« Back to home
windows

LAPS 2.0 Internals
Administrator Protection Review
Alternative methods of becoming SYSTEM
Cisco AMP - Bypassing Self-Protection
AppLocker CLM Bypass via COM
Debugging into .NET
Exploring PowerShell AMSI and Logging Evasion
g_CiOptions in a Virtualized World
Exploiting Windows 10 Kernel Drivers - Stack Overflow
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
Hiding your .NET - ETW
Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
NTLMquic
Object Overloading
Protecting Your Malware with blockdlls and ACG
RunDLL32 your .NET (AKA DLL exports from .NET)
Exploiting CVE-2018-1038 - Total Meltdown
Understanding and Evading Get-InjectedThread
WAM BAM - Recovering Web Tokens From Office
Exploring SCCM by Unobfuscating Network Access Accounts
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
payload

LAPS 2.0 Internals
laps

LAPS 2.0 Internals
redteam

Administrator Protection Review
ADFS - Living in the Legacy of DRS
AWS Lambda Redirector
Azure AD Connect for Red Teamers
Azure Application Proxy C2
Alternative methods of becoming SYSTEM
ActiveBreach, powered by Ethereum Blockchain
Bring Your Own VM - Mac Edition
Exploring Cobalt Strike's ExternalC2 framework
Exploring PowerShell AMSI and Logging Evasion
Hiding your .NET - COMPlus_ETWEnabled
Hiding your .NET - ETW
Identity Providers for RedTeamers
Kerberos AD Attacks - Kerberoasting
Kerberos AD Attacks - More Roasting with AS-REP
macOS Research Outtakes - File Extensions
MacOS Injection via Third Party Frameworks
Okta for Red Teamers
Protecting Your Malware with blockdlls and ACG
RunDLL32 your .NET (AKA DLL exports from .NET)
Setting Service Principal Names To Roast Accounts
Silencing Cylance: A Case Study in Modern EDRs
Tailoring Cobalt Strike on Target
Testing your RedTeam Infrastructure
The SQL Server Crypto Detour
Understanding and Evading Get-InjectedThread
Using machine account credentials during an engagement
reversing

Administrator Protection Review
Analysing RPC With Ghidra and Neo4j
Windows Anti-Debug techniques - OpenProcess filtering
Analysis of APT28 hospitality malware (Part 2)
Analysis of APT28 hospitality malware
Cisco AMP - Bypassing Self-Protection
ExplodingCan - A vulnerability review
Hiding your .NET - COMPlus_ETWEnabled
Hiding your .NET - ETW
Industroyer C2 Communication
Endpoint Security Self-Protection on MacOS
MacOS Filename Homoglyphs Revisited
Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
Radare2 - Using Emulation To Unpack Metasploit Encoders
The .NET Export Portal
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
adfs

ADFS - Living in the Legacy of DRS
oauth2

ADFS - Living in the Legacy of DRS
low-level

Analysing RPC With Ghidra and Neo4j
Building, Modifying, and Packing with Azure DevOps
Evading Sysmon DNS Monitoring
Exploring Mimikatz - Part 1 - WDigest
Exploring Mimikatz - Part 2 - SSP
g_CiOptions in a Virtualized World
How to Argue like Cobalt Strike
MacOS Filename Homoglyphs Revisited
MacOS Injection via Third Party Frameworks
Object Overloading
PNG Steganography from First Principles
Silencing Cylance: A Case Study in Modern EDRs
The .NET Export Portal
WAM BAM - Recovering Web Tokens From Office
We Need To Talk About MACL
Weird Ways to Run Unmanaged Code in .NET
malware

Analysis of APT28 hospitality malware (Part 2)
Analysis of APT28 hospitality malware
Reviewing the APT32 phishing malware
Using Hopper scripting to analyse MacRansom
Industroyer C2 Communication
apt28

