

Lateral movement getting blocked by traditional methods? werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG

SpecterOps (@specterops)

The only conference dedicated to Attack Path Management is back! 3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy. 🎟️ Save 25% with early bird: specterops.io/so-con

SpecterOps (@specterops)

Certificate-based privilege escalation vulnerabilities are the attack vector enterprises keep overlooking. Join Emily Leidy at #BSidesNYC on Oct. 18 to learn a structured approach to ADCS remediation using attack path analysis and BloodHound Enterprise. ghst.ly/3J0BxKt

SpecterOps (@specterops)

EPA can shut down NTLM relay attacks, but there's no public way to enumerate enforcement across protocols like MSSQL & HTTP. The solution? RelayInformer. Join Nick Powers & Matt Creel on Oct. 30 as they discuss the tool & their research: ghst.ly/web-oct-tw

SpecterOps (@specterops)

Credential Guard was supposed to end credential dumping. It didn't. Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm