fin3ss3g0d (@fin3ss3g0d) 's Twitter Profile
fin3ss3g0d

@fin3ss3g0d

Red Team Operator | malware dev | reverse engineer | offsec tool dev. Tweets are unaffiliated with my employer. OSCP | OSEP | CRTO | CRTL

ID: 1752037207865425921

Link: https://linktr.ee/dylanevans11 | 29-01-2024 18:33:55

127 Tweet

135 Followers

45 Following

Steven Lim (@0x534c) 's Twitter Profile Photo

🧵 Red teams are shifting to stealthier AD enumeration via Active Directory Web Services (ADWS) over port 9389. Tools like SOAPHound, SoaPy & ShadowHound wrap LDAP queries in SOAP, bypassing traditional detections.

ipurple.team/2025/08/12/act…

A KQL to detect this type of AD
fin3ss3g0d (@fin3ss3g0d) 's Twitter Profile Photo

CypherHound github.com/fin3ss3g0d/cyp… now supports ALL traversable AD edges in BloodHound CE! There have been a lot of traversable edges added by SpecterOps over the last year, my project is providing prebuilt queries for you to use with the latest edges! Don't miss out!

fin3ss3g0d (@fin3ss3g0d) 's Twitter Profile Photo

I will be doing an in-depth blog post covering CypherHound and its capabilities soon! I recently got back into AD pen testing and revamped the tool with powerful enhancements. It’s a tool that now has to be in every AD pen test toolbox and I will soon explain why 🔥

RedTeam Pentesting (@redteampt) 's Twitter Profile Photo

SpecterOps found out that the EFS service (PetitPotam) can simply be activated by asking the endpoint mapper. Great research!🎓 Now our efsr_spray NetExec module is obsolete, but we're on it: This PR activates the service by default with coerce_plus 🚀 github.com/Pennyw0rth/Net…

db (@whokilleddb) 's Twitter Profile Photo

Do you want to trigger shellcode only when:
- Certain DNS resolution happens?
- Certain servers are reached out to?
- When you get a 112 byte long response?
...etc

Meet InternetSetStatusCallback() for fine tuning execution (or if you are just bored): 

gist.github.com/whokilleddb/59…
SpecterOps (@specterops) 's Twitter Profile Photo

Cookie theft has evolved. 🍪 Over the last year, stealing cookies on Windows devices has changed significantly for Chromium browsers like Chrome and Edge. Andrew Gomez dives into these changes, how threat actors adapt, & new detection opportunities. ghst.ly/45S1ZgW

Mr.Un1k0d3r (@mrun1k0d3r) 's Twitter Profile Photo

You want to load your shellcode in .NET without calling VirtualProtect? Use RuntimeHelpers.PrepareMethod to create a predictable RWX memory region for you. This method also doesn't require a delegate function pointer, since you override a .NET method. github.com/Mr-Un1k0d3r/Do…

Dylan Tran (@d_tranman) 's Twitter Profile Photo

Mr.Un1k0d3r Oh man I remember seeing this idea in SharpHellsGate github.com/am0nsec/SharpH… a while back and it blew my mind cause I couldn't find any talk on it. Glad to see the thing still being talked about. You could also do a deterministic alloc w/ dynamic assemblies gist.github.com/susMdT/2d13330…

Dirk-jan (@_dirkjan) 's Twitter Profile Photo

I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…