Arun (@dazzyddos) 's Twitter Profile
Arun

@dazzyddos

An Otaku. Views are my own.

ID: 820516515829006336

Link: https://dazzyddos.github.io
Joined: 15-01-2017 06:22:36

3.3K Tweets

1.1K Followers

922 Following

Philip Tsukerman (@philiptsukerman) 's Twitter Profile Photo

Looks like NULLCON Berlin talks are out, so you can watch Rotem Salinas and me in my return to doing conference talks! We have some nice info about Microsoft EPM, a cool exploitation trick with the Cloud Filter driver, and a no-fix LPE for you here :) youtube.com/watch?v=0H4jcE…

SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Hunting EDR Freeze...

A recent EDR-Freeze technique by Two Seven One Three (@TwoSevenOneT) can suspend a given EDR process.
Now it's time to hunt it down with few logs and clever correlation.

The post: blog.axelarator.net/hunting-for-ed…

#redteam #blueteam #maldev

Andrea Pierini (@decoder_it) 's Twitter Profile Photo

Just published a summary of "modern" Windows authentication reflection attacks. Turns out reflection never really died. 😅 decoder.cloud/2025/11/24/ref…

CodeX (@codex_tf2) 's Twitter Profile Photo

Added my ICMP, NTP and Websocket C2 channel examples to the public repo. github.com/CodeXTF2/Custo… Also accompanying blog post explaining the template: codex-7.gitbook.io/codexs-termina… pls no flame bad code :D Websocket channel in action:

SpecterOps (@specterops) 's Twitter Profile Photo

NTLM relays failing because of EPA? 😒 Nick Powers & Matt Creel break down how to enumerate EPA settings across more protocols + drop new tooling (RelayInformer) to make relays predictable. Check out their blog for more: ghst.ly/4rqwpRs

deceptiq (@deceptiq_) 's Twitter Profile Photo

New post: Field Notes on Malware

A look at how C2 frameworks are evolving their evasion techniques and what it means for detection.

deceptiq.com/blog/field-not…

sapir federovsky (@sapirxfed) 's Twitter Profile Photo

My gift for Thanksgiving 💜 I wrote for you the blog post I always wanted to read! Happy holiday!🦃 PLEASE READ IT!!! wiz.io/blog/recent-oa…

Graham Helton (@grahamhelton3) 's Twitter Profile Photo

I'm releasing research soon detailing a technique to take over Kubernetes clusters. It allows running arbitrary commands in EVERY pod in the cluster using only a commonly granted "read only" RBAC permission.

Oh and it's not logged by Kubernetes AuditPolicy 👀

dreadnode (@dreadnode) 's Twitter Profile Photo

"Offense and defense aren't peers. Defense is offense's child." - John Lambert (@JohnLaTwC)

We built an LLM-powered AMSI provider and paired it against a red team agent. Then, Max Harley (@0xdab0) wrote a blog about it: dreadnode.io/blog/llm-power…

A few observations from the experiment:

>>> To advance, we

Outflank (@outflanknl) 's Twitter Profile Photo

New blog by Outflank’s @KyleAvery: Linux process injection leveraging seccomp to inject shared libraries into Linux processes without LD_PRELOAD, ptrace, or elevated privileges. Parent-to-child injection at any ptrace_scope level 💪😎 Tech details here: ow.ly/KwBh50XGvrC

SpecterOps (@specterops) 's Twitter Profile Photo

SCOM is one of the most deployed, but least researched, System Center products. Zach Stein breaks down how it works + how to build a lab to test new tradecraft. ghst.ly/4prZMRI

SpecterOps (@specterops) 's Twitter Profile Photo

Wanting more from today's #BHEU talk on SCOM? Check out this two part blog series! 1️⃣ Garrett maps SCOM’s roles, accounts, & trust boundaries, then shows how attackers can chain insecure defaults into full management group compromise. ghst.ly/3MBPeAW 🧵: 1/2

Huntress (@huntresslabs) 's Twitter Profile Photo

A single hypervisor breach can put hundreds of virtual machines at risk.

We’ve seen Akira and others shift to ESXi/Hyper-V for mass impact.
✅ They use legit tools (like openssl)
✅ Bypass EDR
✅ Encrypt VMDKs directly

📃 RussianPanda 🐼 🇺🇦 (@RussianPanda9xx) Dray Agha (@Purp1eW0lf)
huntress.com/blog/hyperviso…

klez (@klezvirus) 's Twitter Profile Photo

[RELEASE] As promised, I’m releasing the first blog post in a series. It covers the gaps still present in current stack-based telemetry and how Moonwalking can be extended to evade detection logic and reach “on-exec” memory encryption. Enjoy ;) klezvirus.github.io/posts/Moonwalk…

Ryan (@haus3c) 's Twitter Profile Photo

Dusting off the ol' blog with some notes on Azure Storage Accounts attacks and detections. hausec.com/2025/12/15/azu…

Nicolas Krassas (@dinosn) 's Twitter Profile Photo

Fully autonomous AI hacker to find actual exploits in your web apps. Shannon has achieved a 96.15% success rate on the hint-free, source-aware XBOW Benchmark. github.com/KeygraphHQ/sha…

Alexis (@_heilancoos) 's Twitter Profile Photo

I fell down the Kubernetes security rabbit hole. So I wrote a deep-dive on attack techniques, detection engineering, and scripts to test everything in a lab. Shoutout to @GrahamHelton and Rory McCune for their previous work! heilancoos.github.io/research/2025/…

_Ray (@_rayrt) 's Twitter Profile Photo

One-shot ESC1 + unPAC BOF for Havoc and CS. The certificate request includes the target's SID in the SAN to comply with strong mapping requirements (KB5014754). Hope it’s useful github.com/RayRRT/ESC1-un…

Bishop Fox (@bishopfox) 's Twitter Profile Photo

Tool Spotlight: IAM Vulnerable

IAM Vulnerable is an open source playground that spins up intentionally vulnerable IAM configs so you can practice finding and exploiting real privesc paths safely.