SpecterOps

The #SOCON2026 agenda is live! 🎉 Explore talks, topics, & speakers across the Tradecraft, OpenGraph, & new Practice Track, focused on turning Attack Path Management into an operational discipline. Check out the agenda & plan your experience: ghst.ly/socon26-tw 🧵: 1/4

LIMIT statements are optional, but recommended for queries that may return many objects. LIMIT 1000 is the default, but using LIMIT 10 or 100 helps quickly check if your query returns results. 🧵: 5/5

RETURN statements can return any variable declared in the query. In the above example, that includes p (variable representing the whole relationship), a (just the User accounts), or b (just the computers). 🧵: 4/5

Happy #BloodHoundBasics day from @Sec_Distilled! Having trouble getting started w/ Cypher queries? Here's a quick intro to get you going: Start w/ a MATCH statement, use a WHERE clause to refine, & RETURN your data (don't forget a LIMIT statement, just in case). Query in 🧵⤵️

What if the attack paths you’re missing are outside your core identity stack? 🤔 Join @JustinKohler10 & @jaredcatkinson March 31 to see how BloodHound Enterprise now maps risk across Okta, GitHub, and Mac environments. Save your spot! ghst.ly/4bFEnir

Supply chain attacks propagate through relationships. Shai-Hulud 2.0 proved it. @c0kernel breaks down the worm used in the attack as an attack graph & introduces NPMHound, which can be used to model NPM dependencies in BloodHound. Read for more! ⤵️ ghst.ly/4smZVqE

What do hundreds of incident response engagements reveal? Identity is the battleground. ⚔️ Steve Elovitz from @Unit42_Intel joins #KnowYourAdversary to break down how attacks unfold, from phishing to privilege escalation to SaaS expansion. 🎧: ghst.ly/4uFeMie

GitHub isn’t just a code platform anymore. It’s a security boundary. New from @jaredcatkinson: how GitHub creates real attack paths into repos, secrets, CI/CD, and even cloud environments. Read more: ghst.ly/4cU3QHd

Tune in now! 🎙️ @JustinKohler10 & @_Mayyhem are on with @_JohnHammond talking about BloodHound OpenGraph.

You can also catch @JustinKohler10 this morning on @_JohnHammond’s live stream chatting all things BloodHound OpenGraph. Tune in on John’s channels at 10:30AM ET / 7:30AM PT. 🧵: 3/3

Want to learn more? Find us at Booth N-6277 at #RSAC to chat with the team about BloodHound OpenGraph and these new extensions! 🧵: 2/3

BloodHound Enterprise is expanding. New OpenGraph extensions now uncover identity attack paths across Okta, GitHub, and Jamf-managed macOS—connecting identities, repositories, and endpoints across hybrid environments. ghst.ly/3N7X7yY 🧵: 1/3

Get a jump start and check out @_JohnHammond's stream from today where he explored the functionality of BloodHound OpenGraph! 👀: ghst.ly/4bi2BjW (2/2)

Don't miss this: @JustinKohler10 will join @_JohnHammond live to talk all things BloodHound OpenGraph—what it is, why it matters, and what’s coming next. 🔴 Tune in live TOMORROW at 10:30AM ET / 7:30AM PT! (1/2)

Heading to #RSAC next week? 🧳 Stop by booth N-6277 for live BloodHound demos and see how teams are eliminating identity-based attack paths. Our exec team will also be on-site to chat. Book your meeting ➡️ ghst.ly/3NezMLJ

Here are the instructions for creating a gMSA for your SharpHound collector: ghst.ly/4ur3mhN 🧵: 5/5

Combined w/ other hardening strategies such as the Protected Users group (enforces stricter auth & doesn't store credentials locally), & disabling outbound NTLM (prevents machines from sending NTLM credentials to other systems). This is just good security hygiene. 🧵: 4/5

Happy #BloodHoundBasics day from @psionicjake! Why do we recommend a Group Managed Service Account for SharpHound? Security. When you use a gMSA as a service principal for running SharpHound, Windows manages the p/w for the account. Not an admin. 🧵: 1/5