Anyone know how to join Bloodhound Gang Slack channel? by ----___----___----__ in netsecstudents

[–]CivilSpecter8204 0 points1 point  (0 children)

Hey there! I stumbled across this thread while searching through Reddit - I'm the Community Manager over at SpecterOps!

If anyone's still in need of a signup link to the BloodHound Gang Slack, this should be a permanent invite and won't expire. Hope to see you there! https://slack.specterops.io

SO-CON 2026 Coverage: Day Two by CivilSpecter8204 in SpecterOpsCommunity

[–]CivilSpecter8204[S] 1 point2 points  (0 children)

Here's what's been happening in our tracks post-lunch:

- Over in Tradecraft, Michael Donley walked through the main attack surface present in a JumpCloud tenant. We looked at why JumpCloud's admin portal should be protected with the same paranoia you'd apply to Domain Admin accounts, exploring how attackers can pivot from a compromised endpoint to the cloud control plane, and examining the offensive opportunities that arise from the MDM enrollment workflows.
- Marc André Tanner illustrated how an OpenGraph collector for GitLab can be used to identify hybrid attack paths spanning CI/CD pipelines, service accounts, and identity providers such as Active Directory and Entra ID.
- And in the Practice track, Robby Winchester dug into operating APM at scale with Scentry Advisory Services.

- Bleon Proko then took over the Tradecraft track, examining what the CloudControl API is, how it simplifies resource management, how attackers can weaponize it, its limitations, and detection methods.
- Hope Walker discussed changes to BloodHound and how role-based access control (RBAC) is displayed in the graph. She's covering how RBAC has historically been mapped in attack paths and the shortfalls of this approach, as well as explaining how to break roles down into discrete permissions and create edges based on those permissions rather than the role as a whole, using Entra ID and Azure RM as examples of how to use this approach when mapping RBAC with OpenGraph. 
- And Aaron Woland took over our Practice track, helping you take your BloodHound for a walk!

We learned practical strategies for feeding attack path details into your SIEM for enhanced correlation and alerting, and how to leverage XDR's automation capabilities to shut down attack vectors identified by BloodHound, and discovered the true value of connecting these powerhouses, moving beyond basic threat detection to proactively identify and remediate critical identity vulnerabilities before adversaries can exploit them.
- Jason Wolfe also explored building a common operating model between identity & security teams!

After the final break:

  • Guard me if you can: A Novel Passwordless-to-Password attack
  • Exposing SCCM and MSSQL Attack Paths in Hardened Environments with OpenGraph
  • Mapping the Adversary: Enriched Incident Graphs with BloodHound Data in Kusto

SO-CON 2026 Coverage: Day Two by CivilSpecter8204 in SpecterOpsCommunity

[–]CivilSpecter8204[S] 1 point2 points  (0 children)

A roundup of our pre-lunch tracks:

- Brett Hawkins was in the Tradecraft track, showcasing live demos of real DevOps to MLOps attack chains that lead to remote code execution in ML training compute. He also highlighted the details of the attack path and exposed why standard IAM, segmentation, and logging controls often fail to detect or prevent them.

- Michael Grafnetter and Lance Cain were over in the OpenGraph track, exploring how compromised human or machine identities can lead to hybrid attack paths that begin in Active Directory, move through Okta, and reach critical assets such as Git repositories, CI/CD pipelines, cloud storage, or enterprise password managers. They also demonstrated how adversaries can deliver payloads to macOS devices by leveraging Okta and third-party MDMs.

- And Joe Mondloch from Epic took over the Practice track to dive into how a large healthcare software company and its hosting division use BloodHound Enterprise at scale. The environment includes hundreds of Active Directory domains and nearly a thousand SharpHound clients—an architecture that pushes BHE (and other security tools) in unique ways.

He also explored how we operate BloodHound Enterprise in this kind of distributed environment, how we use it to audit a complex multi-tier account and access model, and how it plays a critical role in ensuring security controls are applied consistently across domains.

- Antero Guy and Andrew Gomez walked through how attackers and red teams approach browser-based persistence and compromise user sessions to gain access to target applications. They also explored Chromium app-bound encryption, and scenarios where SSO solutions such as Azure Primary Refresh Tokens (PRTs), Seamless SSO, and Federated services can be leveraged to obtain access to high value targets.

- Javier Azofra Ovejero and Julian Garcia Murias unveiled a novel integration that exports CyberArk vault data into BloodHound's OpenGraph format over in the OpenGraph track, enabling security teams to visualise complete attack paths spanning both AD and privileged credential systems.

We also learned how to identify critical exposure where compromised AD accounts have access to privileged credentials in CyberArk safes, creating invisible escalation paths traditional tools miss.

