CCob🏴
@_EthicalChaos_
Ceri Coburn: Hacker | R̷u̷n̷n̷e̷r̷ | DIYer | Vizsla Fanboy and a Little Welsh Bull apparently 🏴 Author of poorly coded tools: https://t.co/P6tT2qQksC
In a field somewhere
Joined February 2015
A little while ago I tweeted about a potential BOF-PE design. So here it is, a new design that includes a fully linked PE, C++ exceptions and use of the STL template library.
Beacon Object Files (BOFs) in C2 platforms limit developers. https://t.co/XEp7NMfnfQ Read NetSPI's blog post to explore a reference design for a new BOF portable executable (PE) concept that bridges the gap between modern C++ development and memory-executable C2 integration.
@_dirkjan found one of the most severe vulnerabilities ever discovered in Microsoft Entra ID. One that could have compromised every tenant in the cloud. In this episode, we unpack the story, the stress, and the mindset behind responsible disclosure. 🔥 We dive deep into his
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️
specterops.io
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
Ah well, no BlackHat talk for me this year. Another time maybe...
I made a website that lets you generate VBA macro docs in your browser (using rust+wasm!): https://t.co/mAsZU22IJZ ^just for fun, inb4 "motw kills macros" etc. 😅
Check out Titanis, my new C#-based protocol library! It features implementations of SMB and various Windows RPC protocols along with Kerberos and NTLM. https://t.co/GC5wA2y3EO
github.com
Windows protocol library, including SMB and RPC implementations, among others. - trustedsec/Titanis
I'm SO hyped to finally make MSSQLHound public! It's a new BloodHound collector that adds 37 new edges and 7 new nodes for MSSQL attack paths using the new OpenGraph feature for 8.0! Let me know what you find with it! - https://t.co/Hh089SaVOS - https://t.co/geO0HXTykf
Finishing off the week with a writeup of CVE-2025-0309 - Netskope Windows Client LPE. This was one of the bugs we demo’d in our DEF CON #ZeroTrustTotalBust talk. Also releasing a NachoVPN plugin and our 🆙skope PoC. Details on the @AmberWolfSec blog: https://t.co/HJQCVbBpbk
Am I missing something with the Greenshot CVE-2025-59050 vulnerability? An 8.4 for something that is essentially self injection. Execution would already need to have been achieved to exploit it. I get it's unintended design, but an 8.4 CVSS?
After a break, I’ll be back to Black Hat EU 2025 to share new developments in call stack spoofing techniques and tradecraft. Likely my final public contribution to technique. Hope it'll inspire brilliant minds to build something great! See you there! #BHEU #offsec #SpecterOps
Lots of cool new Nemesis features merging in soon from @tifkin_ and me! Development definitely didn't stop with the 2.0 release :)
github.com
An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:
dirkjanm.io
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise...
Are there any tailscale experts out there that can help debug why advertise-routes is failing on Fedora? IP forwarding is enabled and I have a valid route prior to bringing tailscale up, but it just won't publish the route. Routes are auto approved on headscale control plane 😕
Hey @Veeam, help a friend out here. A security@ email that only accepts emails from https://t.co/JallpKcK3j makes it difficult to report concerns.
veeam.com
Veeam ensures data portability with secure backup, rapid recovery, and freedom to move and manage data across cloud, virtual, and physical platforms.
Recovering Metadata from .NET Native AOT Binaries - Washi @washi_dev
https://t.co/MhFyey3KYs
blog.washi.dev
Ever seen a binary that looks like a .NET binary based on its strings, but .NET decompilers are not able to open them?
If you didn't find my Black Hat / Def Con slides yet, they are available on https://t.co/nTDAepwUXR. Also includes the demo videos where I use actor tokens from on-prem to access SharePoint online and get Global Admin.
dirkjanm.io
Extending AD CS attack surface to the cloud with Intune certificates, by @_dirkjan
https://t.co/iQ1lyiYg5E
dirkjanm.io
Active Directory Certificate Services (AD CS) attack surface is pretty well explored in Active Directory itself, with *checks notes* already 16 “ESC” attacks being publicly described. Hybrid certif...
Thanks to everyone who joined my DEFCON33 talk!🎉 For those of you who missed it and are interested in seeing how we can extract cleartext credentials and bypass MFA directly from the official Microsoft login page, I just uploaded the recording to YouTube: https://t.co/MoPQiKgesd
gpoParser, which I presented at #leHACK2025 and #DEFCON, is available here: https://t.co/sHgmiOrPCV It is a specialized utility designed to enumerate Group Policy Objects (GPOs) and identify potential security misconfigurations.
github.com
gpoParser is a tool designed to extract and analyze configurations applied through Group Policy Objects (GPOs) in an Active Directory environment. - synacktiv/gpoParser
The ADSyncCertDump tool is now part of the adconnectdump tools and can be used to extract SP credentials from Entra ID connect hosts. I will cover that during my BH/DC talks today and Friday! Tool is heavily based on Shwmae by @_EthicalChaos_
Since we now can use Entra ID connect sync with a service principal, I thought I'd look into the new security measures. On hosts without a TPM, we can dump the cert+key. On hosts with TPM (second picture) we can use the key to create an auth assertion for roadtx to req tokens.