Dave Cossa

@G0ldenGunSec

Followers
2K
Following
3K
Media
17
Statuses
845

Adversary Simulation @xforce/ Frequent reader of the first page of Google results / Occasional reader of the second page of Google results

USA
Joined September 2017
@G0ldenGunSec
Dave Cossa
5 months
Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence.
ibm.com
Explore how Azure Arc can be identified in environments, misconfigurations in deployment can allow for privilege escalation, an overprovisioned Service Principal can be used for code execution and...
7
84
190
@catc0n
Caitlin Condon
6 days
Our initial access team has a deep dive blog out this week on creating .NET serialization gadgets by hand (or, alternatively, just using the new .NET deserialization library in VulnCheck's open-source go-exploit framework for your exploit dev needs)
vulncheck.com
Vulnerability intelligence that predicts avenues of attack with speed and accuracy.
0
39
100
@knavesec
Ellis Springe
7 days
Come join the team! Long-term operations with some of the best in the world with guaranteed development time. This kind of opportunity doesn't come around often 😀
@passthehashbrwn
Josh
7 days
If you're into serious red teaming with a crazy skilled team we've got a US based opening!
0
1
2
@passthehashbrwn
Josh
7 days
If you're into serious red teaming with a crazy skilled team we've got a US based opening!
ibmglobal.avature.net
3
35
135
@DebugPrivilege
DebugPrivilege
12 days
As a fun side project - I’ve started tracking vendors whose guides ask customers to create ESC1-style certificate templates, leaving an entire environment exposed 😅
medium.com
This post isn’t about vendor-bashing. With attacks against Active Directory Certificate Services (ADCS) increasing, I want to show how…
5
39
140
@0xBoku
Bobby Cooke
11 days
Venom C2 tool drop! During a recent red team engagement we needed a simple python agent that needs no dependencies to setup persistence on some exotic boxes we landed on. Some had EDR so we didn't want anything off-the-shelf. The server, agent, and client were made
10
90
421
@capt_red_beardz
Patrick Fussell
15 days
Any Canadian friends with strong red team backgrounds looking for an AdvSim spot? https://t.co/Ba8V6QcYoP
ibmglobal.avature.net
1
12
43
@JimSycurity
Jim Sykora
18 days
AdminSDHolder is kinda my jam. I wrote the e-book on it. If you work with Active Directory, I highly recommend you give this a skim, or at least check the spoilers in the blog.
@SpecterOps
SpecterOps
18 days
AdminSDHolder: the AD security feature everyone thinks they understand but probably don't. 😬 @JimSycurity went to the source code to debunk decades of misconceptions — including ones in Microsoft's own docs. Read more ⤵️ https://t.co/Vo9XksEfmn
2
34
195
@unsigned_sh0rt
Garrett
19 days
Microsoft (kinda) deprecated DES in SCCM which caused some of the policy related tradecraft to break. The HTTP module in SCCMHunter and mssqlkaren have been updated to support AES-256. Thanks to @Blurbdust for helping get the fix into pxethief (which I stole from, ofc).
1
11
40
@incendiumrockz
incendiumrocks
19 days
Today, I am releasing the COM-Fuzzer. Gain insights into COM/DCOM implementations that may be vulnerable using an automated approach and make it easy to visualize the data. https://t.co/RBVXP01UK4
github.com
Gain insights into COM/DCOM implementations that may be vulnerable using an automated approach and make it easy to visualize the data. By following this approach, a security researcher will hopeful...
4
60
205
@TrustedSec
TrustedSec
22 days
Forget common backdoors — a DLL hijack in Windows Narrator can grant SYSTEM-level persistence at login. In our new blog, @Oddvarmoe shows how attackers abuse accessibility features and what defenders should monitor. Read now!
trustedsec.com
2
72
196
@bohops
bohops
24 days
Last month, @d_tranman and I gave a talk @MCTTP_Con called "COM to the Darkside" focusing on COM/DCOM cross-session and fileless lateral movement tradecraft. Check out the slides here: https://t.co/1KNln1ldzF Recording should be released soon.
github.com
Slides and resources from MCTTP 2025 Talk. Contribute to bohops/COM-to-the-Darkside development by creating an account on GitHub.
1
80
251
@SpecterOps
SpecterOps
26 days
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️
specterops.io
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
4
310
653
@decoder_it
Andrea P
29 days
Coercing machine authentication on Windows 11 /2025 using the MS-PRN/PrinterBug DCERPC edition, since named pipes are no longer used. Kerberos fails in this case due to a bad SPN from the spooler, forcing NTLM fallback.
4
85
283
@ShitSecure
S3cur3Th1sSh1t
30 days
Remotely enable the EFS service for Win11 systems? No problem with rpcping. Just worked for me from remote with a low privileged user.
@TrustedSec
TrustedSec
1 month
Service triggers can be a pentester’s secret weapon, letting low-priv users quietly fire up powerful services. In our new blog, @freefirex2 breaks down the types of service triggers that exist and how they can be activated with little to no code required.
2
44
213
@_logangoins
Logan Goins
30 days
I feel like @YuG0rd's briefly mentioned new dMSA account takeover mechanism in his last blog didn't get enough attention. A new account takeover mechanism is on the horizon. I wrote a blog detailing it, releasing with a new BOF I wrote called BadTakeover https://t.co/fyUkDYKAeP
specterops.io
After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still...
3
44
107
@TrustedSec
TrustedSec
1 month
Service triggers can be a pentester’s secret weapon, letting low-priv users quietly fire up powerful services. In our new blog, @freefirex2 breaks down the types of service triggers that exist and how they can be activated with little to no code required.
trustedsec.com
Service triggers can be a pentester’s secret weapon, letting low-priv users quietly fire up powerful services like Remote Registry and EFS. Learn how they…
2
61
159
@G0ldenGunSec
Dave Cossa
1 month
tooling link is kinda buried at the end of the blog. Standalone decryption POC: https://t.co/4vDuHiYFKS Integration into existing "decryptcredentials" method in SQLRecon: https://t.co/0lVAWOxufk (will also be merged into main SQLRecon)
gist.github.com
GitHub Gist: instantly share code, notes, and snippets.
0
3
17
@G0ldenGunSec
Dave Cossa
1 month
Ever been on an SCCM site server and *this* close to a DA pw that you couldn't decrypt for some reason? Check out my new blog looking at encryption in use within SCCM sites configured for High Availability and accompanying tooling to recover passwords:
ibm.com
Follow IBM X-Force as they work out the secrets to decrypting credentials vaulted by Microsoft’s System Center Configuration Manager (SCCM).
3
59
141
@dreadnode
dreadnode
1 month
Can we eliminate the C2 server entirely and create truly autonomous malware? On the Dreadnode blog, Principal Security Researcher @0xdab0 details how we developed an entirely local, C2-less malware that can autonomously discover and exploit one type of privilege escalation
9
104
342
@retBandit
Chris Thompson
1 month
Getting some downtime in EU post-@OffensiveAIcon. Thank you to all the community, sponsors, co-organizers, and speakers that helped make it such an amazing first year! A few more days to relax, then it’s back to the grind, exciting things coming!
0
5
24