𝐶𝑇-𝐻𝑒𝑙𝑙𝑐𝑎𝑡 (@ct_hellcat)'s Twitter Profile
𝐶𝑇-𝐻𝑒𝑙𝑙𝑐𝑎𝑡

@ct_hellcat

Global Security Team

ID: 713263816868372480

Joined: 25-03-2016 07:18:40

4.4K Tweets

391 Followers

1.1K Following

Nikolaj Schlej (@nikolajschlej):

The embargo (12:00 UTC 2025-06-10) is over, let's start a thread on Hydroph0bia (CVE-2025-4275), a trivial SecureBoot and FW updater signature bypass in almost any Insyde H2O-based UEFI firmware used since 2012 and still in use today. English writeup: coderush.me/hydroph0bia-pa…

Saad AHLA (@d1rkmtr):

You never wonder how malware (like Mimikatz) is statically detected by AV/EDR once dropped to disk! The answer is the Minifilter Pre-Operation callbacks. Each Minifilter has multiple instances of type (`FLT_INSTANCE`, you can have their addresses with !fltkd.filters on Windbg),

Will Schroeder (@harmj0y):

Thank you so much to /ˈziːf-kɒn/ and its organizers for an awesome experience! Lee Chagolla-Christensen and I had a blast talking about the new Nemesis 2.0 rewrite (code live at github.com/SpecterOps/Nem… !) and hope to be back next year #x33fcon

sixtyvividtails (@sixtyvividtails):

Did you know Windows has built-in RAM disk? Not just your regular RAM disk. It's pmem/nvdimm, via scmbus.sys built-in hack! That means you can make 🦆🦆🦆 #dax volume, so data/image mappings (section views) will use "drive" directly! No data persistence; ws22/w11+. EZ 📀 create:

R.B.C. (@g3tsyst3m):

I'm starting another series - Buffer Overflows in the Modern Era. I'll go over the basics of using a debugger all the way to successfully achieving a buffer overflow exploit on Windows 11 24H2, using ROP gadgets and bypassing ASLR, etc. Here's part 1! g3tsyst3m.github.io/binary%20explo…

N$ (@nav1n0x):

Discovered a cool Windows LFI during a pentest in a widely used tool. This might be a 0-day — I found over 5k+ affected installations. Possibly another CVE in the pipeline. Payload:

CICADA8Research (@cicada8research):

Read our new article about privilege escalation via SymLinks! You will learn how to abuse arbitrary deletion, copying, overwriting, we will show you a couple of tricks and teach you a new interesting way to bypass UAC :) cicada-8.medium.com/were-going-the…

Pumpkin 🎃 (@u1f383):

A bit late, but I just published my blog post on bypassing Ubuntu’s sandbox! Hope you enjoy it! u1f383.github.io/linux/2025/06/…

S3cur3Th1sSh1t (@shitsecure):

After today’s talk at #TROOPERS25 I’m releasing BitlockMove, a PoC to execute code on remote systems in the context of a logged-on user session 🔥 github.com/rtecCyberSec/B… No need to steal credentials, no impersonation, no injection needed 👌

K̵i̵r̵k̵ ̵T̵r̵y̵c̵h̵e̵l̵ (@teach2breach):

🔧 Byont: (PoC) Load clean ntdll.dll from Microsoft symbol servers and execute functions from memory. Manual PE loading without LoadLibrary - bypass userland hooks for security research. github.com/Teach2Breach/b…

Dirk-jan (@_dirkjan):

Since several people already asked: the slides from Fabian Bader and myself for TROOPERS Conference are available! "Finding Entra ID CA bypasses-the structured way". We talked about FOCI, BroCI, CA bypasses, scopes and getting tons of tokens. Check it at dirkjanm.io/talks/

Dave Cossa (@g0ldengunsec):

Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…

Fabian Bader (@fabian_bader):

Exposing your multi tenant service principal secret to everybody is not just bad security but it’s completely wrong. Great finding by - Sad to see that Synology Inc. handled the disclosure so badly. Use managed identities! modzero.com/en/blog/when-b…

RWXstoned (@rwxstoned):

A helper function to log debug strings at runtime in your UDRL and hopefully make the whole process a bit easier. To use with the CobaltStrike UDRL-VS. rwxstoned.github.io/2025-07-06-Bet…

ö (@r0keb):

Good morning! Just published a blog post diving into Windows Kernel Pool internals: basics, memory allocation functions, internal structures, and how Segment Heap, LFH, and VS work. r0keb.github.io/posts/Windows-…

5pider (@c5pider):

Introducing Havoc Professional: A Lethal Presence. We’re excited to share a first look at Havoc Professional, a next-generation, highly modular Command and Control framework, and Kaine-kit, our fully Position Independent Code agent engineered for stealth! infinitycurve.org/blog/introduct…

starlabs (@starlabs_sg):

One of our current interns, vincent, shared his Chrome-atic escape adventure using CVE-2024-30088. Epic obstacles documented in it too! starlabs.sg/blog/2025/07-f…