Scott Brink (@_sandw1ch)'s Twitter Profile
Scott Brink

@_sandw1ch

Hacker @ IBM X-Force Red | DCTV Goon | RIT Alum | He/Him | Opinions are my own

ID: 1512210716

13-06-2013 02:38:25

2,2K Tweet

600 Followers

1,1K Following

Logan Goins (@_logangoins)

Created another write-up, this time on NTLM relay attacks to LDAP(S), including details of WebClient coercion, NTLM transport vulnerabilities, and finally device takeover after achieving authentication. You can read about it on my blog :) logan-goins.com/2024-07-23-lda…

Alex Neff (@al3x_n3ff)

🔥We have big news for you, NetExec now has a new protocol: NFS🔥
Main features:
- Detecting NFS servers
- List exported shares
- Recursive enumeration of shares
- Up&Download files

Many thanks to Mehmetcan TOPAL who had the idea and implemented the protocol with me.
SpecterOps (@specterops)

BOFHound can now parse AD CS objects, manually queried from LDAP, for review and Attack Path mapping within BloodHound Community Edition. Matt Creel digs into this addition in his latest blog post and shares a few queries to get you started. ghst.ly/3NKMYER

drm (@lowercase_drm)

Coffee break thoughts: "is it possible to bruteforce RPC endpoint to perform code exec if you can't access EPM/SMB?"

99% impacket atexec + 1% "for loop" = 100% prod ready
gist.github.com/ThePirateWhoSm… (silent command only)
h/t SAERXCIT 🌻
Alex Neff (@al3x_n3ff)

NetExec has a new Module: Timeroast🔥

In AD environments, the DC hashes NTP responses with the computer account NT hash. That means that you can request and brute force all computer accounts in a domain from an UNAUTHENTICATED perspective!

Implemented by Disgame

1/3🧵
Melvin langvik (@flangvik)

Upping my thumbnail game, I think?😅 Did a video instead of stream today, might actually be useful for peeps! youtube.com/watch?v=9F9L4c…

Logan Goins (@_logangoins)

This is a simple .NET tool I wrote as a part of my research with Jonathan Beierle called Krueger, meant for disabling EDR remotely with WDAC to assist in lateral movement activities. github.com/logangoins/Kru…

nc (@thoughtfault)

Hey guys, as a thank you to all the new followers, I will be dropping 0days all this week until Apache 0day. Here's an ACE vulnerability in 7Zip, run this command, pop calc.exe. pastebin.com/QhcTEQz9 #0day #infosec

Panos Gkatziroulis 🦄 (@netbiosx)

ThievingFox - Remotely retrieving credentials from password managers and Windows utilities blog.slowerzs.net/posts/thieving… #redteam

Barnacules Nerdgasm (@barnacules)

Did you know you can activate Windows 11 using a 3rd party activation server on the internet outlined in dozens of GitHub projects that Microsoft purposefully doesn't try to stop because at the end of the day, they want you running Windows 11 because you're the product! 😏

Matt Zorich (@reprise_99)

The Microsoft AI Red Team recently released both a blog and an in-depth whitepaper after red teaming 100+ different GenAI products. The research is extremely interesting, while also being very approachable for those who aren't experts in AI. Importantly, the white paper is also

Horizon3 Attack Team (@horizon3attack)

Today, we are disclosing the details of 4 vulns affecting #Ivanti #EPM which allow an unauth attacker to coerce the machine credential of the EPM server to be used in relay attacks. horizon3.ai/attack-researc… Depending on the environment, compromising the EPM server may be

Daniel (@0x64616e)

Impersonate another user by moving their Kerberos tickets into your logon session with lsa-whisperer by Evan McBroom. You can even move them back after you are done. Only your session will lose its tickets.

Brian in Pittsburgh (@arekfurt)

In my opinion, the dMSA elevation of privilege vulnerability in Active Directory in Windows Server 2025 that has been reported by Akamai is a showstopper bug. Meaning you should not move to Windows Server 2025 on any domain controllers until it is fixed.

✞ inversecos (@inversecos)

Red teamers, no need to “pull” clipboard data when Windows already saves it all on disk for you in a neat little file 🗿

(including past clipboard items)

inversecos.com/2022/05/how-to…
Sean Metcalf (@pyrotek3)

The Print Spooler service is a default service on Windows Servers and is set to run at startup. There are a number of attacks that are enabled by having the Print Spooler service running on Domain Controllers (ex.: Printer Bug: adsecurity.org/?p=4056)

At this point it's best to
Daniel Streefkerk (@egosumdns)

Remember when AADInternals made M365 tenant enumeration trivial? 😢 Microsoft closed that door, but I've documented some techniques that still work: ✅ EOP smart host validation ✅ SPF/TXT reconnaissance ✅ MOERA inference techniques dstreefkerk.github.io/2025-07-m365-e…