Michael Schneider (@0x6d69636b)'s Twitter Profile
Michael Schneider

@0x6d69636b

infosec, working at @scipag, #RedTeam, classic car rally driver for @teampaddymurphy, 🐘@[email protected]

ID: 978332116353155072

26-03-2018 18:05:27

1.1K Tweets

1.1K Followers

410 Following

ViperOne (@theviperone)

My new tool, Invoke-PowerDPAPI is able to obtain system master keys and decrypt various DPAPI encrypted material such as credentials, vaults and local SCCM encrypted blobs for NAA credentials and task sequences. Github: github.com/The-Viper-One/… Let me know what you think 😁

Dirk-jan (@_dirkjan)

Aaand we (or mostly Fabian) made this cool website where you can explore all these first party apps and their scopes at entrascopes.com x.com/fabian_bader/s…

watchTowr (@watchtowrcyber)

Are we bleeding out? Enjoy our analysis of CitrixBleed 2, aka CVE-2025-5777 - the "new" Citrix NetScaler Memory Leak vulnerability. We've been using this mechanism to identify vulnerable systems, and hope it helps the teams that need it.. enjoy! labs.watchtowr.com/how-much-more-…

Filip Dragovic (@filip_dragovic)

Today MSRC fixed two vulnerabilities I reported a couple months ago. EoP in Windows Update service (affects only windows 11/10 with at least 2 drives) msrc.microsoft.com/update-guide/v… EoP in Microsoft PC Manager msrc.microsoft.com/update-guide/v… PoC for CVE-2025-48799: github.com/Wh04m1001/CVE-…

SpecterOps (@specterops)

🔴 Red and blue teams, this one's for you. 🔵 LudusHound bridges BloodHound Attack Paths with lab automation by creating a functional Active Directory replica testing environment. Read Beyviel David blog post for more. ghst.ly/40Ippn1

S3cur3Th1sSh1t (@shitsecure)

This is so much! 🔥🔥😎 Found two new Potato triggers just today. Not only Potato but can also be used for LPE as remote auth is done which could be relayed to LDAP without Signing enabled. Or relayed to ADCS for a certificate. github.com/warpnet/MS-RPC…

✞ inversecos (@inversecos)

Red teamers, no need to “pull” clipboard data when Windows already saves it all on disk for you in a neat little file 🗿 (including past clipboard items) inversecos.com/2022/05/how-to…

OtterHacker (@otterhacker)

Here is the article explaining the different steps to create the Evilginx phishlet! riskinsight-wavestone.com/en/2025/07/phi…

S3cur3Th1sSh1t (@shitsecure)

To trigger local SYSTEM authentication for relaying to ADCS or LDAP for LPE you would usually need the printer service or EFS service to be enabled (printerbug/petitpotam). Here is an alternative without this requirement 🤠 github.com/rtecCyberSec/R…

LuemmelSec (@theluemmel)

That is actually the real exploit. I went through all the decoding and stuff. It finally is the payload that creates spinstall0.aspx which then gets you the machine keys that allow you to craft your own Viewstates.

Hunt.io (@huntio)

⚠️New Research: Clickfix on macOS - AppleScript Stealer via Terminal Prompts A new phishing campaign is using Clickfix to bypass downloads and trick users into running base64 -d | bash in Terminal. The AppleScript payload grabs browser data, crypto wallets, and cookies, then

Stephen Fewer (@stephenfewer)

We now have a (draft) Metasploit Project exploit module in the pull queue for the recent Microsoft SharePoint Server unauthenticated RCE zero-day (CVE-2025-53770), based on the in-the-wild exploit published a few days ago. Check it out here: github.com/rapid7/metaspl…

Sean Metcalf (@pyrotek3)

The Print Spooler service is a default service on Windows Servers and is set to run at startup. There are a number of attacks that are enabled by having the Print Spooler service running on Domain Controllers (ex.: Printer Bug: adsecurity.org/?p=4056) At this point it's best to

I am Jakoby (@i_am_jakoby)

Added a new tool to: powershellforhackers.com/tools/revshell/ ⚠️Please Use Responsibly⚠️ You can use this to instantly generate an obfuscated reverse shell in PowerShell that I have personally used to beat EVERY single EDR out there right now. I've added some pretty cool stuff to my website

Soroush Dalili (@irsdl)

I have launched YSoNet (ysonet.net) and added #SharePoint CVE-2025-49704 payload generator to it as the first thing. Here is how this can work: Running command: ``` ysonet.exe -p sharepoint --cve=CVE-2025-49704 -var 1 -c "calc" ``` Running C# code: ``` ysonet.exe

vx-underground (@vxunderground)

New TTP dropped! Yesterday Microsoft announced a new feature coming in January, 2026. Microsoft Intune's Unattended Remote Help for Windows: remotely access devices over the cloud without requiring end user involvement by signing in with credentials. Yay!

Chris Thompson (@_mayyhem)

I'm SO hyped to finally make MSSQLHound public! It's a new BloodHound collector that adds 37 new edges and 7 new nodes for MSSQL attack paths using the new OpenGraph feature for 8.0! Let me know what you find with it! - github.com/SpecterOps/MSS… - specterops.io/blog/2025/07/2…

Dirk-jan (@_dirkjan)

It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates. Also includes ESC1 over Intune (in some cases). dirkjanm.io/extending-ad-c… Oh, and a new tool for SCEP: github.com/dirkjanm/scepr…

vx-underground (@vxunderground)

Fuzzing project is going fuzzingly. I still don't know why I decided to fuzz several million signed drivers, but we're doing it. I'll be sharing the results on vx-underground. Feel free to look at them, explore them, flag them, try to exploit them, get a CVE, add them to