Analysis of APT28 hospitality malware (Part 2)
apt32

Reviewing the APT32 phishing malware
phishing

Reviewing the APT32 phishing malware
cobalt strike

AWS Lambda Redirector
How to Argue like Cobalt Strike
Protecting Your Malware with blockdlls and ACG
aws

AWS Lambda Redirector
Designing The Adversary Simulation Lab
active directory

Azure AD Connect for Red Teamers
Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
Kerberos AD Attacks - More Roasting with AS-REP
Setting Service Principal Names To Roast Accounts
Using machine account credentials during an engagement
azuread

Azure AD Connect for Red Teamers
Identity Providers for RedTeamers
azure

Azure Application Proxy C2
WAM BAM - Recovering Web Tokens From Office
C2

Azure Application Proxy C2
bettercap

Bettercap - Capturing NTLM Hashes
mitm

Bettercap - Capturing NTLM Hashes
SQL Server Authentication With Metasploit and MITM
meterpreter

Alternative methods of becoming SYSTEM
c2

ActiveBreach, powered by Ethereum Blockchain
blog

New Blog and the Technology that powers it
devops

New Blog and the Technology that powers it
Designing The Adversary Simulation Lab
Testing your RedTeam Infrastructure
macos

Bring Your Own VM - Mac Edition
Building a Custom Mach-O Memory Loader for macOS - Part 1
Bypassing MacOS Privacy Controls
MacOS "DirtyNIB" Vulnerability
Disabling MacOS SIP via a VirtualBox kext Vulnerability
Escaping the Sandbox – Microsoft Office on MacOS
Endpoint Security Self-Protection on MacOS
MacOS Filename Homoglyphs Revisited
macOS Research Outtakes - File Extensions
MacOS Injection via Third Party Frameworks
Restoring Dyld Memory Loading
We Need To Talk About MACL
ctf

BSidesSF CTF: b-64-b-tuff Walkthrough
BSidesSF CTF - DNSCap Walkthrough
BSidesSF CTF - Steel Mountain: Sensors Walkthrough
Defcon 25 in Review
PlaidCTF - no_mo_flo writeup
Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
Revisiting PlaidCTF - bigpicture
ROP Primer - Walkthrough of Level 0
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
loader

Building a Custom Mach-O Memory Loader for macOS - Part 1
PNG Steganography from First Principles
privacy

Bypassing MacOS Privacy Controls
.net

Building, Modifying, and Packing with Azure DevOps
Debugging into .NET
Hiding your .NET - ETW
RunDLL32 your .NET (AKA DLL exports from .NET)
The .NET Export Portal
powershell

AppLocker CLM Bypass via COM
security

Foomatic-RIP (CVE-2015-8560)
From CSV to Meterpreter
Linux ptrace introduction AKA injecting into sshd for fun
MS15-099 - Sharepoint XSS
foomatic-rip

Foomatic-RIP (CVE-2015-8560)
exploit

Foomatic-RIP (CVE-2015-8560)
Moving jobs and exploiting flash (CVE-2018-4878)
Linux USBIP overflow (CVE-2016-3955)
MacOS "DirtyNIB" Vulnerability
Disabling MacOS SIP via a VirtualBox kext Vulnerability
Escaping the Sandbox – Microsoft Office on MacOS
Universal XSS via Evernote WebClipper
ExplodingCan - A vulnerability review
Github Desktop - DOM XSS
GitHub Desktop - RCE
Exploiting Windows 10 Kernel Drivers - Stack Overflow
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
Kentico CMS (< 9.0.42) SQLi
MS15-099 - Sharepoint XSS
ROP Primer - Walkthrough of Level 0
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
Exploiting CVE-2018-1038 - Total Meltdown
Windows Server 2016 / Docker Privilege Escalation
Kernel Exploit Demo - Windows 10 privesc via WARBIRD
cve

Foomatic-RIP (CVE-2015-8560)
Moving jobs and exploiting flash (CVE-2018-4878)
Linux USBIP overflow (CVE-2016-3955)
flash

