Matt Nelson
@enigma0x3
Followers: 33K | Following: 4K | Media: 121 | Statuses: 5K
@specterops | Enjoys abusing features | https://t.co/aN1kcQxRJt
Indianapolis, IN
Joined January 2011
[Blog] CVE-2023-4632: Local Privilege Escalation in Lenovo System Updater
posts.specterops.io
Version: Lenovo Updater Version <= 5.08.01.0009 Operating System Tested On: Windows 10 22H2 (x64) Vulnerability: Lenovo System Updater…
0
63
173
How do you model hybrid attack paths that span GitHub, GCP, Azure, and AD? @c0kernel has released SecretHound, a new BloodHound OpenGraph extension for secrets 🤫 — enabling modeling of “credential watering holes” across tech platforms.
specterops.io
Presents a framework using technology subgraphs, decomposition, and graph abstraction to model hybrid attack paths in BloodHound OpenGraph.
0
11
32
Introducing Adrenaline, a toolkit of many BOFs to speed up recon or prepare for large-scale orchestration/eventing. The idea is to introduce a bunch of small BOFs that are designed to output small but actionable information to later use for analysis or targeting. More info below.
1
1
8
Don't miss this one. 👀 @zyn3rgy & @Tw1sm are sharing techniques to better inform your NTLM relays and discussing RelayInformer, an open-source project that identifies EPA enforcement across the majority of popular NTLM relay targets. Save your spot 👉 https://t.co/qfcl7Lvw9q
0
10
43
SCCM is one of the most relied-on enterprise tools, but that legacy comes with risk. Join @unsigned_sh0rt this Friday at #BSidesPDX as he discusses how attackers can abuse #SCCM Entra integrations to gain admin access. ➡️ https://t.co/7UiihoC0kA
0
12
44
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️
specterops.io
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
4
310
653
In this post @_wald0 introduces PingOneHound, a BloodHound OpenGraph extension that allows users to visualize, audit, and remediate attack paths in their PingOne environment. The blog post also serves as an introduction to the PingOne architecture. https://t.co/BjD5DPiih1
specterops.io
You can use PingOneHound in conjunction with BloodHound Community Edition to discover, analyze, execute, and remediate identity-based attack paths in PingOne instances.
0
26
50
I feel like @YuG0rd's briefly mentioned new dMSA account takeover mechanism in his last blog didn't get enough attention. A new account takeover mechanism is on the horizon. I wrote a blog detailing it, releasing with a new BOF I wrote called BadTakeover https://t.co/fyUkDYKAeP
specterops.io
After Microsoft patched Yuval Gordon’s BadSuccessor privilege escalation technique, BadSuccessor returned with another blog from Yuval, briefly mentioning to the community that attackers can still...
3
44
107
Ever notice how every identity system depends on something else — and those dependencies are often invisible? That’s the idea behind the Clean Source Principle and why it matters for the future of identity security. https://t.co/Ov1eN8Jsjs
specterops.io
TL;DR Modern identity systems are deeply interconnected, and every weak dependency creates an attack path — no matter how strong any single platform appears. The Clean Source Principle and BloodHound...
1
6
19
Lateral movement getting blocked by traditional methods? @werdhaihai just dropped research on a new lateral movement technique using Windows Installer Custom Action Server, complete with working BOF code.
specterops.io
DCOM lateral movement BOF using Windows Installer (MSI) Custom Action Server - install ODBC drivers to load and execute DLLs
1
116
284
I just documented a cool way to authenticate proxied tooling to LDAP in an AD environment using C2 payload auth context, without stealing any tickets or hashes! Keep tooling execution off-host and away from EDR on your Red Team assessments! https://t.co/VLE2Kh4idY
specterops.io
TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to...
5
119
417
Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service remotely as a low-privileged user. @0xthirteen breaks down the service startup mechanics, plus the protocols and technologies.
specterops.io
A walkthrough to answer the question: "Can you start the WebClient service remotely as a low privileged user?"
0
59
174
Manual recon commands eating up your time? 🕐 @atomiczsec breaks down how Mythic Eventing automates those repetitive reconnaissance tasks during RTOs, complete with starter YAML scripts you can customize.
specterops.io
Mythic Eventing automates repetitive tasks during red team operations (RTO). Gavin Kramer documents this eventing system and provides a collection of starter YAML scripts for the community.
0
22
80
During my internship at @SpecterOps, I had the amazing opportunity to support red team and penetration test engagements. This led to the creation of my capstone project, which I presented at the Seattle office and created a SpecterOps blog which you can see more about here:
1
3
29
MSSQLHound leverages BloodHound's OpenGraph to visualize MSSQL attack paths with 7 new nodes & 37 new edges, all without touching the SharpHound & BloodHound codebases. @_Mayyhem unpacks this new feature in his blog post. 👇
specterops.io
TL;DR MSSQLHound is a standalone PowerShell collector that adds 7 new nodes and 37 new MSSQL attack path edges to BloodHound using the new OpenGraph feature that was released in version 8.0. This...
1
53
132
Your devs aren’t just writing code, they’re holding keys to your kingdom. 🔑 BloodHound now supports GitHub identities, so you can visualize access & control in your org’s dev pipeline. Read more about this & other features in BloodHound 8.0: https://t.co/TOcfzrrtqS
1
9
43
Data is gold and Snowflake is full of it. BloodHound now understands Snowflake’s access model. Map who can reach your critical data, and how they’d do it. Learn more about what is available w/ BloodHound 8.0: https://t.co/TOcfzrrtqS
0
11
51
In this blog post I explain the fundamental building blocks, vocabulary, and principles of attack graph design for BloodHound:
specterops.io
TL;DR OpenGraph makes it easy to add new nodes and edges into BloodHound, but doesn’t design your data model for you. This blog post has everything you need to get started with proper attack graph...
1
42
96
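The MSSQLHound post above and this attack-graph-design post both rely on the BloodHound OpenGraph ingest format: a document of nodes (each with an id, a list of kinds and properties) and directed edges (start, end, kind). The following is an added example, not code from SpecterOps or from MSSQLHound. It assumes the generic OpenGraph JSON layout (`metadata.source_kind`, `graph.nodes[]`, `graph.edges[]` with `start`/`end` objects carrying `value` and `match_by`); the node ids, kinds (`ExampleUser`, `ExampleLogin`, `ExampleRole`, `ExampleServer`) and edge kinds (`ExampleHasLogin`, `ExampleMemberOfRole`, `ExampleControlsServer`) are constructed for illustration and are not BloodHound's or MSSQLHound's real kinds. It shows the two checks a collector author wants before uploading: that every edge references a node that exists in the payload, and that the model actually yields a path from a principal to a target.

```python
"""Toy BloodHound OpenGraph-style payload: build, validate, and walk an attack path.

Added example (not SpecterOps/MSSQLHound code). The JSON layout below is an
assumption about the generic OpenGraph ingest format; every id, node kind and
edge kind is constructed for this example.
"""
import json
from collections import deque

SOURCE_KIND = "ExampleBase"  # hypothetical source kind every node carries


def edge(start, end, kind, properties=None):
    """Directed edge referencing nodes by id (match_by='id')."""
    return {
        "start": {"value": start, "match_by": "id"},
        "end": {"value": end, "match_by": "id"},
        "kind": kind,
        "properties": properties or {},
    }


def build_payload():
    """Constructed payload for a toy SQL-server environment (sample data)."""
    nodes = [
        {"id": "user:alice", "kinds": ["ExampleUser", SOURCE_KIND],
         "properties": {"name": "ALICE@CORP.LOCAL"}},
        {"id": "login:sql01:alice", "kinds": ["ExampleLogin", SOURCE_KIND],
         "properties": {"name": "CORP\\alice@SQL01"}},
        {"id": "role:sql01:sysadmin", "kinds": ["ExampleRole", SOURCE_KIND],
         "properties": {"name": "sysadmin@SQL01"}},
        {"id": "server:sql01", "kinds": ["ExampleServer", SOURCE_KIND],
         "properties": {"name": "SQL01.CORP.LOCAL"}},
    ]
    edges = [
        edge("user:alice", "login:sql01:alice", "ExampleHasLogin"),
        edge("login:sql01:alice", "role:sql01:sysadmin", "ExampleMemberOfRole"),
        edge("role:sql01:sysadmin", "server:sql01", "ExampleControlsServer"),
    ]
    return {"metadata": {"source_kind": SOURCE_KIND},
            "graph": {"nodes": nodes, "edges": edges}}


def validate(payload):
    """Return a list of problems; an empty list means the payload is self-consistent."""
    problems = []
    nodes = payload["graph"]["nodes"]
    seen = set()
    for node in nodes:
        if node["id"] in seen:
            problems.append(f"duplicate node id {node['id']}")
        seen.add(node["id"])
        if SOURCE_KIND not in node["kinds"]:
            problems.append(f"node {node['id']} lacks source kind {SOURCE_KIND}")
    for e in payload["graph"]["edges"]:
        for side in ("start", "end"):
            ref = e[side]
            # Edges matched by id must point at a node present in this payload;
            # otherwise the edge silently disappears on ingest.
            if ref.get("match_by", "id") == "id" and ref["value"] not in seen:
                problems.append(
                    f"edge {e['kind']} references unknown {side} node {ref['value']}")
    return problems


def find_path(payload, start_id, target_id):
    """BFS over directed edges; returns [(from, edge_kind, to), ...] or None."""
    adj = {}
    for e in payload["graph"]["edges"]:
        adj.setdefault(e["start"]["value"], []).append((e["kind"], e["end"]["value"]))
    parent = {start_id: None}
    queue = deque([start_id])
    while queue:
        cur = queue.popleft()
        if cur == target_id:
            break
        for kind, nxt in adj.get(cur, []):
            if nxt not in parent:
                parent[nxt] = (cur, kind)
                queue.append(nxt)
    if target_id not in parent:
        return None
    hops = []
    cur = target_id
    while parent[cur] is not None:
        prev, kind = parent[cur]
        hops.append((prev, kind, cur))
        cur = prev
    return list(reversed(hops))


if __name__ == "__main__":
    payload = build_payload()
    print(json.dumps(payload, indent=2))
    print("problems:", validate(payload))
    for src, kind, dst in find_path(payload, "user:alice", "server:sql01"):
        print(f"{src} -[{kind}]-> {dst}")
```

The validation step is the one that pays off in practice: a collector that emits thousands of edges with a single mistyped id produces a graph that uploads cleanly but is missing the path you meant to model, so checking dangling references locally before ingest is cheaper than debugging an empty query in the UI.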
Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍 Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more.
specterops.io
Discover DeepPass2 - a secret scanning tool combining BERT-based model and LLMs to detect free-form passwords, and other structured tokens and secrets with high accuracy.
3
46
154
Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass. @hotnops explores cross-domain compromise tradecraft within the same tenant. Read more ⤵️
specterops.io
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
2
59
119