Michael Eder @edermi@infosec.exchange (@michael_eder_) 's Twitter Profile
Michael Eder @edermi@infosec.exchange

@michael_eder_

aka edermi

ID: 2601752646

Link: http://edermi.github.io | Date: 03-07-2014 14:40:21

5.5K Tweets

976 Followers

574 Following

SpecterOps (@specterops)

Introducing the BloodHound Query Library! 📚 Martin Sohn & Joey Dreijer explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ

SkelSec (@skelsec)

Well, it happened. The company I worked at for 6 years will be closing and thus I got laid off. This doesn't affect Octopwn operations in any negative ways, but I'm actively looking for a new day job. If someone has something please DM me. Retweets are appreciated.

Alex Neff (@al3x_n3ff)

Releasing a side project of mine: wsuks - automating the WSUS mitm attack🔥 github.com/NeffIsBack/wsu… TL;DR: If the Windows Server Update Service (WSUS) is configured to use HTTP instead of HTTPS, it's possible to take control of any Windows machine on your local network. 1/4🧵

Garrett (@unsigned_sh0rt)

Last week we added ELEVATE-4 github.com/subat0mik/Misc… to Misconfiguration Manager. tl;dr If SCCM uses AD CS for PKI, client auth certs are "borrowed" by clients during OSD. This will typically be a distribution point but could be the site server in all-in-one deployments...

Oddvar Moe (@oddvarmoe)

🔥 Not your typical remote access tool… but it works. Chrome Remote Desktop isn’t just for tech support—it can be quietly repurposed for red team operations. I break down the how and why in my latest post. 👇

5pider (@c5pider)

Introducing Havoc Professional: A Lethal Presence We’re excited to share a first look at Havoc Professional, a next-generation, highly modular Command and Control framework, and Kaine-kit our fully Position Independent Code agent engineered for stealth! infinitycurve.org/blog/introduct…

SpecterOps (@specterops)

Classic NTLM relay problem: Stuck on port 445/TCP, can't use WMI (needs 135/TCP), and dumping hashes triggers EDR alerts. So what's a stealthy attacker to do? 🤔 Our latest blog post explores evasive alternatives beyond the old techniques. ghst.ly/3ILR1l0

SpecterOps (@specterops)

The industry recommendation for DPAPI backup key compromise remediation is to destroy and rebuild the environment. Alexander Sou explores why this is the current industry guidance. ghst.ly/40DTLHk

hashcat (@hashcat)

hashcat v7.0.0 released! After nearly 3 years of development and over 900,000 lines of code changed, this is easily the largest release we have ever had. Detailed writeup is available here: hashcat.net/forum/thread-1…

RedTeam Pentesting (@redteampt)

👀Turns out MS-EVEN can do a lot more than NULL auth: In addition to leaking environment variables, it is possible to coerce authentication from arbitrary logged on users* 🤯 *If you are willing to trigger Windows Defender.

SpecterOps (@specterops)

Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service remotely as a low-privileged user. Steven breaks down the service startup mechanics, plus the protocols and technologies. ghst.ly/41QT7GW

RedTeam Pentesting (@redteampt)

SpecterOps found out that the EFS service (PetitPotam) can simply be activated by asking the endpoint mapper. Great research!🎓 Now our efsr_spray NetExec module is obsolete, but we're on it: This PR activates the service by default with coerce_plus 🚀 github.com/Pennyw0rth/Net…

Panos Gkatziroulis 🦄 (@netbiosx)

🛠️ Tool to interact with remote hosts using the Windows Search Protocol and coerce authentication. 🎯 The target host will connect over SMB to the listener host using the machine account github.com/slemire/WSPCoe…

Dirk-jan (@_dirkjan)

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…

Nic Losby (@blurbdust)

Florian Roth ⚡️ Justin Elze Feel free to use the tables I made last year locally! They were created specifically to not send hashes to third parties. (I have no affiliation with ntlmv1.com)

Alex Neff (@al3x_n3ff)

NetExec turned 2 years old this month🎉 Time to take a look at what we have achieved so far! As I love stats, I want to share some imo interesting numbers about NetExec: 4,853⭐ ~100,000 clones/14 days => ~2,4mio clones ~7,200 unique clones/14 days => ~172,800 unique clones 1/4🧵

The Lunduke Journal (@lundukejournal)

Multiple, serious security vulnerabilities found in the Rust clone of Sudo — which shipped with Ubuntu 25.10 (the most recent release). Not little vulnerabilities: We’re talking about the disclosure of passwords and total bypassing of authentication. In fact, we’re getting new

RedTeam Pentesting (@redteampt)

🚨8 months after public disclosure, Red Hat Enterprise Linux, AlmaLinux and Rocky Linux are still vulnerable to a Ghostscript RCE with a reliable public exploit (CVE-2025-27835 and others)! It can be triggered by opening LibreOffice docs or through a server that uses ImageMagick for file conversion!