Company
Date Published
Author: Andy Robbins
Word count: 3536
Language: English
Hacker News points: None

Summary

SpecterOps provides adversary simulation and detection tools for companies looking to assess their cybersecurity measures. Its experts have worked on defending government agencies and worldwide enterprises across various industries. Andy Robbins, Resilience Lead at SpecterOps, will discuss how graphs have changed the way hackers attack. He acknowledges prior work on Active Directory ACL Scanner and a French work from ANSSI, and explains that attackers think in graphs while defenders think in lists.

Hackers follow a four-step methodology: a recon phase, an initial access phase, a post-exploitation phase, and an exfiltration phase. The recon phase involves gathering information about the target system, such as user names, IP addresses, and network topology. The initial access phase aims to gain access to the network by exploiting vulnerabilities or using social engineering tactics. The post-exploitation phase involves escalating privileges and gaining control over the system. Attackers use tools like PowerView and Mimikatz to achieve this.

Identity snowball attacks, where attackers exploit user credentials and group memberships, are a common tactic. The BloodHound project automates the process of identifying and exploiting vulnerabilities by creating attack graphs. SharpHound is another tool that collects information about local admin group memberships across the enterprise. Attack path automation, enabled by projects like GoFetch and ANGRYPUPPY, allows attackers to quickly identify and execute the most effective attack paths, making it difficult for defenders to counter them.