Pierre Milioni (@b1two_)'s Twitter Profile

ID: 1064206144326025216

18-11-2018 17:18:11

69 Tweet

268 Followers

233 Following

Synacktiv (@synacktiv)

In his latest blogpost, Guillaume André analyzes MDI's detection of PKINIT authentication, explains how to bypass it and releases Invoke-RunAsWithCert, a tool to perform Kerberos authentication via PKINIT with the Windows API from a non domain-joined machine. synacktiv.com/publications/u…

Nathan Blondel (@slowerzs)

I wrote a blogpost on injecting code into a PPL process on Windows 11, without abusing any vulnerable driver. blog.slowerzs.net/posts/pplsyste…

Hugow (@hugow_vincent)

I've converted my SSTIC talk on #GitHub action exploitation to a series of blog posts with additional details, here is the first part ☀️

Synacktiv (@synacktiv)

Want to know how we prevented some CI/CD supply chain attacks against Microsoft, FreeRDP, AutoGPT, Ant-Design, Cypress, Excalidraw and others? Read the second article in our series on exploiting GitHub Actions by Hugow. synacktiv.com/publications/g…

Nick Powers (@zyn3rgy)

[Tool & Blog release] - smbtakeover, a technique to unbind/rebind port 445 without loading a driver, loading a module into LSASS, or rebooting the target machine. The goal is to ease exploitation of targeted NTLM relay primitives while operating over C2. Github repo is linked at

Synacktiv (@synacktiv)

We just rewrote the AsOutsider part of #AADInternals in Python to enhance compatibility and ease of use in Linux environments. You can find it here: github.com/synacktiv/AADO…

Adam Chester 🏴‍☠️ (@_xpn_)

Thanks to Théo Louis-Tisserand's PR, DPoP auth support has now been added to CloudNine for Okta which is used in agent versions >3.18.0 \o/ github.com/xpn/OktaPostEx…

Synacktiv (@synacktiv)

GitLab recently released a patch for the Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409). Our ninjas Alexis Danizan and Pierre Milioni analyzed the patch and wrote the exploit code! github.com/synacktiv/CVE-…

Dirk-jan (@_dirkjan)

Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃

Pierre Milioni (@b1two_)

Thrilled to see it merged! Note: some tools may not integrate well (without tweaks) with ntlmrelayx due to, for instance, concurrent LDAP connections, SMB queries before LDAP communications, or starttls. Check this PR comment for details and workarounds: github.com/fortra/impacke…

Synacktiv (@synacktiv)

We really love relaying authentication: you can now also perform NTLM relaying on SCCM Management and Distribution points thanks to the PR from Quentin Roland on ntlmrelayx (now merged upstream).

Synacktiv (@synacktiv)

A few months ago, Microsoft released a critical patch for CVE-2024-43468, an unauthenticated SQL injection vulnerability in SCCM/ConfigMgr leading to remote code execution, discovered by kalimero. synacktiv.com/advisories/mic…

Synacktiv (@synacktiv)

In our latest article, Quentin Roland proposes an implementation of a trick discovered by James Forshaw in his research. Discover how to perform pre-authenticated Kerberos relay over HTTP with our Responder and krbrelayx pull requests! synacktiv.com/publications/a…

SkelSec (@skelsec)

#pypykatz new version 0.6.11 is out on github and pip. Big thanks to all awesome contributors!! Besides the fixes, the two important things in this version: - Kerberos aes keys extraction is now supported - !!!!Windows 24H2 support is here!!!!! github.com/skelsec/pypyka…

/ˈziːf-kɒn/ (@x33fcon)

Got SCCM? You need to hear this! At #x33fcon, kalimero will share insights from his SCCM research, including tradecraft from real-world attacks and a critical unauthenticated SQL injection discovery (CVE-2024-43468). Essential for anyone managing or defending SCCM! Learn

Synacktiv (@synacktiv)

Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blogpost by Guillaume André and Wil. synacktiv.com/publications/n…

Synacktiv (@synacktiv)

The GroupPolicyBackdoor tool, presented at #DEFCON 2025, is now available on Synacktiv's GitHub: github.com/synacktiv/Grou… This python utility offers a stable, modular and stealthy exploitation framework targeting Group Policy Objects in Active Directory!

Synacktiv (@synacktiv)

🧑‍🎓 Boost your offensive Active Directory skills with our Entry & Advanced trainings. Hands-on labs with dozens of machines + latest research from DEFCON, x33fcon & more! Seats are limited, don’t miss out! 🔗 Entry: synacktiv.com/en/offers/trai… 🔗 Advanced: synacktiv.com/en/offers/trai…

GreHack (@grehackconf)

Synacktiv Volker bsecure.fr Orange Cyberdefense France 📢 #GreHack25 program release! New speaker on the line-up, a second ninja! 🥷 👤 Pierre Milioni from Synacktiv ➡️ Sharker: where Wireshark ends, we begin See you tomorrow for a next talk 🔥