Alex Neff (@al3x_n3ff)'s Twitter Profile
Alex Neff

@al3x_n3ff

Pentester | Maintainer of NetExec

ID: 3818227348

Link: https://github.com/NeffIsBack | Date: 29-09-2015 21:18:41

351 Tweet

2,2K Followers

124 Following

TrustedSec (@trustedsec)

Even with HTTPS, Windows Server Update Services can be abused if attackers obtain a trusted certificate, allowing authentication relay. In our blog, Coontzy1 explains how WSUS traffic can be found and abused, and what sparked his investigation. Read now! trustedsec.com/blog/wsus-is-s…

Dirk-jan (@_dirkjan)

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

SkelSec (@skelsec)

pushed an update to pypykatz just now. NOT yet on pip, because first I'm waiting for feedback if it reliably works. The main issue it solves is the parsing of the new 24H2 update introduced some changes which made parsing not work github.com/skelsec/pypyka…

Aurélien Chalot (@defte_)

Dumping LSASS is old school. If an admin is connected on a server you are local admin on, just create a scheduled task asking for a certificate on his behalf, get the cert, get its privs. All automatized in the schtask_as module for NetExec 🥳🥳🥳

S3cur3Th1sSh1t (@shitsecure)

You got access to vsphere and want to compromise the Windows hosts running on that ESX? 💡 1) Create a clone into a new template of the target VM 2) Download the VMDK file of the template from the storage 3) Parse it with Volumiser, extract SAM/SYSTEM/SECURITY (1/3)

SpecterOps (@specterops)

Lateral movement getting blocked by traditional methods? werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG

Aurélien Chalot (@defte_)

If you weren't able to reproduce the ntlm reflection cross protocol attack ctjf, Alex Neff and I described (targeting ChannelBinding protected endpoints), it's because ntlmrelayx was broken. Git pull the latest version and it will work :) (thx gabrielg5 and anadrianmanrique)

Alex Neff (@al3x_n3ff)

A new NetExec module: certipy-find🔥 As ADCS is still configured insecurely in many environments, I decided to integrate the certipy find command into NetExec. Now you can quickly find and enumerate vulnerable templates before bringing out the big guns.

mpgn (@mpgn_x64)

PingCastle-Notify update ! 🎉 - Add your own custom modules 🏗️ - Updated Slack & Teams, added Discord 🛠️ - New options: -noscan, -full_report, notify when no changes 🆕 - ANSSI rules link included 🐳 ➡️ github.com/LuccaSA/PingCa…

Alex Neff (@al3x_n3ff)

This year, a friend and I created two Active Directory challenges for the CTF! For people who have never touched Active Directory security before, I also made an introductory walkthrough that covers the basics. Total: - Intro: Baby - Challenge 1: Easy - Challenge 2: Medium/Hard

FluxFingers (@fluxfingers)

Hacklu CTF has started, our furniture store has opened for business! In the next 48 hours, you can buy as many products as you can and try to win nice prizes from our sponsors!

Smukx.E (@5mukx)

Trust Issues – Attacking Trust in Active Directory TLDR; this blog covers attack chains abusing Trust account TDO in One-Way Outbound & Bidirectional Trusts. What the TDO can/can't do and Compromise shura.lab via shared CA trust in kapla.lab lorenzomeacci.com/trust-issues-a…

SpecterOps (@specterops)

Credential Guard was supposed to end credential dumping. It didn't. Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm

HD Moore (@hdmoore)

SpecterOps released "DumpGuard" along with a detailed article on how they were able to bypass Windows Credential Guard in both privileged and unprivileged contexts. I learned a ton about Isolated LSA and friends: specterops.io/blog/2025/10/2…
