Nick Powers (@zyn3rgy) 's Twitter Profile
Nick Powers

@zyn3rgy

Adversary Simulation @SpecterOps | Previously @Rapid7 & @Protiviti

ID: 1319352285298917377

Link: https://github.com/zyn3rgy | 22-10-2020 18:58:02

264 Tweet

1,1K Followers

220 Following

Steven (@0xthirteen) 's Twitter Profile Photo

I’ve always thought Seatbelt was a great situational awareness tool, I created a python implementation of it. Due to the nature of how I expect it to run, it only implements the remote modules, but I hope someone finds it useful. github.com/0xthirteen/Car…

Max Harley (@0xdab0) 's Twitter Profile Photo

The talk Nick Powers and I gave at BSides Charleston titled Doe-n’t Play Fair was posted a couple days ago! It was our first dive into game hacking outside of some basic Cheat Engine hacks in middle school. The meme about red team techniques being downstream from game hacking is so real

sn🥶vvcr💥sh (@snovvcrash) 's Twitter Profile Photo

[BLOG 📝] The brand new NetExec #Timeroast module made me finally study the attack itself, so here are some thoughts of mine on it with a couple of use cases and a real life example. snovvcrash.rocks/2024/12/08/app…

Synacktiv (@synacktiv) 's Twitter Profile Photo

You can now use LDAP/LDAPs protocols with the SOCKS proxy of ntlmrelayx thanks to the PR from Pierre Milioni (now merged upstream). Here is an example with ldeep using relayed authentication from HTTP to LDAPs :

Dirk-jan (@_dirkjan) 's Twitter Profile Photo

Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀

T3nb3w (@t3nb3w) 's Twitter Profile Photo

🚀 New Blog & PoC: Abusing IDispatch for COM Object Access & PPL Injection Leveraging STDFONT via IDispatch to inject into PPL processes & access LSASS. Inspired by James Forshaw's research! 🔍 Blog: mohamed-fakroud.gitbook.io/red-teamings-d… 💻 Code: github.com/T3nb3w/ComDotN…

SpecterOps (@specterops) 's Twitter Profile Photo

BIG NEWS: SpecterOps raises $75M Series B to strengthen identity security! Led by @InsightPartners with @AnsaCapital, M12 - Microsoft's Venture Fund, Ballistic Ventures, Decibel, and Cisco Investments. ghst.ly/seriesb #IdentitySecurity #CyberSecurity (1/6)

Garrett (@unsigned_sh0rt) 's Twitter Profile Photo

Along with this blog, I published an update to SCCMHunter that enables credential recovery all from the admin module. NAAs, client push, pxe boot password, discovery accounts, Azure app creds, etc. github.com/garrettfoster1…

Andrew Oliveau (@andrewoliveau) 's Twitter Profile Photo

RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS. Hope you enjoy the blog & tool drop 🤟 ibm.com/think/x-force/…

Logan Goins (@_logangoins) 's Twitter Profile Photo

I'm super happy to announce an operationally weaponized version of Yuval Gordon's BadSuccessor in .NET format! With a minimum of "CreateChild" privileges over any OU it allows for automatic escalation to Domain Admin (DA). Enjoy your inline .NET execution! github.com/logangoins/Sha…

Matt Ehrnschwender (@m_alphaaa) 's Twitter Profile Photo

I'm finally releasing a project that I've been working on for a little while now. Here's Boflink, a linker for Beacon Object Files. github.com/MEhrn00/boflink Supporting blog post about it. blog.cybershenanigans.space/posts/boflink-…

Jonny Johnson (@jsecurity101) 's Twitter Profile Photo

Have you ever wondered if there was a way to deploy a "Remote EDR"? Today I'm excited to share research I've been working on for the past couple months. This dives into DCOM Interfaces that enable remote ETW trace sessions without dropping an agent to disk. Includes a detailed

TKYN (@tkynsec) 's Twitter Profile Photo

Windows 11 24H2 broke a popular malware evasion technique! The Lloyd Labs self-deletion method now fails because of NTFS changes, so I spent time with kernel debugging to figure out why and how to fix it. Full technical breakdown: tkyn.dev/2025-6-8-The-N…

John Hammond (@_johnhammond) 's Twitter Profile Photo

Chatting with mah fwend and co-worker Jonny Johnson to learn all about Event Tracing for Windows, and some super cool projects he has been working on: a lightweight and custom "toy EDR" JonMon and ETWInspector to help with Windows telemetry research! youtu.be/BNWAxJFL6uM

Yeeb (@yeeb_) 's Twitter Profile Photo

Created small tool that joins a device to a Tailscale network and exposes a local SOCKS proxy. It’s built for red team pivots and quick access into (restricted) environments. The underlying tsnet library is currently Go-only, so it's semi-portable for now. github.com/Yeeb1/SockTail

Chris Thompson (@_mayyhem) 's Twitter Profile Photo

I'm SO hyped to finally make MSSQLHound public! It's a new BloodHound collector that adds 37 new edges and 7 new nodes for MSSQL attack paths using the new OpenGraph feature for 8.0!. Let me know what you find with it! - github.com/SpecterOps/MSS… - specterops.io/blog/2025/07/2…

Orange Cyberdefense's SensePost Team (@sensepost) 's Twitter Profile Photo

Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (Aurélien Chalot), including instructions for reproducing the test environment yourself. (link below)
