Snowscan (@snowscan) 's Twitter Profile

Load "$",8; Red Team

ID: 18966852

https://snowscan.io | 14-01-2009 04:24:38

375 Tweet

6,6K Followers

412 Following

Vulnlab (@vulnlab_eu) 's Twitter Profile Photo

Vulnlab just released a new Active Directory lab called Wutai! Like Shinra, it’s a simulated corporate environment with about 15 machines spread across multiple networks, domains & forests. The lab focuses on exploiting misconfigurations & users - not CVEs.

LRQA Cyber Labs (@lrqa_cyber_labs) 's Twitter Profile Photo

Introducing ETWHash! ETWHash is a new method and tool by Lefteris Panos for consuming SMB events from Event Tracing for Windows (ETW) and extracting NetNTLMv2 hashes for cracking offline. labs.nettitude.com/blog/etwhash-h…

Louis Dion-Marcil (@ldionmarcil) 's Twitter Profile Photo

Been playing with the .zip TLD for phishing, apparently Outlook on Windows doesn't let you click links containing credentials, mitigating the "attack". Haven't seen anyone talk about this, weirdly. After looking into this a bit, I found a way to bypass this behaviour!

Louis Dion-Marcil (@ldionmarcil) 's Twitter Profile Photo

Outlook for Windows can be tricked into displaying a fake domain, but open another one. Add a <base> tag with a fake domain + left-to-right mark (U+200E). Links in <a> tags will show the fake domain, but open the real domain. No need to buy .zip! :) Convincing #phishing #redteam

Andrew Oliveau (@andrewoliveau) 's Twitter Profile Photo

🔥 Excited to share my latest Mandiant (part of Google Cloud) Red Team blog on "Escalating Privileges via Third-Party Windows Installers" mandiant.com/resources/blog… Learn how attackers exploit this privilege escalation vector and ways to defend against it. Includes BOF release and a couple CVEs!

Snowscan (@snowscan) 's Twitter Profile Photo

You can use the Windows Search Protocol to coerce authentication from hosts running the Windows Search Service (Win10/11 only by default) as a regular domain user. Haven't been able to do WebDAV with it though so usefulness is limited. PoC: github.com/slemire/WSPCoe…

Snowscan (@snowscan) 's Twitter Profile Photo

Did Bethesda hire the Microsoft UX team to work on Starfield? This is so shit. Really disappointed with the game so far.

Dirk-jan (@_dirkjan) 's Twitter Profile Photo

It's been quiet for a while around bloodhound Python, however I'm happy to share that I am now maintaining the project at my personal GitHub. The latest version fixes many bugs/issues, also thanks to the many PRs that were submitted (thanks all!). github.com/dirkjanm/blood…

CODE WHITE GmbH (@codewhitesec) 's Twitter Profile Photo

Struggling to get those precious certificates with #certipy and AD CS instances that do not support web enrollment and do not expose CertSvc via RPC? Tobias Neitzel has you covered and added functionality to use DCOM instead of good old RPC #redteaming github.com/ly4k/Certipy/p…

adamm (@adamsimuntis) 's Twitter Profile Photo

Found a flaw in NetBSD's utmp_update allowing injection of ASCII escape sequences into utmpx logs, leading to unexpected terminal emulator behavior and utmpx database integrity concerns. ftp.netbsd.org/pub/NetBSD/sec… #NetBSD #Security

Andrew Oliveau (@andrewoliveau) 's Twitter Profile Photo

CcmPwn is equipped with various modules. The “exec” module runs an AppDomainManager Injection payload for every logged-in user. The “coerce” module coerces SMB/HTTP authentications, which can then be used for password cracking or relay attacks. 👇 github.com/mandiant/CcmPwn

NetSPI (@netspi) 's Twitter Profile Photo

Introducing PowerHuntShares 2.0 Release! NetSPI VP of Research Scott Sutherland introduces new insights, charts, graphs, & LLM capabilities that can be used to map the relationships & risks being exposed through the network shares: ow.ly/6Rjo50U7tNr

SkelSec (@skelsec) 's Twitter Profile Photo

#pypykatz new version 0.6.11 is out on github and pip. Big thanks to all awesome contributors!! Besides the fixes, the two important things in this version: - Kerberos aes keys extraction is now supported - !!!!Windows 24H2 support is here!!!!! github.com/skelsec/pypyka…