Dumping LSASS is old school. If an admin is connected on a server you are local admin on, just create a scheduled task asking for a certificate on his behalf, get the cert, get its privs. All automatized in the schtask_as module for NetExec 🥳🥳🥳

After over a year of work my second course with Zero-Point Security is now available! In it students will apply low level windows tradecraft in the writing of Cobalt Strike’s UDRL and Sleepmask components. To celebrate, the BOF course is 25% off thru Jan 12th! zeropointsecurity.co.uk/course/udrl-sl…

Spent some time porting DumpGuard to C as a BOF. Abuses Remote Credential Guard to pull NTLMv1 hashes without going near LSASS or needing admin. Shoutout to Valdemar Carøe for the original research. github.com/0xedh/dumpguar…

As promised, today we released DumpBrowserSecrets a tool which extracts passwords, tokens, cookies and other data from several browsers. github.com/Maldev-Academy…

OWASP Agentic AI Top 10: Threats in the Wild - labs.lares.com/owasp-agentic-… _Ray at Lares This post aims to provide a comprehensive overview of each security risk. While it doesn't dive into deep exploitation techniques or defensive code, it covers how each risk works,

I wrote an article about 8 vulnerabilities in Claude Code that allowed me to bypass the permission model and execute arbitrary commands!

Creating Shadow Copies with VSS API by Ricardo Ruiz 🔥 ricardojoserf.github.io/w11shadowcopie…

Just released a new SpecterOps blog! I discovered that during client push in SCCM env's it's possible to remotely start WebClient and coerce HTTP from site servers for a relay to LDAP resulting in hierarchy takeover when WebClient is installed! 🫠 specterops.io/blog/2026/01/1…

WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma

Spent the weekend working on Cyllex: → Interactive onboarding tour → AWS TTPs (57% MITRE coverage) → Linux TTPs (22% MITRE coverage) → Windows TTPs: ADCS & ShadowCreds → LDAP Enum TTPs with multiple maturity levels → Reporting improvements → Improved agent deployment

Agentic AI systems are already showing real-world weaknesses. The first OWASP Agentic AI Top 10 highlights where autonomous applications are most exposed. Link: labs.lares.com/owasp-agentic-… ✍️_Ray

This is the most brutally honest (and accurate) take on corporate IT I've ever read. The subtlety and nuance is 🤌.

🛠️ SharePointDumper: PowerShell SharePoint extraction + auditing tool. ✅Enumerates all SharePoint sites/drives a user can access via Microsoft Graph, recursively downloads files, and logs every Graph + SharePoint HTTP request github.com/zh54321/ShareP…

Anyone know if Microsoft silently patch the Shadow Creds attack recently ? Looks like a computer object cannot write its own attribute anymore :D

Aurélien Chalot I just installed a clean version of Server 2022 (20348.169), setup it up as a DC, and tried to create a keycredential. That worked. Than I installed the latest cumulative update (KB5073457) and now it does not work anymore. So it seems to be a recent change.

Create local administrators with the SAMR API ✅Implemented in C#, Python, Rust or Crystal github.com/ricardojoserf/…

Self shadow cred is back again 🔥🔥🔥🔥🔥🔥🔥🔥🥳

A small rant: The State of Art in Red Team is whatever you want to believe x-c3ll.github.io/posts/Rant-Red…

Spent the weekend working on Cyllex and added a Splunk integration for log correlation. Also added detection events for each TTP. There's still a lot of work ahead, but it's starting to look great! I'll keep working on more integrations. Thanks to everyone who's been showing

Today is the day and I'm sorry it's been so long, and also provisionally delayed by nearly a week. lms.zsec.red launches today with my Malwareless Adversarial Emulation (MAE) course. If you signed up for the waitlist, you should have received an email.