Martin Sohn Christensen

The #SOCON2026 agenda is live! 🎉

Explore talks, topics, & speakers across the Tradecraft, OpenGraph, & new Practice Track, focused on turning Attack Path Management into an operational discipline.

Check out the agenda & plan your experience: ghst.ly/socon26-tw

🧵: 1/4

BloodHound Operator: The Six Degrees Of Master Yoda - SpecterOps A Technical Dive Into BloodHound OpenGraph With BloodHound Operator & Master Yoda… TL;DR: The latest version of BloodHound introduces BloodHound OpenGraph. This new feature allows for ingestion of any...

If you found the above cool, then check out @sadprocessor.bsky.social's much more comprehensive OpenGraph × Star Wars demo.
specterops.io/blog/2025/09...

BloodHound's OpenGraph is 🔥🚀
This is how we rapidly developed a customer specific attack primitive for BloodHound that we call "ManagerOf" 👇

Good Fences Make Good Neighbors: New AD Trusts Attack Paths in BloodHound - SpecterOps The ability of an attacker controlling one domain to compromise another through an Active Directory (AD) trust depends on the trust type and configuration. To better map these relationships and make i...

I publish two blog posts today! 📝🐫

First dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06...

Second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06...

Hope you enjoy the read 🥳

Easily find and share BloodHound Cyphers on queries.specterops.io
Released with ~90 new Cypher queries, go check them out!

@joeydreijer.bsky.social and I spent many hours creating it and we hope you find it useful. All feedback is appreciated :)

Cool! Is there a way to enum Symantec assets via LPDAP? E.g. does the server/service acc have a specific SPN?

Understanding & Mitigating BadSuccessor - SpecterOps Understanding the impact of the BadSuccessor AD attack primitive and mitigating the abuse via targeted Deny ACEs on Organizational Units.

The blog post: specterops.io/blog/2025/05...

**Every** BloodHound Enterprise tenant I've checked has multiple Non Tier Zero principals with the rights required for BadSuccessor. Luckily a 2025 DC is still rare.
Often helpdesk has GenericAll, misconfig'ed to apply on the OU itself, instead of only inheriting to principals within.

Shout out (skud ud) to @embar.io
Best CTF DJ. #tdcnetctf

BloodHound has 4 new edges: 𝗖𝗼𝗲𝗿𝗰𝗲𝗔𝗻𝗱𝗥𝗲𝗹𝗮𝘆𝗡𝗧𝗟𝗠𝗧𝗼𝗦𝗠𝗕, ...𝗧𝗼𝗟𝗗𝗔𝗣, ...𝗧𝗼𝗟𝗗𝗔𝗣𝗦, ...𝗧𝗼𝗔𝗗𝗖𝗦 [ESC8]

They combine 𝗰𝗼𝗲𝗿𝗰𝗶𝗼𝗻 and 𝗿𝗲𝗹𝗮𝘆𝗶𝗻𝗴, allowing Auth. Users to compromise computers. Read this excellent post by Elad Shamir if you are unfamiliar with those terms or want to know how to mitigate.

I had a great time at @specterops.bsky.social #SOCON2025 in Arlington/DC!

I'm grateful I get to meet all you awesome people; community members and Specters. Huge thanks to the many speakers and trainers 💙

See you next year!

Butthole*... Excellent typo

Intune Attack Paths — Part 1 Intune is an attractive system for adversaries to target…

In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...

Screenshot of trending topics launched on Christmas 2025. Topics trending include: Virat Kohli, Red Panda, Porzingis, Post Malone, Beyoncé, Gavin and Stacey Finale, Sixers, A Complete Unknown, King Henry, Joel Embiid, Pentatonix

Merry Christmas from us to you 🎄🎁💙 We launched Trending Topics today, and you can find it by tapping the search icon on the bottom bar of the app or the right sidebar on desktop.

Misconfiguration Manager: Detection Updates TL;DR: The Misconfiguration Manager DETECT section has been updated with relevant guidance to help defensive operators identify the most…

The Misconfiguration Manager DETECT section has been updated with fresh guidance to help defensive operators spot the most prolific attack techniques.

Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F

a woman wearing glasses says please with her hand up ALT: a woman wearing glasses says please with her hand up

It's that time of year again everybody! I want to know YOUR thoughts on Mythic! What did you like? What could be improved? What would you like to see next? Why do you or don't you use it? If you could change something, what would it be? www.surveymonkey.com/r/MythicPlan... I'm all ears :)

Other than securing DNS, what could prevent this technique?
Require SMB client signing? Some Kerberos hardening setting? Or only tiering (eg. Auth. Policy Silo)?

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...

ShadowHound: A SharpHound Alternative Using Native PowerShell ShadowHound is a PowerShell tool designed for mapping Active Directory environments without using known malicious binaries. It utilizes legitimate PowerShell modules for data collection through two…

ShadowHound - brand new .ps1 SharpHound alternative that supports LDAP and ADWS
Outputs data in ldapsearch format that can be converted to BH JSON with BOFHound.
blog.fndsec.net/2024/11/25/s...

Meme template "they don't know". *infosec bsky users* me: they don't know that I had 395 followers on X

355 to go!

Relaying Kerberos over SMB using krbrelayx

Awesome new addition to krbrelayx by Hugow from Synacktiv: www.synacktiv.com/publications...

DEATHcon 2024: Prevention Engineering via the RPC and LDAP Firewalls YouTube video by Zero Networks

RCP Firewall and LDAP Firewall workshop by Sagie Dulce and Dekel Paz.

youtube.com/watch?v=hJyI...

Windows ships with insecure defaults for network shares, granting Read access to Everyone. But you can change that with "SrvsvcDefaultShareInfo" in the registry.
I made a post about it: blog.improsec.com/tech-blog/ne...

Hunting SMB Shares, Again! Charts, Graphs, Passwords & LLM Magic for PowerHuntShares 2.0 Learn how to identify, understand, attack, and remediate SMB shares configured with excessive privilege in active directory environments with the help of new charts, graphs, and LLM capabilities.

PowerHuntShares is a useful tool by Scott Sutherland (_nullbind), and the v2 looks amazing. I gotta test the experimental "Share Graph".
www.netspi.com/blog/technic...

SO-CON CFP submitted! Get yours in before tomorrow's deadline.
specterops.io/so-con/

Tier list of AD tiers

Welcome! You are invited to join a webinar: Defining the Undefined: What is Tier Zero, Part 4. After registering, you will receive a confirmation email about joining the webinar. In this webinar we continue to define Tier Zero with another deep dive into the intricate world of critical identities and resources across Active Directory and Azure. This discussion covers: - Insig...

Join our webinar on Thurs when Jonas Knudsen, Lee Christensen, and I will present pt. 4 of "What Is Tier Zero", covering:
- MS Exchange On-Premises
- ADCS
- Insights from isolating Tier Zero with BloodHound Enterprise customers

Watch live or register for on-demand at ghst.ly/4eSssxL

>an explicit Deny overrules an explicit Allow.

If Deny is closer to the secureable object than the Allow, ie. explicit Allow takes precedence over inherited Deny, and parent inherited Allow > grandparent Deny.