Ring3API 🇺🇦 (@ntlmrelay)'s Twitter Profile
Ring3API 🇺🇦

@ntlmrelay

#ThreatHunting / #BlueTeam engineer. I'm just looking for traces in the logs. Reading and retweeting cool stuff.
MITRE ATT&CK Defender:CTI,SOCAsses,AE,PTM,THDE.

ID: 394156689

Link: https://twitter.com/ Joined: 19-10-2011 17:12:20

14.14K Tweets

6.6K Followers

2.2K Following

VMRay (@vmray)

🔥 We uncovered notable shifts in how threat actors stage payload delivery, including emerging combinations of preferred loader, dropper and payload pairings. We think these insights reveal interesting patterns that were previously not shared, and provide a view of the

Florian Roth ⚡️ (@cyb3rops)

Many commented that determining when a breach began depends on how long the victim retains its logs. That’s simply not true. Log data is just one piece of forensic evidence, and often not even the most reliable. Analysts can build timelines from dozens of other artifacts – file

AlexandruC4 (@alexandruc4)

Europol and Latvian law enforcement dismantled five servers, seized 1,200 SIM box devices and 40,000 active SIM cards. The criminals were linked to over 1,700 cyber fraud cases in Austria and 1,500 in Latvia, causing losses of several million euros, including EUR 4.5 million in

Logan Goins (@_logangoins)

I feel like Yuval Gordon's briefly mentioned new dMSA account takeover mechanism in his last blog didn't get enough attention. A new account takeover mechanism is on the horizon. I wrote a blog detailing it, releasing with a new BOF I wrote called BadTakeover specterops.io/blog/2025/10/2…

Elastic (@elastic)

Stop wrestling with ES|QL syntax. The new Python query builder in the Elasticsearch client does the heavy lifting for you. 👉 Try it out on #ElasticSearchLabs: go.es.io/3WP6KU8

eversinc33 🤍🔪⋆。˚ ⋆ (@eversinc33)

Wrote a little tracer I found helpful when analyzing obfuscated .NET - might be useful for you, might be not. Have fun :3 github.com/eversinc33/Net…

SpecterOps (@specterops)

Credential Guard was supposed to end credential dumping. It didn't. Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm

Florian Roth ⚡️ (@cyb3rops)

The blog links a free NetNTLMv1 cracking site (ntlmv1.com) whose operator appears tied to Chengdu Mistiny Ltd., a company in Sichuan, China. I don't know if you really want to let them crack your hash values.

🕳 (@sekurlsa_pw)

Google research created a dataset with rainbow tables for NetNTLMv1 with the 1122334455667788 challenge. research.google/resources/data… Dataset is available for download at: ▪️console.cloud.google.com/storage/browse… [Login required] ▪️gs://net-ntlmv1-tables

Panos Gkatziroulis 🦄 (@netbiosx)

EDR-Redir uses a Bind Filter (mini filter bindflt.sys) and the Windows Cloud Filter API (cldflt.sys) to redirect the Endpoint Detection and Response (EDR)'s working folder to a folder of the attacker's choice github.com/TwoSevenOneT/E…

Panos Gkatziroulis 🦄 (@netbiosx)

🛠️ SockTail - Lightweight binary that joins a device to a Tailscale network and exposes a local SOCKS5 proxy. ✅ Designed for red team operations and ephemeral access into restricted environments using Tailscale’s embedded client (tsnet). github.com/Yeeb1/SockTail

TrustedSec (@trustedsec)

Forget common backdoors — a DLL hijack in Windows Narrator can grant SYSTEM-level persistence at login. In our new blog, Oddvar Moe shows how attackers abuse accessibility features and what defenders should monitor. Read now! trustedsec.com/blog/hack-cess…

🕳 (@sekurlsa_pw)

PowerShell script to copy locked files. Has two modes: MFT (master file table) and Metadata (fsutil). Last one didn’t work on my payload VM but MFT mode did work.

SpecterOps (@specterops)

AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 Jim Sykora went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ ghst.ly/3Lpmjzv

Melvin langvik (@flangvik)

I felt another MythicC2 demo and showcase was in order, showing off both the new Forge collection utility, but also my Apollo fork with HTTPx Malleable Profile support. Video is out now (link in comments)

Virus Bulletin (@virusbtn)

Bitdefender, with support from Georgian CERT, exposes Curly COMrades’ new tactic of deploying a tiny Alpine Linux VM via Hyper-V to run CurlyShell and CurlCat, securing persistence while bypassing standard EDR solutions. businessinsights.bitdefender.com/curly-comrades…

SEKTOR7 Institute (@sektor7net)

Dynamic EDR Evasion. A dive into auto-detecting EDR hooks and generating dynamic stager that compiles evasion-tailored payloads per target (with SHAPESHIFTER). A great post by Matt Hand (Matt Hand). Source: medium.com/@matterpreter/… #redteam #blueteam #maldev #evasion

Horizon Secured (@horizon_secured)

🔒 Secure Bits 💡 Have you ever heard of ESC vulnerabilities? I guess you have. If you're running Active Directory Certificate Services (AD CS) and haven't audited it for ESC misconfigurations — you may be sitting on a