In our latest blogpost, Quentin Roland presents an often overlooked AD attack surface related to OUs ACLs,with the release of a dedicated exploitation tool, OUned.py (github.com/synacktiv/OUned). synacktiv.com/publications/o…

More scrutiny of PwC's auditing Evergrande's liquidation lawyers are looking into auditor's role in Evergrande overstating its revenue by $78 Billion over two years through 2020. $78 Billion over two years! "Lawyers appointed by the liquidators of China Evergrande Group

Something that was extremely helpful for me yesterday is this PR by to properly handle cross-realm tickets requests. Having got a [email protected] that is a member of ForeignSecurityPrincipals container in B.LOC, I could successfully request her ST and pwn B 🥰 github.com/fortra/impacke…

''Sleeping Safely in Thread Pools | White Knight Labs'' #infosec #pentest #redteam #blueteam whiteknightlabs.com/2024/04/30/sle…

Decorrelate attack tool behaviour to avoid EDR interference. In this post, Aurélien Chalot writes about how remote LSA secrets dumping works and retrieves a Windows computer's BOOTKEY using less common methods. sensepost.com/blog/2024/dump…

If you want to take a happy little journey through PEB structs, PE headers and kernel32.dll Export Table to spawn some "calc.exe" on x64 using Assembly, here it is. Enjoy :) print3m.github.io/blog/x64-winap…

MaLDAPtive - a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection github.com/MaLDAPtive/Inv…

shellsilo - a cutting-edge tool that translates C syntax into syscall assembly and its corresponding shellcode github.com/nixpal/shellsi…

Personal update: if you need a guy who is passionate on innovative in-the-wild zero-day exploit detection and advanced vulnerability research, please let me know. DM open. :)

HTB: EvilCUPS 0xdf.gitlab.io/2024/10/02/htb…

The PrintNightmare is not Over Yet itm4n.github.io/printnightmare…

Following up on my earlier tweet (x.com/decoder_it/sta…) regarding Kerberos relay with SMB server, I've uploaded my quick & dirty version. It's far from perfect, so feel free to improve it! github.com/decoder-it/Krb…

New tool published which is proving to be useful. Cred1py allows execution of the CRED-1 SCCM attack published by Christopher Panayi over SOCKS5 UDP by wrapping the awesome PxeThiefy.py from Carsten. Enjoy :) github.com/SpecterOps/cre…

Want to check for #ESC15 ? Use the following cypher with #BloodHound MATCH p=(:Base)-[:MemberOf*0..]->()-[:Enroll|AllExtendedRights]->(ct:CertTemplate)-[:PublishedTo]->(:EnterpriseCA)-[:TrustedForNTAuth]->(:NTAuthStore)-[:NTAuthStoreFor]->(:Domain) WHERE

portswigger.net/research/bypas…

Check out my latest blog post on how the NTDS.dit file is used by Active Directory, and my accompanying tool, DIT Explorer, for browing the data contained within NTDS.dit. Blog post: trustedsec.com/blog/exploring… DIT Explorer on Github: github.com/trustedsec/Dit…

This cropped up recently for me and hopefully save someone some time... If you're exploiting ADCS and get a KDC_ERR_CERTIFICATE_MISMATCH error, this is down to strong mapping enforcement. Just supply the SID + UPN during your cert request and gtg as normal