I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

kernel hackers go serverless ring0 → cloud 9 ☁️ ?? brb pwning yr gpu nodes ✨

I came across a WMI Win_32 Process replacement with some extra useful functionality. specterops.io/blog/2025/09/1…

I just released Flareprox 🔥 A Cloudflare based Fireprox alternative that allows you to route HTTP traffic through Cloudflare, to gain mostly unique IP Addresses, to avoid detection and blocks.

Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM. github.com/trustedsec/Tit…

Lateral movement getting blocked by traditional methods? werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG

What happens when the User-Account-Restrictions property gets misconfigured? Spoiler: It's not good. From account compromise to full domain takeover, Garrett breaks down why this permission set is more dangerous than most realize. ghst.ly/4mKgycH

Enjoying the rooftop pool before Offensive AI Con 👀

I am also enjoying the rooftop pool before Offensive AI Con

Can’t say enough great things about Offensive AI Con. The people, the conversations, the vibes were unmatched. Can’t wait to see everyone again next year and excited to see the progress we all make in the offensive community.

CVE-2025-23282 is going to debut tomorrow at Hexacon in our talk "CUDA de Grâce" w/ chompie, but you can try CVE-2025-23332 now! Tweetable Python PoC: ``` import fcntl fcntl.ioctl(open('/dev/nvidiactl'),218,0) ```

tfw a tweetable PoC can take down yr cloud compute

Can we eliminate the C2 server entirely and create truly autonomous malware? On the Dreadnode blog, Principal Security Researcher Max Harley details how we developed an entirely local, C2-less malware that can autonomously discover and exploit one type of privilege escalation

Getting some downtime in EU post-Offensive AI Con . Thank you to all the community, sponsors, co-organizers, and speakers that helped make it such as amazing first year! A few more days to relax, then it’s back to the grind, exciting things coming!

Service triggers can be a pentester’s secret weapon, letting low-priv users quietly fire up powerful services. In our new blog, freefirex breaks down the types of service triggers that exist and how they can be activated with little to no code required. trustedsec.com/blog/theres-mo…

Remotely enable the EFS service for Win11 systems? No problem with rpcping. Just worked for me from remote with a low privileged user. 🧐

I feel like Yuval Gordon's briefly mentioned new dMSA account takeover mechanism in his last blog didn't get enough attention. A new account takeover mechanism is on the horizon. I wrote a blog detailing it, releasing with a new BOF I wrote called BadTakeover specterops.io/blog/2025/10/2…

Coercing machine authentication on Windows 11 /2025 using the MS-PRN/PrinterBug DCERPC edition, since named pipes are no longer used. Kerberos fails in this case due to a bad SPN from the spooler, forcing NTLM fallback.