« Back to home
windows

LAPS 2.0 Internals
Cisco AMP - Bypassing Self-Protection
Alternative methods of becoming SYSTEM
AppLocker CLM Bypass via COM
Debugging into .NET
Exploring PowerShell AMSI and Logging Evasion
Exploiting Windows 10 Kernel Drivers - Stack Overflow
g_CiOptions in a Virtualized World
Hiding your .NET - ETW
Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
NTLMquic
Object Overloading
Protecting Your Malware with blockdlls and ACG
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
RunDLL32 your .NET (AKA DLL exports from .NET)
Exploiting CVE-2018-1038 - Total Meltdown
Understanding and Evading Get-InjectedThread
Exploring SCCM by Unobfuscating Network Access Accounts
WAM BAM - Recovering Web Tokens From Office
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
payload

LAPS 2.0 Internals
laps

LAPS 2.0 Internals
reversing

Windows Anti-Debug techniques - OpenProcess filtering
Analysis of APT28 hospitality malware (Part 2)
Analysis of APT28 hospitality malware
Analysing RPC With Ghidra and Neo4j
Cisco AMP - Bypassing Self-Protection
ExplodingCan - A vulnerability review
Hiding your .NET - COMPlus_ETWEnabled
Hiding your .NET - ETW
Industroyer C2 Communication
Endpoint Security Self-Protection on MacOS
MacOS Filename Homoglyphs Revisited
Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
Radare2 - Using Emulation To Unpack Metasploit Encoders
The .NET Export Portal
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
malware

Analysis of APT28 hospitality malware (Part 2)
Reviewing the APT32 phishing malware
Analysis of APT28 hospitality malware
Using Hopper scripting to analyse MacRansom
Industroyer C2 Communication
apt28

Analysis of APT28 hospitality malware (Part 2)
apt32

Reviewing the APT32 phishing malware
phishing

Reviewing the APT32 phishing malware
cobalt strike

AWS Lambda Redirector
How to Argue like Cobalt Strike
Protecting Your Malware with blockdlls and ACG
redteam

AWS Lambda Redirector
Azure Application Proxy C2
Azure AD Connect for Red Teamers
ActiveBreach, powered by Ethereum Blockchain
Bring Your Own VM - Mac Edition
Alternative methods of becoming SYSTEM
Exploring Cobalt Strike's ExternalC2 framework
Exploring PowerShell AMSI and Logging Evasion
Hiding your .NET - COMPlus_ETWEnabled
Hiding your .NET - ETW
Kerberos AD Attacks - Kerberoasting
MacOS Injection via Third Party Frameworks
Kerberos AD Attacks - More Roasting with AS-REP
macOS Research Outtakes - File Extensions
Protecting Your Malware with blockdlls and ACG
RunDLL32 your .NET (AKA DLL exports from .NET)
Tailoring Cobalt Strike on Target
Setting Service Principal Names To Roast Accounts
Silencing Cylance: A Case Study in Modern EDRs
Testing your RedTeam Infrastructure
Understanding and Evading Get-InjectedThread
Using machine account credentials during an engagement
aws

AWS Lambda Redirector
Designing The Adversary Simulation Lab
low-level

Analysing RPC With Ghidra and Neo4j
Building, Modifying, and Packing with Azure DevOps
Evading Sysmon DNS Monitoring
Exploring Mimikatz - Part 1 - WDigest
Exploring Mimikatz - Part 2 - SSP
g_CiOptions in a Virtualized World
How to Argue like Cobalt Strike
MacOS Filename Homoglyphs Revisited
MacOS Injection via Third Party Frameworks
Object Overloading
PNG Steganography from First Principles
Silencing Cylance: A Case Study in Modern EDRs
The .NET Export Portal
WAM BAM - Recovering Web Tokens From Office
We Need To Talk About MACL
Weird Ways to Run Unmanaged Code in .NET
azure

Azure Application Proxy C2
WAM BAM - Recovering Web Tokens From Office
C2

Azure Application Proxy C2
active directory

Azure AD Connect for Red Teamers
Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
Kerberos AD Attacks - More Roasting with AS-REP
Setting Service Principal Names To Roast Accounts
Using machine account credentials during an engagement
azuread

Azure AD Connect for Red Teamers
bettercap

Bettercap - Capturing NTLM Hashes
mitm

Bettercap - Capturing NTLM Hashes
SQL Server Authentication With Metasploit and MITM
c2

ActiveBreach, powered by Ethereum Blockchain
blog

New Blog and the Technology that powers it
devops

New Blog and the Technology that powers it
Designing The Adversary Simulation Lab
Testing your RedTeam Infrastructure
macos

Bring Your Own VM - Mac Edition
Building a Custom Mach-O Memory Loader for macOS - Part 1
Bypassing MacOS Privacy Controls
Disabling MacOS SIP via a VirtualBox kext Vulnerability
Escaping the Sandbox – Microsoft Office on MacOS
Endpoint Security Self-Protection on MacOS
MacOS Filename Homoglyphs Revisited
MacOS Injection via Third Party Frameworks
macOS Research Outtakes - File Extensions
Restoring Dyld Memory Loading
We Need To Talk About MACL
ctf

