Lateral movement getting blocked by traditional methods?
@werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code. ghst.ly/4pN03PG
Fact: Remote service and scheduled task creation bypass firewalls on DCs and Win file servers because of SMB tunnelling.
Solution: Create RPC filters that block MS-SCMR and MS-TSCH over named pipes. The latter has 3 UUIDs, so blocking the atsvc pipe is more elegant. #DSInternals
Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM.
github.com/trustedsec/Tit…
Better late than never. I wrote a post that analyzes the Salesloft-Drift breach in the context of Attack Paths.
specterops.io/blog/2025/09/2…
My main takeaways:
1) Hybrid paths are not limited to two platforms owned by the same organization
2) Ad-hoc paths arise when passwords are…
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…
Even with HTTPS, Windows Server Update Services can be abused if attackers obtain a trusted certificate, allowing authentication relay. In our blog, @Coontzy1 explains how WSUS traffic can be found and abused, and what sparked his investigation. Read now! trustedsec.com/blog/wsus-is-s…
ICYMI: SO-CON is returning to Arlington, VA! #SOCON2026 will be bigger than before with a new third talk track.
🧑‍🏫 Conference: April 13-14, 2026
💻 Training: April 15-18, 2026
Sign up now to receive updates → specterops.io/so-con/
We are back with our BloodHound t-shirt fundraiser! 🙌
Grab your BloodHound 8.0 shirt today. All funds raised will go directly to @HopeforHIE, the global voice for families affected by Hypoxic Ischemic Encephalopathy.
👕: ghst.ly/bh8-tshirt
knew win10 had the dsquery.dll laying around but never knew what to do with it
"rundll32.exe dsquery.dll OpenQueryWindow" will pop open a console for you and you can do some light LDAP recon
you can also open it with win + ctrl + f
probably useful for VDI/Citrix type tests
There's no one-size-fits-all C2 framework.
That's why @its_a_feature_ spent 7 years building Mythic, & learning lessons along the way. Join Cody at @MCTTP_Con, where he will share the tips & tricks every red teamer needs to hear.
Learn more: ghst.ly/4mGUBw2
I recently came across a great blog from Chris Farris on AWS ransomware techniques using KMS. I decided to test it out in my own lab and ended up writing a post that showcases the attack path in RDS and EBS, plus what defenders can do about it.
heilancoos.github.io/research/2025/…
Oh, that's nice! I've done something similar recently with a vibe coded HTTP proxy server run in context of the target user to access the needed web resource behind domain authentication instead of an LDAP relay 😁 https://t.co/1UQiifmTjQ
🚨 New #BloodHound shirt alert 🚨
✅ - Unisex and ladies sizes available
✅ - Cool design :)
✅ - ALL profits go to charity:
Hope for HIE, which supports families suffering the effects of hypoxic ischemic encephalopathy
Get your shirt here: ghst.ly/bh8-tshirt
ICYMI: Our BloodHound t-shirt fundraiser is happening now!
Add the BloodHound 8.0 shirt to your collection today! All funds raised will go directly to @HopeforHIE, the global voice for families affected by Hypoxic Ischemic Encephalopathy.
👕: ghst.ly/bh8-tshirt