Moving jobs and exploiting flash (CVE-2018-4878)
defcon

Defcon 25 in Review
iot

Defcon 25 in Review
kernel

Disabling MacOS SIP via a VirtualBox kext Vulnerability
Exploiting Windows 10 Kernel Drivers - Stack Overflow
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
Exploiting CVE-2018-1038 - Total Meltdown
office

Escaping the Sandbox – Microsoft Office on MacOS
sysmon

Evading Sysmon DNS Monitoring
etw

Evading Sysmon DNS Monitoring
Hiding your .NET - COMPlus_ETWEnabled
web

Universal XSS via Evernote WebClipper
MS15-099 - Sharepoint XSS
xss

Universal XSS via Evernote WebClipper
secarma

ExplodingCan - A vulnerability review
Industroyer C2 Communication
Setting Service Principal Names To Roast Accounts
Using machine account credentials during an engagement
cobaltstrike

Exploring Cobalt Strike's ExternalC2 framework
Tailoring Cobalt Strike on Target
externalc2

Exploring Cobalt Strike's ExternalC2 framework
mimikatz

Exploring Mimikatz - Part 1 - WDigest
Exploring Mimikatz - Part 2 - SSP
amsi

Exploring PowerShell AMSI and Logging Evasion
csv

From CSV to Meterpreter
mdf

Extracting SQL Server Hashes From master.mdf
forensics

Extracting SQL Server Hashes From master.mdf
Offensive Forensics - Recovering Files
github

Github Desktop - DOM XSS
GitHub Desktop - RCE
drivers

g_CiOptions in a Virtualized World
hevd

Exploiting Windows 10 Kernel Drivers - Stack Overflow
Exploiting Windows 10 Kernel Drivers - NULL Pointer Dereference
hopper

Using Hopper scripting to analyse MacRansom
non-security

How GitHub login detection banner works
javascript

How GitHub login detection banner works
idp

Identity Providers for RedTeamers
okta

Identity Providers for RedTeamers
Okta for Red Teamers
ping

Identity Providers for RedTeamers
onelogin

Identity Providers for RedTeamers
entraid

Identity Providers for RedTeamers
kentico

Kentico CMS (< 9.0.42) SQLi
kerberos

Inter-Realm Key Roasting (well... within the first 30 days)
Kerberos AD Attacks - Kerberoasting
Kerberos AD Attacks - More Roasting with AS-REP
Setting Service Principal Names To Roast Accounts
ptrace

Linux ptrace introduction AKA injecting into sshd for fun
linux

Linux ptrace introduction AKA injecting into sshd for fun
sharepoint

MS15-099 - Sharepoint XSS
tools

NTLMquic
Exploring SCCM by Unobfuscating Network Access Accounts
smb

NTLMquic
plaidctf

PlaidCTF - no_mo_flo writeup
Exploiting with pwndbg - Solving PlaidCTF 2016 SmartStove
Revisiting PlaidCTF - bigpicture
vba

Protecting Your Malware with blockdlls and ACG
radare2

Radare2 - Using Emulation To Unpack Metasploit Encoders
dyld

Restoring Dyld Memory Loading
rop

ROP Primer - Walkthrough of Level 0
ROP Primer - Walkthrough of Level 1
ROP Primer - Walkthrough of Level 2
sql

SQL Server Authentication With Metasploit and MITM
metasploit

SQL Server Authentication With Metasploit and MITM
sqlserver

The SQL Server Crypto Detour
llm

Tokenization Confusion
machine-learning

Tokenization Confusion
sccm

Exploring SCCM by Unobfuscating Network Access Accounts
docker

Windows Server 2016 / Docker Privilege Escalation
xbox

Xbox One Controller Hacking
usb

Xbox One Controller Hacking
dotnet

Weird Ways to Run Unmanaged Code in .NET