SpecterOps

ICYMI: @0xr0BIT joined #KnowYourAdversary for a discussion on how scheduled tasks store creds, why they frequently appear during security assessments, & how TaskHound helps operators & defenders visualize these relationships directly within BloodHound. 👀 ghst.ly/4x4qGmU

Happy #BloodHoundBasics Friday from @Jonas_B_K! 🎉 Did you know BloodHound now shows Eligible Roles in the Entity Panel? For Azure users and groups, you can quickly see who can activate privileged roles or approve role activation requests.

Want to better defend Azure and Entra ID environments? Start by understanding the adversary's perspective. At #BHUSA, our Azure training uses hands-on labs to teach the attack paths, misconfigs, and techniques used against modern cloud environments. ➡️ ghst.ly/4uii3Ua

Scale indirect prompt-injection testing w/ Codex-driven automation by turning payload development into a generate-inject-test-analyze-repeat loop. Antero Guy used it to explore indirect prompt-injection behavior against a custom Claude Sonnet 4.5/4.6 agent ghst.ly/4us3EnJ

Why do MFA and SSO stop mattering once someone has access to your machine? @JustinKohler10 dives into it with @CloudSecPod ⤵️

MSSQL has always been a favorite target. Now it ships its own egress channel. @gershsec's latest research breaks down how SQL Server 2025's native AI features enable exfil, NTLM coercion, and C2 transport, all functioning as intended. Read more 👇 ghst.ly/4e2L3JX

This work is published as part of GhostWorks, an AI-focused engineering and research initiative at SpecterOps, focused on the disciplined exploration of frontier AI-enabled cybersecurity tooling. Read more ⤵️ ghst.ly/4otZ1rJ

Most prompt engineering still boils down to vibes. @_xpn_ explores GEPA, a framework for optimizing prompts using eval results, execution traces, & iterative refinement. Read this practical look at bringing measurable engineering practices to AI agents. ghst.ly/4vGffAp

Join our Tradecraft Analysis training at #BHUSA! The course digs into how Windows attack techniques work under the hood, how to identify telemetry sources & detection choke points, & develop robust detection coverage & informed evasion strategies. ➡️ ghst.ly/43eLw5s

U2U powers UnPAC-the-Hash and chains into Shadow Credentials and ADCS ESC attacks, but most resources skip the “how.” @GrayHatKiller breaks down Kerberos U2U auth from the RFC to Windows’ divergences—and why modern attacks rely on it. ghst.ly/4egy4TT

AzureHound now has least-privilege permission documentation + @martinsohndk shows the internal research that made it. TL;DR of changes: Directory.Read.All → 8 MS Graph permissions Reader role → 16 ARM actions Directory Readers → not required ghst.ly/4vzI8yk

If you had FOMO during #SOCON2026 or you want to run back your favorite talk, the talk playlist is now available! 👀 Watch all currently available sessions: ghst.ly/SOCON26YT 📊: Access the presentation slides: ghst.ly/4xivvt9

📃 The update also added a one-page Cypher cheat sheet for quick lookups, plus a bundle of new queries that increase mapping coverage to security assessment tools. Check it out: queries.specterops.io 6/6

❤️ Favorite queries! Log in, heart the queries you use most, sort for Most Favorites, and use Show Favorites to filter your list. For now, this applies to the BloodHound Query Library source. 5/6

Happy #BloodHoundBasics Day! This week, @martinsohndk walks through: queries.specterops.io helps you find & run the queries you need. Caught up on the latest features? - Multi-source loading - Multi-server management - Favorites - Cypher cheat sheet Quick glance in 🧵 1/6

And the winner is... 🥁 foobar! At the close of #InfoSecEurope, foobar was crowned the #BloodHoundUnleashed Attack Path Champion! 👑 Thank you to all of our competitors for your enthusiasm and participation throughout the challenge. We will see you for the next one...

Most teams think they have a few attack paths. The real number can run into the billions. Mark Wilson & Kay Daskalakis from the team behind Bloodhound @SpecterOps spoke to @hashishrajan about identity, agentic AI on old infrastructure, and why speed changes but context doesn't