Many in the Mythic Community have asked for a way to standardize BOF/.NET execution within Mythic Agents. Today I'm releasing Forge, a new Mythic container to do just that: posts.specterops.io/forging-a-bett… We're starting off with default support for Apollo and Athena. Check it out! :)

RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS. Hope you enjoy the blog & tool drop 🤟 ibm.com/think/x-force/…

📧 GraphSpy 1.5.0 is out now and brings a brand new Outlook Graph module! ✅Read emails in any folder ✅Send HTML-formatted emails directly in GraphSpy ✅Access shared mailboxes ✅Search for sensitive information like passwords 🔗Check out GraphSpy here: github.com/RedByte1337/Gr…

cuddlephish : Weaponized multi-user browser-in-the-middle (BitM) for penetration testers : github.com/fkasler/cuddle… Details : link.springer.com/article/10.100… credits Forrest Kasler

Short post on an alternative method for obtaining Microsoft Entra refresh tokens via Beacon. Proof of concept BOF is available on my GitHub 🙂 infosecnoodle.com/p/obtaining-mi…

🚀 Launching TheManticoreProject – a long-term offensive & defensive security ecosystem in Go! First release (the core library): Manticore 🐾 🔧 Modular Go library to craft & interact with network protocols. ⚙️ SMB support coming soon. 🌐 github.com/TheManticorePr…

I'm super happy to announce an operationally weaponized version of Yuval Gordon's BadSuccessor in .NET format! With a minimum of "CreateChild" privileges over any OU it allows for automatic escalation to Domain Admin (DA). Enjoy your inline .NET execution! github.com/logangoins/Sha…

Wondering how you can maintain persistence while staying under the radar? Antero Guy just dropped his guide on COM hijacking — a go-to technique that balances stealth w/ reliability. Read more ⤵️ ghst.ly/4kg5Ytq

So excited to see this one come out! Awesome post from Julian Catrambone on why IdP's should still be scrutinized! (tl;dr: OneLogin leaked random customer logs with info valid to generate JWT's) 👀 specterops.io/blog/2025/06/1…

GraphSpy just got scarily powerful!🔥 🤖Automated device code entry 🖥️Post-comprimise automation (device registration, WinHelloForBusiness, ...) 🍪PRT Cookies ⚒️Cross-tool support ❤️‍🔥The sponsor branch is now live for early access: github.com/sponsors/RedBy… 🧵More info below

My latest blog post just dropped! This time it's about Entra 🆔 "High-Profile Cloud Privesc" revisits an old PowerShell trick to pivot from cloud to endpoint - or how to elevate to Global Admin from 'OneDrive Admin'-equivalent permissions labs.reversec.com/posts/2025/07/…

Wrote a BOF that extracts access tokens from .tbres files by decrypting DPAPI blobs in the current user context, this tool can be used as an alternate to office_tokens BOF github.com/grayhatkiller/…

Made some changes to SoaPy to allow ADWS recon to be ingested into Matt Creel 's BOFHound offline for upload to BloodHound. A blog detailing an operational perspective of ADWS collection from Linux with BloodHound is coming soon. For now, the changes are here: github.com/logangoins/Soa…

My first SpecterOps blog! Ever wanted to collect Active Directory information from LDAP for a Red Team? Using LDAP's more OPSEC-considerate cousin: ADWS can be used to improve upon the already present advantages of using smaller-scaling LDAP queries. specterops.io/blog/2025/07/2…

I'm SO hyped to finally make MSSQLHound public! It's a new BloodHound collector that adds 37 new edges and 7 new nodes for MSSQL attack paths using the new OpenGraph feature for 8.0!. Let me know what you find with it! - github.com/SpecterOps/MSS… - specterops.io/blog/2025/07/2…

WSFC misconfigurations can turn your domain into one big fustercluck. I'm sharing fustercluck today as part of my #BHUSA presentation. The README summarizes the issues and a detailed blog is coming soon. github.com/garrettfoster1…