André (@klist_sessions) 's Twitter Profile
André

@klist_sessions

eJPT, eCDFP. Following #infosec twitter. 🇵🇹

ID: 1349045060441149441

Joined: 12-01-2021 17:27:16

688 Tweets

43 Followers

914 Following

Malware Patrol (@malwarepatrol)

A recent #malware bypassed almost every public sandbox and antivirus, except Threat.Zone, and even evaded EDR/XDR in real-world incidents. Many banks, ISPs, and organizations were impacted. #ThreatIntelligence #onpatrol4malware malwation.com/blog/technical…

Mari0n (@pinkflawd)

I reverse engineered Lockbit's Linux ESXi variant, also explaining how I did some of the steps! For the fun of it, cause reverse engineering is lots of fun. Enjoy! hackandcheese.com/posts/blog1_lo…

SpecterOps (@specterops)

Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service remotely as a low-privileged user. Steven breaks down the service startup mechanics, plus the protocols and technologies. ghst.ly/41QT7GW

Two Seven One Three (@twosevenonet)

#redteam You can exploit the update functionality vulnerability of #Windows Defender to move its executable folder to a location of your choosing. After that, you can use DLL Sideloading for persistence, inject code, or simply disable it... #blueteam

Dirk-jan (@_dirkjan)

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

Matt Zorich (@reprise_99)

Interested in what real world Active Directory compromise looks like and how to prevent it? I wrote a deep dive on what we continually see when Active Directory gets owned. Hint: stop letting domain admins log onto all your endpoints. Read here - techcommunity.microsoft.com/blog/microsoft…

Stephan Berger (@malmoeb)

Mandiant mentioned the User Access Logs in their newest report [1]. We use the UAL extensively in our investigations, as this artifact can retain logs for a longer period of time, as outlined by Mandiant (and also covered in my Anti-Forensics presentation). "In addition to EDR

SpecterOps (@specterops)

Lateral movement getting blocked by traditional methods? werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG

DebugPrivilege (@debugprivilege)

Just posted a write-up on a DC hang traced to a deadlock inside LSASS. I break down call stacks, the blocked threads, and how doing LDAP work in DllMain triggered the issue. medium.com/@Debugger/serv…

Stephan Berger (@malmoeb)

Today I learned: Using diskshadow to fetch the NTDS.dit. As mentioned several times, I love reading the HTB writeups from 0xdf because I always learn something new. Like here [1]: "To dump the domain hashes, I’ll want to get the C:\Windows\NTDS.dit file. Unfortunately, this file

SpecterOps (@specterops)

Credential Guard was supposed to end credential dumping. It didn't. Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm

Stephan Berger (@malmoeb)

Today I learned: SeManageVolumePrivilege. While reading the HTB write-up for Certificate, I learned about SeManageVolumePrivilege. [1] A video by Grzegorz Tworek goes into great detail about how to abuse SeManageVolumePrivilege. [2] The privilege provides direct access to the

SpecterOps (@specterops)

AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 Jim Sykora went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ ghst.ly/3Lpmjzv

Thomas Roccia 🤘 (@fr0gger_)

👀 OpenSource Malware: an open database for tracking malicious open-source packages from npm, PyPI, GitHub repos! Great source of intel feed for supply-chain attacks! 👇 opensourcemalware.com

Mandiant (part of Google Cloud) (@mandiant)

One compromised Microsoft Entra ID or Azure account can lead to a full tenant takeover. Our new framework ranks roles by risk and adds strong MFA + secure admin workstations to protect the most critical accounts. Read the whitepaper: bit.ly/47GbPTU
