Raj Patel

60 posts

@GrayHatKiller

Adversary Simulation @SpecterOps

Columbus, OH · Joined July 2015
242 Following · 206 Followers
Raj Patel retweeted
SpecterOps (@SpecterOps):
MSSQL has always been a favorite target. Now it ships its own egress channel. @gershsec's latest research breaks down how SQL Server 2025's native AI features enable exfil, NTLM coercion, and C2 transport, all functioning as intended. Read more 👇 ghst.ly/4e2L3JX
Raj Patel retweeted
SpecterOps (@SpecterOps):
U2U powers UnPAC-the-Hash and chains into Shadow Credentials and ADCS ESC attacks, but most resources skip the “how.” @GrayHatKiller breaks down Kerberos U2U auth from the RFC to Windows’ divergences—and why modern attacks rely on it. ghst.ly/4egy4TT
Raj Patel (@GrayHatKiller):
Check out my blog which deep dives into Kerberos U2U authentication, with packet-level breakdowns of UnPAC-the-Hash and RDP with NLA specterops.io/blog/2026/06/0…
Raj Patel retweeted
Alex Neff (@al3x_n3ff):
SPN-less RBCD with NetExec🔥 While classic RBCD requires a computer account, you can use U2U authentication to perform RBCD with a normal user account, if a computer account is not available. Thanks to @azoxlpf, you can now perform this attack with NetExec as well🚀
Raj Patel retweeted
Matt Creel (@Tw1sm):
Vibed up a quick tool to visualize and stack significant red/blue events that occurred during an assessment. Have always liked including a high-level visual like this in debriefs but made them by hand in the past using something like draw[.]io
Raj Patel retweeted
SpecterOps (@SpecterOps):
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma
Raj Patel retweeted
SpecterOps (@SpecterOps):
The Azure AD Broker plays a key role in Entra ID sign-in & token handling, but how well do we really understand it? @winternl_t unpacks its on-disk cache, how to decode it, & the security implications. 🔐 ghst.ly/4oTR4v5
Raj Patel retweeted
SpecterOps (@SpecterOps):
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm
Raj Patel retweeted
SpecterOps (@SpecterOps):
Lateral movement getting blocked by traditional methods? @werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG
Raj Patel retweeted
Garrett (@unsigned_sh0rt):
frankensteined some code together to make a couple BOFs that set shadowcreds/rbcd for when proxying was acting up... maybe they're useful to you. they don't clean up at the moment so that'll have to get added at some point... ops not done yet lol github.com/garrettfoster1…
Raj Patel retweeted
Garrett (@unsigned_sh0rt):
I pushed updates to SCCMHunter as part of my Arsenal demo at #BHUSA today! New features include a relay module for TAKEOVER-5 and a community contribution to coerce client push from a *nix host for ELEVATE-2. github.com/garrettfoster1….
Raj Patel retweeted
Chris Thompson (@_Mayyhem):
This post about MSSQLHound, a PowerShell collector that adds 7 new nodes and 37 new edges to BloodHound, details my experience and lessons learned designing and implementing the tool using OpenGraph and provides examples of how to research and discover MSSQL attack paths.
Quoted post by SpecterOps (@SpecterOps):

MSSQLHound leverages BloodHound's OpenGraph to visualize MSSQL attack paths with 7 new nodes & 37 new edges, all without touching the SharpHound & BloodHound codebases. @_Mayyhem unpacks this new feature in his blog post. 👇 ghst.ly/4leRFFn

Raj Patel retweeted
Yuval Gordon (@YuG0rd):
Many missed this on #BadSuccessor: it’s also a credential dumper. I wrote a simple PowerShell script that uses Rubeus to dump Kerberos keys and NTLM hashes for every principal: krbtgt, users, machines. No DCSync required, no code execution on DC.
Raj Patel retweeted
SpecterOps (@SpecterOps):
BloodHound v8.0 is here! 🎉 This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID. Read more from @JustinKohler10: ghst.ly/bloodhoundv8 🧵: 1/7
Raj Patel retweeted
SpecterOps (@SpecterOps):
The industry recommendation for DPAPI backup key compromise remediation is to destroy and rebuild the environment. @sou_predictable explores why this is the current industry guidance. ghst.ly/40DTLHk
Raj Patel retweeted
SpecterOps (@SpecterOps):
Classic NTLM relay problem: Stuck on port 445/TCP, can't use WMI (needs 135/TCP), and dumping hashes triggers EDR alerts. So what's a stealthy attacker to do? 🤔 Our latest blog post explores evasive alternatives beyond the old techniques. ghst.ly/3ILR1l0
Raj Patel retweeted
klez (@KlezVirus):
Had some time and decided to take a shot at Fabian’s RAITrigger project. After a look into the RPC internals, I put together a super lightweight C# version (no NtApiDotNet), plus a C++ and BOF version. Enjoy! github.com/klezVirus/RAIW…