Andy Robbins

I'm on Bluesky here: bsky.app/profile/andyro…

My SCCM BloodHound OpenGraph collector, ConfigManBearPig, is finally ready to share! It can enumerate all of the relay TAKEOVERs and a few CRED and ELEVATE techniques from Misconfiguration Manager with just a domain account. Let me know what you find! specterops.io/blog/2026/01/1…

Stack spoofing isn’t dead. Hear from @klezvirus at #BHEU on how modern detection still breaks, and unveils the first CET-compliant stack spoofing framework. Learn more ➡️ ghst.ly/4izmuou

See you all next week...excited to present with @breakfix at #BHEU! 💣

SCOM monitors critical systems, but insecure defaults make it a powerful attack vector. At #BHEU, @unsigned_sh0rt & @breakfix show how to abuse SCOM for credential theft, lateral movement, and domain escalation, plus how to defend it. ghst.ly/4aoggph

Just in time for the holidays, I wanted to share something that a lot of people have asked for: youtube.com/playlist?list=… Short videos about Mythic development and customizations. This is just the start - I'll release a survey soon that'll get feedback for the next batch :)

Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm

In this post @_wald0 introduces PingOneHound, a BloodHound OpenGraph extension that allows users to visualize, audit, and remediate attack paths in their PingOne environment. The blog post also serves as an introduction to the PingOne architecture. specterops.io/blog/2025/10/2…

BloodHound isn't just for Active Directory anymore. 🤯 @SadProcessor dives into the BloodHound OpenGraph functionality & demonstrates the new PowerShell cmdlets added to the BloodHound Operator module to work with the OpenGraph feature. ghst.ly/4peTTrB

ICYMI: BloodHound OpenGraph, introduced with BloodHound v8.0, allows you to map attack paths across your entire tech stack. @JustinKohler10 & @_wald0 recently joined @_JohnHammond to discuss the new feature and share a demo. Watch the conversation 👉 ghst.ly/4fNZLDM

@techspence @SwiftOnSecurity NAT

What security control do you think is the most underrated… and why?

🚨 New #BloodHound shirt alert 🚨 ✅ - Unisex and ladies sizes available ✅ - Cool design :) ✅ - ALL profits go to charity: Hope for HIE, which supports families suffering the effects of hypoxic ischemic encephalopathy Get your shirt here: ghst.ly/bh8-tshirt

We are back with our BloodHound t-shirt fundraiser! 🙌 Grab your BloodHound 8.0 shirt today. All funds raised will go directly to @HopeforHIE, the global voice for families affected by Hypoxic Ischemic Encephalopathy. 👕: ghst.ly/bh8-tshirt

Check out my new blog on nested app authentication and brokered authentication.

Dear fellow pentesters & red teamers, How often do you run into a vCenter in your client’s environment? 🖥️ I just built one for vCenter - meet vCenterHound 🐾😉 This is just the beginning… more collectors and surprises are on the way. #Pentesting #RedTeam #BloodHound #vCenter

This post about MSSQLHound, a PowerShell collector that adds 7 new nodes and 37 new edges to BloodHound, details my experience and lessons learned designing and implementing the tool using OpenGraph and provides examples of how to research and discover MSSQL attack paths.

MSSQL support just landed in BloodHound! You can now map out how attackers might use SQL servers to move laterally. This is incredibly useful in hybrid and legacy heavy environments. Let us know what you find. Learn more ➡️ ghst.ly/MSSQLHound

MSSQLHound leverages BloodHound's OpenGraph to visualize MSSQL attack paths with 7 new nodes & 37 new edges, all without touching the SharpHound & BloodHound codebases. @_Mayyhem unpacks this new feature in his blog post. 👇 ghst.ly/4leRFFn

More on BH OpenGraph: Ran into some issues when attempting to map objects collected with partial info back to existing BH objects. Built out a small tool that allows for connecting objects in a more flexible manner: github.com/G0ldenGunSec/O…

In this blog post I explain the fundamental building blocks, vocabulary, and principles of attack graph design for BloodHound: specterops.io/blog/2025/08/0…

Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass. @hotnops explores cross-domain compromise tradecraft within the same tenant. Read more ⤵️ ghst.ly/3ISMGN9