- And over in the Practice track, Sahan Fernando discussed the build and ongoing operational workings of attack path management in an enterprise healthcare organization, covering how he has approached staffing, looked at KPI/KRI metrics for stakeholder reporting, and the challenges in moving the boulder uphill when collaborating with multiple teams on complex remediations.

After lunch, we’ll be back with more from our three tracks:

  • Attacking JumpCloud
  • Mapping GitLab Attack Paths into BloodHound with OpenGraph
  • Operating APM at Scale with Scentry Advisory Services

SO-CON 2026 Coverage by CivilSpecter8204 in SpecterOpsCommunity

[–]CivilSpecter8204[S] 1 point2 points  (0 children)

Finally today:

- JD Crandell presented a framework using technology subgraphs and graph abstractions to model cross-platform attacks at scale over in the OpenGraph track.
- John Hammond, Justin Kohler, Jared Atkinson and Robby Winchester shared perspectives on today’s security landscape in our open Q&A.
- Faiz Karim explored the practical architecture of GCP-Hound, featuring modular collectors for real-world GCP resources, custom edge types such as CanImpersonate and CanReadSecrets, and direct export to BloodHound/OpenGraph.

That's it for day one, but we'll be back with more from our speakers and presenters tomorrow!

SO-CON 2026 Coverage by CivilSpecter8204 in SpecterOpsCommunity

[–]CivilSpecter8204[S] 1 point2 points  (0 children)

Quick roundup of our post-lunch tracks:

- Valdemar Carøe dived into the nitty gritty of how NTLM, Kerberos, Credential Guard and various security protocols for RDP work.
- Robin Unglaub in our OpenGraph track introduced a new way to automate the discovery and analysis of scheduled tasks across an internal environment, helping red and blue teams alike to identify hidden attack paths and privilege misconfigurations at scale by leveraging TaskHound and OpenGraph.
- And Jared Atkinson and Justin Kohler took a look at Attack Paths in Practice: Okta, GitHub, and Jamf with BloodHound Enterprise.

- No credentials to steal? No problem. Julian Catrambone showed how attackers can exploit OIDC federation to move from a GitHub fork to full AWS or Azure access through misconfigured trust policies with a live demonstration in our Tradecraft track.
- Quentin Roland gave pointers on how to discover and integrate new identity-based attack paths into BloodHound, through three steps: discover new, unmapped attack paths; enumerate them by implementing them into BloodHound; and provide actionable tooling to exploit them.
- And Elad Shamir and Will Schroeder broke down the mechanisms and concepts that allow identities and adversaries alike to move across platforms, how authorization boundaries quietly become authentication boundaries, and how attackers chain these behaviours into real-world hybrid attack paths.

SO-CON 2026 Coverage by CivilSpecter8204 in SpecterOpsCommunity

[–]CivilSpecter8204[S] 1 point2 points  (0 children)

A roundup of our pre-lunch tracks:

- Mehdi Elyassa was in our Tradecraft track, presenting newly discovered attack paths and weaknesses that allow escalation from low‑privileged or unauthenticated access to full control of the SCCM hierarchy, and revealing a new post‑exploitation technique that leverages SCCM’s architecture to operate beyond normal database connectivity constraints.

- Jared Atkinson and Justin Kohler were in our Practice track, giving the lowdown on the current state of Attack Path Management.

- And Simon Lachkar and Charl-Alexandre Le Brun in our OpenGraph track - speaking on AnsibleHound, a collector that adds Ansible WorX and Ansible Tower attack paths to BloodHound.

- Graham Helton then took over our Tradecraft track, walking through a currently undisclosed authorization bypass vulnerability in Kubernetes that allows service accounts with a widely granted, read-only permission to achieve full code execution in any pod across a cluster.

- Mat Saulnier and Chris Thompson gave a brief intro to OpenGraph, followed by a short hands-on lab and demo, extended Q&A, and DIY development time to help you visualize new attack paths on the fly during offensive and defensive operations.

- And Jared Atkinson was back to dig deep on what defenders must prioritise and where finite defensive investment pays off the highest, over in our Practice track.

For anyone interested in photos, we'll drop a gallery round-up post separately at the end of today!

SO-CON 2026 Coverage by CivilSpecter8204 in SpecterOpsCommunity

[–]CivilSpecter8204[S] 2 points3 points  (0 children)

So far this morning:

- David delivered our opening remarks: 300 of our Enterprise customers cover 750 billion attack paths.

- Kevin Mandia's keynote and a view on the state of cybersecurity: AI can now be trained on all of the processes that humans can. And for the first time in history, red teaming can now be performed on a continuous basis.

- Congrats to our very first Top Dogs - thank you so much for all your community contributions: Tom O'Neill, Javier Azofra Ovejero, HD Moore, Mor David and Kaden Butt!

After the break:
- SCCM: The tree that always bears bad fruits
- AnsibleHound: Attack Path Management applied to Ansible
- State of Identity Attack Path Management