
Chris Thompson
506 posts

@_Mayyhem
Senior Security Researcher @SpecterOps https://t.co/Sz5fRYkX6u
Joined August 2015
487 Following, 2.8K Followers
Pinned Tweet

My SCCM BloodHound OpenGraph collector, ConfigManBearPig, is finally ready to share! It can enumerate all of the relay TAKEOVERs and a few CRED and ELEVATE techniques from Misconfiguration Manager with just a domain account. Let me know what you find! specterops.io/blog/2026/01/1…

@miketerrill I'm not super familiar with this but it does sound like the exploit was an abuse of that functionality: learn.microsoft.com/en-us/windows/… (#windows-re-and-bitlocker-recovery)

Very compelling read on OpenGraph's beginnings. The content is interesting, but also I just love Brandon's writing! It makes you feel like you're there on a personal journey instead of just dumping technical info onto the page, which I tend to do and would love to improve upon.
SpecterOps@SpecterOps
What does it take to build the foundation for a graph that can grow beyond Active Directory? In his latest blog post, Brandon Shearin reflects on a year building OpenGraph for BloodHound, & the work of turning ambiguity into architecture. Check it out ⤵️ ghst.ly/3QYKrvG
Chris Thompson retweeted

"Red team" has become a catchall term. Some vendors mean pentesting. Others mean compliance theater.
None of that tells you what actually matters: Would you detect an attacker once they're already in?
@Ne0nd0g breaks it down ⤵️ ghst.ly/4uk1qaj
Chris Thompson retweeted

@Octoberfest73 I remember you once posted a quirk of impacket that could be used as an ioc so I thought you’d like this list of 50+ impacket IOCs😄 github.com/ThatTotallyRea…

MSSQLHound runtime is down from 17 minutes to 17 seconds in my lab after rewriting the BloodHound collector in Go with Javier Azofra and added SOCKS proxying, Kerberos and NT hash auth, and pathfinding. Hope this is more useful for ops than PowerShell! Let me know how it goes!
SpecterOps@SpecterOps
If MSSQL isn't in your attack path visibility yet, this is your sign. @Mayyhem just shipped a major MSSQLHound upgrade with Javier Azofra Ovejero (github.com/jazofra): faster, cross-platform, and pathfinding-ready in BloodHound. Check it out! ghst.ly/4cUKgtJ
Chris Thompson retweeted

gopacket is live! Check it out, it is intended to be a full reimplementation of Impacket in Go (it is in beta please send me bug reports) github.com/mandiant/gopac…
Chris Thompson retweeted

BloodHound users: your query workflow just got better.
With this latest update, @martinsohndk and @joeydreijer introduce multi-source loading, multi-server support, and dozens of new queries, now live in the Query Library.
Check it out: ghst.ly/4vBic6c
Chris Thompson retweeted

Missed @jaredcatkinson & @JustinKohler10's talk at #SOCON2026?
They announced BloodHound 9.0!
Attack paths span SaaS, cloud, endpoints & identity providers. Attackers have exploited these connections for years. BloodHound 9.0 closes that gap.
Learn how: ghst.ly/3OmSe5A

Chris Thompson retweeted

Relayed NTLM creds are powerful, if you can use them.
@senderend shows why browsers fail through ntlmrelayx SOCKS and introduces ghostsurf to make NTLM-authenticated web apps accessible.
Read more ⤵️ ghst.ly/4tnJOtx

@synzack21 @badsectorlabs ConfigManBearPig will catch a ton of the attack techniques that are possible in the lab and allow you to graph them in BloodHound: github.com/SpecterOps/Con…

I added an SCCM central admin site, child site, passive site server, secondary site, and remote system roles to @synzack21 and @badsectorlabs Ludus lab so you can skip the manual deployment. It's vuln to almost every technique in Misconfiguration Manager. specterops.io/blog/2026/04/0…
Chris Thompson retweeted

Check out GoLinHound:
- Discovers Linux & SSH attack paths
- Outputs OpenGraph JSON for BloodHound ingestion
- Integrates with SharpHound and AzureHound data to unveil cross-technology attack paths
github.com/RantaSec/golin…
Chris Thompson retweeted

Every Entra ID assessment ends here: “How do I get a token without triggering Conditional Access controls?” 🤔
@rbnroot built CAPSlock, an offline ROADrecon-based Conditional Access engine that simulates sign-ins & flags gaps without touching the tenant. ghst.ly/4aKIk64
Chris Thompson retweeted

Introducing BloodHound Scentry: BloodHound Enterprise + SpecterOps experts working alongside your team to eliminate attack paths and accelerate APM.
Level 0 → Level 3 maturity in ~6 months. Not theory. Tradecraft. 🎯
Learn more ➡️ ghst.ly/bhscentry-tw

Chris Thompson retweeted

@_subTee reminded me that the Projected File System existed on Windows recently, so I decided to do a deep dive. Turns out - this is probably the best base technology for canary/deception features out there. There is also a splash of offensive use cases😎
@HuntressLabs Blog: huntress.com/blog/windows-p…
Chris Thompson retweeted

@jannisj If it's breaking due to the new NTLM rejection, there should be a way to force the use of Kerberos by supplying a fully qualified domain name. Looks like there's an issue tracking this that might help: github.com/MSEndpointMgr/…

@_Mayyhem And after you upgrade to 2509, modern driver management breaks :/

RIP SCCM hierarchy TAKEOVER-5: learn.microsoft.com/en-us/intune/c… (#adminservice-now-rejects-ntlm-authentication)
github.com/subat0mik/Misc…
It's a good idea to upgrade to 2509 ASAP, sysadmin friends! There's no other mitigation if you have an SMS Provider hosted remotely from the site server AFAIK.
Chris Thompson retweeted

I found unauthenticated bugs in MDT that can be abused to coerce authentication from the host server or to leak creds stored in the deployment share's rules file. Instead of fixing the issues, Microsoft retired MDT.
specterops.io/blog/2026/01/2…

