« Back to home
windows

LAPS 2.0 Internals
Alternative methods of becoming SYSTEM
Cisco AMP - Bypassing Self-Protection
AppLocker CLM Bypass via COM
Debugging into .NET
Exploring PowerShell AMSI and Logging Evasion
g_CiOptions in a Virtualized World
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
Exploiting Windows 10 Kernel Drivers - Stack Overflow
Hiding your .NET - ETW
Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
NTLMquic
Object Overloading
Protecting Your Malware with blockdlls and ACG
RunDLL32 your .NET (AKA DLL exports from .NET)
Exploiting CVE-2018-1038 - Total Meltdown
Understanding and Evading Get-InjectedThread
Exploring SCCM by Unobfuscating Network Access Accounts
WAM BAM - Recovering Web Tokens From Office
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
payload

LAPS 2.0 Internals
laps

LAPS 2.0 Internals
low-level

Analysing RPC With Ghidra and Neo4j
Building, Modifying, and Packing with Azure DevOps
Evading Sysmon DNS Monitoring
Exploring Mimikatz - Part 1 - WDigest
Exploring Mimikatz - Part 2 - SSP
g_CiOptions in a Virtualized World
How to Argue like Cobalt Strike
MacOS Injection via Third Party Frameworks
Object Overloading
PNG Steganography from First Principles
MacOS Filename Homoglyphs Revisited
Silencing Cylance: A Case Study in Modern EDRs
The .NET Export Portal
WAM BAM - Recovering Web Tokens From Office
We Need To Talk About MACL
Weird Ways to Run Unmanaged Code in .NET
reversing

Analysing RPC With Ghidra and Neo4j
Windows Anti-Debug techniques - OpenProcess filtering
Analysis of APT28 hospitality malware (Part 2)
Analysis of APT28 hospitality malware
Cisco AMP - Bypassing Self-Protection
ExplodingCan - A vulnerability review
Hiding your .NET - COMPlus_ETWEnabled
Hiding your .NET - ETW
Industroyer C2 Communication
Endpoint Security Self-Protection on MacOS
Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
Radare2 - Using Emulation To Unpack Metasploit Encoders
MacOS Filename Homoglyphs Revisited
The .NET Export Portal
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
malware

Analysis of APT28 hospitality malware (Part 2)
Analysis of APT28 hospitality malware
Reviewing the APT32 phishing malware
Using Hopper scripting to analyse MacRansom
Industroyer C2 Communication
apt28

Analysis of APT28 hospitality malware (Part 2)
apt32

Reviewing the APT32 phishing malware
phishing

Reviewing the APT32 phishing malware
cobalt strike

AWS Lambda Redirector
How to Argue like Cobalt Strike
Protecting Your Malware with blockdlls and ACG
redteam

AWS Lambda Redirector
Azure Application Proxy C2
Azure AD Connect for Red Teamers
Alternative methods of becoming SYSTEM
ActiveBreach, powered by Ethereum Blockchain
Bring Your Own VM - Mac Edition
Exploring Cobalt Strike's ExternalC2 framework
Exploring PowerShell AMSI and Logging Evasion
Hiding your .NET - COMPlus_ETWEnabled
Hiding your .NET - ETW
Identity Providers for RedTeamers
Kerberos AD Attacks - Kerberoasting
Kerberos AD Attacks - More Roasting with AS-REP
MacOS Injection via Third Party Frameworks
macOS Research Outtakes - File Extensions
Okta for Red Teamers
Protecting Your Malware with blockdlls and ACG
RunDLL32 your .NET (AKA DLL exports from .NET)
Setting Service Principal Names To Roast Accounts
Silencing Cylance: A Case Study in Modern EDRs
Tailoring Cobalt Strike on Target
Testing your RedTeam Infrastructure
Understanding and Evading Get-InjectedThread
Using machine account credentials during an engagement
aws

AWS Lambda Redirector
Designing The Adversary Simulation Lab
azure

Azure Application Proxy C2
WAM BAM - Recovering Web Tokens From Office
C2

Azure Application Proxy C2
active directory

Azure AD Connect for Red Teamers
Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
Kerberos AD Attacks - More Roasting with AS-REP
Setting Service Principal Names To Roast Accounts
Using machine account credentials during an engagement
azuread

Azure AD Connect for Red Teamers
Identity Providers for RedTeamers
meterpreter

Alternative methods of becoming SYSTEM
bettercap

Bettercap - Capturing NTLM Hashes
mitm

Bettercap - Capturing NTLM Hashes
SQL Server Authentication With Metasploit and MITM
c2

ActiveBreach, powered by Ethereum Blockchain
blog

New Blog and the Technology that powers it
devops

New Blog and the Technology that powers it
Designing The Adversary Simulation Lab
Testing your RedTeam Infrastructure
macos

Bring Your Own VM - Mac Edition
Building a Custom Mach-O Memory Loader for macOS - Part 1
Bypassing MacOS Privacy Controls
MacOS "DirtyNIB" Vulnerability
Disabling MacOS SIP via a VirtualBox kext Vulnerability
Escaping the Sandbox – Microsoft Office on MacOS
Endpoint Security Self-Protection on MacOS
MacOS Injection via Third Party Frameworks
macOS Research Outtakes - File Extensions
MacOS Filename Homoglyphs Revisited
Restoring Dyld Memory Loading
We Need To Talk About MACL
ctf

