I'm SO hyped to finally make MSSQLHound public! It's a new BloodHound collector that adds 37 new edges and 7 new nodes for MSSQL attack paths using the new OpenGraph feature for 8.0!. Let me know what you find with it! - https://t.co/Hh089SaVOS - https://t.co/geO0HXTykf

AdminSDHolder is kinda my jam. I wrote the e-book on it. If you work with Activity Directory, I highly recommend you give this a skim, or at least check the spoilers in the blog.

This is (probably) the last time I‘ll nag you with TaskHound. Since my org doesn’t allow me to use memes in our official blogs I finally took the hint and stopped procrastinating. My personal Blog is now live :). https://t.co/Sp2aj2Y0EO (Disclaimer: may contain sarcasm and memes)

I have released an OpenGraph collector for network shares and my first blogpost at @SpecterOps on the subject! You can now visualize attack paths to network shares in BloodHound 👀 https://t.co/2e2DBIndcU

The only conference dedicated to Attack Path Management is back! 3 tracks. Real-world case studies. Hands-on BloodHound Quest lab. Join us at #SOCON2026 and advance your identity-first security strategy. 🎟️ Save 25% with early bird: https://t.co/0njiU2f3ac

Microsoft introduced nested application auth (NAA) in 2024. Researchers spotted FOCI similarities & dubbed it brokered client IDs (BroCI). @Icemoonhsv documents NAA flows and BroCI—filling a gap for research on Microsoft identity protocols.

Just like chocolate and peanut butter, runZero and BloodHound are an amazing combination. Today we are introducing runZeroHound - an open source toolkit for bringing runZero Asset Inventory data into BloodHound attack graphs: https://t.co/YIbFZiSb6A

Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️

SCCM is one of the most relied-on enterprise tools, but that legacy comes with risk. Join @unsigned_sh0rt this Friday at #BSidesPDX as he discusses how attackers can abuse #SCCM Entra integrations to gain admin access. ➡️ https://t.co/7UiihoC0kA

Coercing machine authentication on Windows 11 /2025 using the MS-PRN/PrinterBug DCERPC edition, since named pipes are no longer used. Kerberos fails in this case due to a bad SPN from the spooler, forcing NTLM fallback.

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:

I wanted to find out if you could start the WebClient service remotely, so I ended up digging into it

Why should Microsoft's Nested App Authentication (NAA) should be on your security team's radar? @Icemoonhsv breaks down NAA and shows how attackers can pivot between Azure resources using brokered authentication.

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️ @bytewreck drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements.

PDQ SmartDeploy versions prior to 3.0.2046 used static, hardcoded encryption keys for cred storage. Low-privileged users could potentially access admin creds from registry or deployment files. @unsigned_sh0rt unpacks his testing in his latest blog post.

WSFC misconfigurations can turn your domain into one big fustercluck. I'm sharing fustercluck today as part of my #BHUSA presentation. The README summarizes the issues and a detailed blog is coming soon.

What all do you need to know about BloodHound CE 8.0 & OpenGraph? @ScoubiMtl is joining @RedSiege's Wednesday Offensive tomorrow to dive into the JSON schema for OpenGraph, how to ingest nodes & edges, best practices, & how to create custom icons. Join 👉 https://t.co/5LN1l2r5mZ

Dear fellow pentesters & red teamers, How often do you run into a vCenter in your client’s environment? 🖥️ I just built one for vCenter - meet vCenterHound 🐾😉 This is just the beginning… more collectors and surprises are on the way. #Pentesting #RedTeam #BloodHound #vCenter

I pushed updates to SCCMHunter as part of my Arsenal demo at #BHUSA today! New features include a relay module for TAKEOVER-5 and a community contribution to coerce client push from a *nix host for ELEVATE-2. https://t.co/INtQRq6bdI.

This post about MSSQLHound, a PowerShell collector that adds 7 new nodes and 37 new edges to BloodHound, details my experience and lessons learned designing and implementing the tool using OpenGraph and provides examples of how to research and discover MSSQL attack paths.

Want to add your own new nodes and edges to BloodHound with OpenGraph and wondering where to start with your design? This post is a must read. Andy does an excellent job explaining the concepts and patterns you can follow to create reliable attack path graphs every time.