New on the blog: @michaelbarclay_ revives registry-based tradecraft using a telemetry gap in the hive restoration process. The blog also includes PoC code and detection guidance. 📃

Implemented a number of persistence methods in a BOF. Nothing ground breaking but might be useful to some.

Inspired by @TrustedSec article on remotely starting Windows services, enjoy our python unauthenticated EFS trigger developed with @Hypnoze57 Enjoy! https://t.co/lfXowfPYtv

Google research created a dataset with rainbow tables for NetNTLMv1 with the 1122334455667788 challenge. https://t.co/fLBxwTIY2H Dataset is available for download at: ▪️ https://t.co/mCt6R7y5Pk [Login required] ▪️gs://net-ntlmv1-tables

Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️

Remotely enable the EFS service for Win11 systems? No problem with rpcping. Just worked for me from remote with a low privileged user. 🧐

Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM. https://t.co/GC5wA2y3EO

What I learned today. Nice - I wasn't aware of the InstallProduct method from PowerShell to fetch a remotely hosted MSI file and subsequently install it. Invoke-WebRequest is one of the more popular methods, at least in our incident response cases. As always, there is more!

Whenever I see people say the red teaming should only use TI, it seems unusual because if you're mature enough to need a red team, your EDR vendor will likely pick up on many currently known threats in the public eye. At that point, you're stuck modifying things away from what's

This is so much! 🔥🔥😎 Found two new Potato triggers just today. Not only Potato but can also be used for LPE as remote auth is done which could be relayed to LDAP without Signing enabled. Or relayed to ADCS for a certificate. https://t.co/H83AIxtskn

Since several people already asked: the slides from @fabian_bader and myself for @WEareTROOPERS are available! "Finding Entra ID CA bypasses-the structured way". We talked about FOCI, BroCI, CA bypasses, scopes and getting tons of tokens. Check it at

[BLOG] Integrating Tradecraft Garden PIC loaders into Cobalt Strike https://t.co/vHZyptx3xo

While posted jokingly, "Read Teaming" is very much is the reality of the current state of Red Teaming. If you want to learn about why this approach is both highly effective and gaining popularity, check out: https://t.co/rj9CPeEI0Y

WMI Research and Lateral Movement https://t.co/IL3Ucc5SC0 TLDR: In this article, we will go over the WMI technology, the potential attack vectors it opens, some detection pitfalls (from an attacker’s perspective), and how we can enumerate the technology for useful capabilities.

BOF is out now, enjoy! 🐸 https://t.co/qbukYjAe9S

As promised... this is Loki Command & Control! 🧙‍♂️🔮🪄 Thanks to @d_tranman for his work done on the project and everyone else on the team for making this release happen! https://t.co/fR44ukK1Y2

KrbRelayEx-RPC tool is out! 🎉 Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;) https://t.co/Aebt5iFIjC

The detailed version of our #WorstFit attack is available now! 🔥 Check it out! 👉 https://t.co/EWlBSgXhpx cc: @_splitline_

Worst fit is a Windows attack surface that exploits the Best-Fit charset conversion feature! This attack provides path traversal, argument injection, and RCE in numerous well known applications! Links in next post👇

every time someone wants help with getting a job in cs and i recommend them a plan or a course they always end up not doing it i've had exactly 1 friend actually follow through and now he works at a large bank you need to do the hard things. the industry is tough. i find that