BSidesSF CTF: b-64-b-tuff Walkthrough
BSidesSF CTF - DNSCap Walkthrough
BSidesSF CTF - Steel Mountain: Sensors Walkthrough
Defcon 25 in Review
PlaidCTF - no_mo_flo writeup
Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
Revisiting PlaidCTF - bigpicture
ROP Primer - Walkthrough of Level 0
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
loader

Building a Custom Mach-O Memory Loader for macOS - Part 1
PNG Steganography from First Principles
.net

Building, Modifying, and Packing with Azure DevOps
Debugging into .NET
Hiding your .NET - ETW
RunDLL32 your .NET (AKA DLL exports from .NET)
The .NET Export Portal
privacy

Bypassing MacOS Privacy Controls
powershell

AppLocker CLM Bypass via COM
security

Foomatic-RIP (CVE-2015-8560)
From CSV to Meterpreter
Linux ptrace introduction AKA injecting into sshd for fun
MS15-099 - Sharepoint XSS
foomatic-rip

Foomatic-RIP (CVE-2015-8560)
exploit

Foomatic-RIP (CVE-2015-8560)
Linux USBIP overflow (CVE-2016-3955)
Moving jobs and exploiting flash (CVE-2018-4878)
MacOS "DirtyNIB" Vulnerability
Disabling MacOS SIP via a VirtualBox kext Vulnerability
Escaping the Sandbox – Microsoft Office on MacOS
Universal XSS via Evernote WebClipper
ExplodingCan - A vulnerability review
Github Desktop - DOM XSS
GitHub Desktop - RCE
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
Exploiting Windows 10 Kernel Drivers - Stack Overflow
Kentico CMS (< 9.0.42) SQLi
MS15-099 - Sharepoint XSS
ROP Primer - Walkthrough of Level 0
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
Exploiting CVE-2018-1038 - Total Meltdown
Windows Server 2016 / Docker Privilege Escalation
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
cve

Foomatic-RIP (CVE-2015-8560)
Linux USBIP overflow (CVE-2016-3955)
Moving jobs and exploiting flash (CVE-2018-4878)
flash

Moving jobs and exploiting flash (CVE-2018-4878)
defcon

Defcon 25 in Review
iot

Defcon 25 in Review
kernel

Disabling MacOS SIP via a VirtualBox kext Vulnerability
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
Exploiting Windows 10 Kernel Drivers - Stack Overflow
Exploiting CVE-2018-1038 - Total Meltdown
office

Escaping the Sandbox – Microsoft Office on MacOS
sysmon

Evading Sysmon DNS Monitoring
etw

Evading Sysmon DNS Monitoring
Hiding your .NET - COMPlus_ETWEnabled
web

Universal XSS via Evernote WebClipper
MS15-099 - Sharepoint XSS
xss

Universal XSS via Evernote WebClipper
secarma

ExplodingCan - A vulnerability review
Industroyer C2 Communication
Setting Service Principal Names To Roast Accounts
Using machine account credentials during an engagement
cobaltstrike

Exploring Cobalt Strike's ExternalC2 framework
Tailoring Cobalt Strike on Target
externalc2

Exploring Cobalt Strike's ExternalC2 framework
mimikatz

Exploring Mimikatz - Part 1 - WDigest
Exploring Mimikatz - Part 2 - SSP
amsi

Exploring PowerShell AMSI and Logging Evasion
mdf

Extracting SQL Server Hashes From master.mdf
forensics

Extracting SQL Server Hashes From master.mdf
Offensive Forensics - Recovering Files
csv

From CSV to Meterpreter
drivers

g_CiOptions in a Virtualized World
github

Github Desktop - DOM XSS
GitHub Desktop - RCE
hevd

Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
Exploiting Windows 10 Kernel Drivers - Stack Overflow
hopper

Using Hopper scripting to analyse MacRansom
non-security

How GitHub login detection banner works
javascript

How GitHub login detection banner works
idp

Identity Providers for RedTeamers
okta

Identity Providers for RedTeamers
Okta for Red Teamers
ping

Identity Providers for RedTeamers
onelogin

Identity Providers for RedTeamers
entraid

Identity Providers for RedTeamers
kerberos

Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
Kerberos AD Attacks - More Roasting with AS-REP
Setting Service Principal Names To Roast Accounts
kentico

Kentico CMS (< 9.0.42) SQLi
ptrace

Linux ptrace introduction AKA injecting into sshd for fun
linux

Linux ptrace introduction AKA injecting into sshd for fun
sharepoint

MS15-099 - Sharepoint XSS
tools

NTLMquic
Exploring SCCM by Unobfuscating Network Access Accounts
smb

NTLMquic
plaidctf

PlaidCTF - no_mo_flo writeup
Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
Revisiting PlaidCTF - bigpicture
vba

Protecting Your Malware with blockdlls and ACG
radare2

Radare2 - Using Emulation To Unpack Metasploit Encoders
dyld

Restoring Dyld Memory Loading
rop

ROP Primer - Walkthrough of Level 0
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
sql

SQL Server Authentication With Metasploit and MITM
metasploit

SQL Server Authentication With Metasploit and MITM
sccm

Exploring SCCM by Unobfuscating Network Access Accounts
dotnet

Weird Ways to Run Unmanaged Code in .NET
docker

Windows Server 2016 / Docker Privilege Escalation
xbox

Xbox One Controller Hacking
usb

Xbox One Controller Hacking