I wrote a white paper at CYPFER regarding the techniques we use during our red team engagement. #redteam #cypfer linkedin.com/posts/charles-…

We’re seeing a clear trend: attackers are bypassing the endpoint entirely. Not just avoiding traditional EDR-monitored systems by pivoting to embedded and edge devices, but now also operating purely in the cloud. No shell, no malware, no persistence on the endpoint. Just an OAuth

I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️decoder.cloud/2025/04/24/fro…

BOF execution ⚡ is now live in Loki C2! Execute COFF files in backdoored Electron app memory using the ported COFFLoader project from TrustedSec! 🏴‍☠️ COFFLoader Project: github.com/trustedsec/COF…… Loki C2 Project: github.com/boku7/Loki

One more thing about my Hikvision journey: extracted the plaintext camera passwords from the NVR by MitM (actually connected to the NVR using a camera IP) and by downgrading the default HTTP digest authentication to basic using these RTSP server replies. gist.github.com/tothi/068426b4…

ok ok fine, for old time's sake haxx.in/files/limit-yo…

If you want to be a successful red teamer in 2025, do you have to be able to code(This includes with or without the assistance of LLM)?

Can’t win. Try to do the right thing and get told to fuck off by Microsoft, so you open source it WITH detection logic and you’re still the bad guy. Publicizing this sort of thing seems to be the ONLY way to force Microsoft to do their actual jobs and stop being lazy.

Took Akamai Security Intelligence Group's script for BadSuccessor and improved it a bit. - runs from non domain joined systems - works in forests - prints the rights each entity has on a OU - pre-flight check if 2025 DCs are present - code changes here and there github.com/LuemmelSec/Pen…

Critical 0-Day (CVSS 9.8) in Fortinet Products Actively Exploited A critical Fortinet zero-day (CVE-2025-32756, CVSS 9.8) is being actively exploited, allowing unauthenticated RCE. PoC available, patch immediately. securityexpress.info/critical-0-day…

How the new Bad Successor dMSA domain takeover attack works. #ThreatHunting #DFIR

Played with copilot for offensive coding. Tbh it is disappointing. If I asked sth for low-level the produced code is totally false and uncompilable. It was easier to use legacy (but still awesome) stuff like Donut, +polished my loader from lasy year. Still good in some scenarios.

🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live: 🪞 The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos: blog.redteam-pentesting.de/2025/reflectiv…

Watch Falcon 9 launch Dragon and Axiom Space's Ax-4 mission to the International Space Station x.com/i/broadcasts/1…