So you want to exploit ADCS ESC8 with only netexec and ntlmrelayx ? Fear not my friend, I will show you how to do it 👇 NetExec now supports "Pass-the-Cert" as an authentication method, thanks to Dirk-jan original work on PKINITtools ⛱️

Achievement unlocked, my first blog with SoecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion. posts.specterops.io/adfs-living-in…

imo way to complicated to extract the ntds, once you got a user with backup privilege group just do: 1⃣ nxc smb dc -u user -p pass -M backup_operator 🏆

Un article de t0muxx, chercheur pour Shindan , traitant d'Operation Triangulation vient de paraitre dans le dernier MISCmag. Voici le synopsis: "La révélation de l'Opération Triangulation par Kaspersky, une attaque dont ils ont été la cible en 2023, a mis en lumière une

--generate-krb5-file

While doing internal assessments, I was often able to bypass EDR's because of them trusting legitimate binaries. In this blogpost I'll show why trust is wrong creating a python wrapper for PsExeSVC.exe (M$) and explain why zero trust is mandatory! tinyurl.com/4vr94skf

In our latest article, laxa revisits the secretsdump implementation, offering an alternative avoiding reg save and eliminates writing files to disk, significantly reducing the likelihood of triggering security alerts. Read the details at synacktiv.com/publications/l….

Enjoy the easy keepass.exe discovery :D :D

Bypass AMSI in 2025, my newest blog post is published 🥳! A review on what changed over the last years and what's still efficient today. en.r-tec.net/r-tec-blog-byp…

New Active Directory Mindmap v2025.03! 🚀 📖 Readable version: orange-cyberdefense.github.io/ocd-mindmaps/i… 🔧 Now fully generated from markdown files—way easier to update and maintain! 💡 Got improvements? PRs welcome! 👉 github.com/Orange-Cyberde…

Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post sensepost.com/blog/2025/divi…

GOAD Writeup - Part 14: ADCS – The Rest Exploiting ESC 5, 7, 9, 10, 11, 13, 14, and 15 in Game of Active Directory. mayfly277.github.io/posts/ADCS-par…

Today I'm releasing Xenon, a custom Mythic agent for Windows targets written in C. Notable features include: 📁 Modular command/code inclusion 🦠 Malleable C2 Profile support 🪨 Compatible with Cobalt Strike BOFs github.com/MythicAgents/X… Blog series - c0rnbread.com/creating-mythi…

Evading Defender by Embedding Lua into Rust by Dylan Reuter synercomm.com/evading-defend…

📩 Exchange Exploitation - Part 1 (Without Credentials) Explore Exchange exploitation in Game of Active Directory and learn about attacks without valid credentials. mayfly277.github.io/posts/Exchange…

As promised... this is Loki Command & Control! 🧙‍♂️🔮🪄 Thanks to Dylan Tran for his work done on the project and everyone else on the team for making this release happen! github.com/boku7/Loki

NetExec v1.4.0 has been released! 🎉 There is a HUGE number of new features and improvements, including: - backup_operator: Automatic priv esc for backup operators - Certificate authentication - NFS escape to root file system And much more! Full rundown: github.com/Pennyw0rth/Net…

In case you missed it, check out my Youtube channel with videos mostly related to Windows Internals: youtube.com/@zodiacon.

Today, I’m excited to introduce Nimhawk C2 – an APT-style framework built in Nim, months in the making. 🥷 🔗 github.com/hdbreaker/Nimh… Call to the community: Nimhawk is constantly evolving. If you're passionate about Malware Development and love Nim, come join & contribute! 🚀

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH '-516' WITH COLLECT(c1[.]name) AS dcs MATCH (c2:Computer) WHERE c2.enabled = true AND (c2.operatingsystem contains '2025') AND (c2[.]name IN dcs) RETURN c2[.]name If this query hits, you're in.