Okta chained with Azure with auto MFA subscription for Okta and frame-buster bypass to perform Bitb ! Evilginx is really nice to setup custom phishing campaign whatever the environment is... Phishlet available here : github.com/OtterHacker/Ok…

While performing penetration tests on SAP Financial Consolidation, our ninjas laxa and Alexis Danizan discovered an authentication bypass for local accounts including the built-in ADMIN account, leading to the underlying system compromise: synacktiv.com/en/advisories/…

Introducing the BloodHound Query Library! 📚 Martin Sohn & Joey Dreijer explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ

Je serai à #LeHack vendredi 27 et samedi 28 juin, et si tu n'as pas encore ta place, tente ta chance pour venir gratuitement, en résolvant ce petit challenge made by Login Sécurité 💪 linkedin.com/posts/login-s-…

🧐Le 11 juin dernier, deux chercheurs de Synacktiv ont publié un billet de blog révélant CVE-2025-33073, une faille critique qui est pourtant passée (presque) sous le radar. 🤓On passe en revue la vuln' aujourd'hui ! youtu.be/sXdca8lfG14

New video out 😊 showing how you can take control of port 445 and perform those magical relay attacks toward AD CS when working from a C2 agent. Way easier than before thanks to some great research by Nick Powers youtube.com/watch?v=e4f3h5…

Netexec users and Windows lovers here is a small tip I learned experimenting with Samuel (scam) G. about windows loggedon-users and scheduled task impersonation

SCCM’s Management Points can leak more than you’d expect. Garrett shows how Network Access Accounts, Task Sequences, and Collection Settings can be stolen by relaying a remote Management Point to the site database. Check it out ⬇️ ghst.ly/4eNLaHU

To trigger local SYSTEM authentication for relaying to ADCS or LDAP for LPE you would usually need the printer service or EFS service to be enabled (printerbug/petitpotam). Here is an alternative without this requirement 🤠 github.com/rtecCyberSec/R…

It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates. Also includes ESC1 over Intune (in some cases). dirkjanm.io/extending-ad-c… Oh, and a new tool for SCEP: github.com/dirkjanm/scepr…

In this blog post I explain the fundamental building blocks, vocabulary, and principles of attack graph design for BloodHound: specterops.io/blog/2025/08/0…

hashcat v7.0.0 released! After nearly 3 years of development and over 900,000 lines of code changed, this is easily the largest release we have ever had. Detailed writeup is available here: hashcat.net/forum/thread-1…

Added a small Quality of Life improvement to NetExec: When the target allows null authentication the host banner automatically displays this info now🚀

Today, together with Jonathan Elkabas, we're releasing EntraGoat - A Deliberately Vulnerable Entra ID Environment. Your own hands-on Entra lab for identity attack simulation. Built for red teams, blue teams and identity nerds. Check it out here👉github.com/semperis/entra…

Session enumeration is only possible with admin privileges? That is a problem of the past thanks to the new --reg-sessions core functionality of NetExec, made by Toffy🔥

You didn’t click, but your password challenge is leaked. I’m excited to share my latest research: CVE-2025-50154, a high severity NTLM hash disclosure vulnerability in the explorer.exe process, exploitable without any user interaction. cymulate.com/blog/zero-clic…

gpoParser, which I presented at #leHACK2025 and #DEFCON, is available here: github.com/synacktiv/gpoP… It is a specialized utility designed to enumerate Group Policy Objects (GPOs) and identify potential security misconfigurations.

If you want to quickly check whether the guest account is enabled, you can now do it with NetExec. This is not enabled by default you need to set the custom flag check_guest_account in your nxc.conf file. Maybe one day it will be set to true by default 🪂

Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service remotely as a low-privileged user. Steven breaks down the service startup mechanics, plus the protocols and technologies. ghst.ly/41QT7GW

A detailed description of the R&D process with its ups and downs, a great deep dive into Windows internals to try to remotely enable the Web Client service. Great work 👏