BSidesSF CTF: b-64-b-tuff Walkthrough
BSidesSF CTF - DNSCap Walkthrough
BSidesSF CTF - Steel Mountain: Sensors Walkthrough
Defcon 25 in Review
Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
PlaidCTF - no_mo_flo writeup
ROP Primer - Walkthrough of Level 0
Revisiting PlaidCTF - bigpicture
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
loader

Building a Custom Mach-O Memory Loader for macOS - Part 1
PNG Steganography from First Principles
.net

Building, Modifying, and Packing with Azure DevOps
Debugging into .NET
Hiding your .NET - ETW
RunDLL32 your .NET (AKA DLL exports from .NET)
The .NET Export Portal
meterpreter

Alternative methods of becoming SYSTEM
privacy

Bypassing MacOS Privacy Controls
powershell

AppLocker CLM Bypass via COM
security

Foomatic-RIP (CVE-2015-8560)
From CSV to Meterpreter
Linux ptrace introduction AKA injecting into sshd for fun
MS15-099 - Sharepoint XSS
foomatic-rip

Foomatic-RIP (CVE-2015-8560)
exploit

Foomatic-RIP (CVE-2015-8560)
Moving jobs and exploiting flash (CVE-2018-4878)
Linux USBIP overflow (CVE-2016-3955)
Disabling MacOS SIP via a VirtualBox kext Vulnerability
Escaping the Sandbox – Microsoft Office on MacOS
Universal XSS via Evernote WebClipper
ExplodingCan - A vulnerability review
Exploiting Windows 10 Kernel Drivers - Stack Overflow
Kentico CMS (< 9.0.42) SQLi
MS15-099 - Sharepoint XSS
GitHub Desktop - RCE
Github Desktop - DOM XSS
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
ROP Primer - Walkthrough of Level 0
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
Exploiting CVE-2018-1038 - Total Meltdown
Windows Server 2016 / Docker Privilege Escalation
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
cve

Foomatic-RIP (CVE-2015-8560)
Moving jobs and exploiting flash (CVE-2018-4878)
Linux USBIP overflow (CVE-2016-3955)
flash

Moving jobs and exploiting flash (CVE-2018-4878)
defcon

Defcon 25 in Review
iot

Defcon 25 in Review
kernel

Disabling MacOS SIP via a VirtualBox kext Vulnerability
Exploiting Windows 10 Kernel Drivers - Stack Overflow
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
Exploiting CVE-2018-1038 - Total Meltdown
office

Escaping the Sandbox – Microsoft Office on MacOS
sysmon

Evading Sysmon DNS Monitoring
etw

Evading Sysmon DNS Monitoring
Hiding your .NET - COMPlus_ETWEnabled
web

Universal XSS via Evernote WebClipper
MS15-099 - Sharepoint XSS
xss

Universal XSS via Evernote WebClipper
secarma

ExplodingCan - A vulnerability review
Industroyer C2 Communication
Setting Service Principal Names To Roast Accounts
Using machine account credentials during an engagement
cobaltstrike

Exploring Cobalt Strike's ExternalC2 framework
Tailoring Cobalt Strike on Target
externalc2

Exploring Cobalt Strike's ExternalC2 framework
mimikatz

Exploring Mimikatz - Part 1 - WDigest
Exploring Mimikatz - Part 2 - SSP
amsi

Exploring PowerShell AMSI and Logging Evasion
csv

From CSV to Meterpreter
mdf

Extracting SQL Server Hashes From master.mdf
forensics

Extracting SQL Server Hashes From master.mdf
Offensive Forensics - Recovering Files
hevd

Exploiting Windows 10 Kernel Drivers - Stack Overflow
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
drivers

g_CiOptions in a Virtualized World
hopper

Using Hopper scripting to analyse MacRansom
non-security

How GitHub login detection banner works
javascript

How GitHub login detection banner works
kerberos

Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
Kerberos AD Attacks - More Roasting with AS-REP
Setting Service Principal Names To Roast Accounts
kentico

Kentico CMS (< 9.0.42) SQLi
ptrace

Linux ptrace introduction AKA injecting into sshd for fun
linux

Linux ptrace introduction AKA injecting into sshd for fun
sharepoint

MS15-099 - Sharepoint XSS
tools

NTLMquic
Exploring SCCM by Unobfuscating Network Access Accounts
smb

NTLMquic
vba

Protecting Your Malware with blockdlls and ACG
plaidctf

Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
PlaidCTF - no_mo_flo writeup
Revisiting PlaidCTF - bigpicture
radare2

Radare2 - Using Emulation To Unpack Metasploit Encoders
github

GitHub Desktop - RCE
Github Desktop - DOM XSS
rop

ROP Primer - Walkthrough of Level 0
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
dyld

Restoring Dyld Memory Loading
sql

SQL Server Authentication With Metasploit and MITM
metasploit

SQL Server Authentication With Metasploit and MITM
sccm

Exploring SCCM by Unobfuscating Network Access Accounts
docker

Windows Server 2016 / Docker Privilege Escalation
dotnet

Weird Ways to Run Unmanaged Code in .NET
xbox

Xbox One Controller Hacking
usb

Xbox One Controller Hacking