Nate Subra
natesubra.com
Nate Subra
@natesubra.com
Adversary Simulation, Red Team Lead, Security Research @ LFI
Posts are my own
He/Him
#redteam #offsec #malware #cybersecurity
https://secdsm.org
I use my real name. The trick is figuring out my handles
@natesubra@infosec.exchange
Reposted by Nate Subra
PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible to build a multi-stage and modular C2 implant made of PICOs.

github.com/pard0p/PICO-...
GitHub - pard0p/PICO-Implant: PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible...
github.com
November 7, 2025 at 4:10 PM
Reposted by Nate Subra
LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.

github.com/pard0p/LibIPC
GitHub - pard0p/LibIPC: LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.
github.com
November 2, 2025 at 11:29 AM
Reposted by Nate Subra
Blog post about my recent CVE-2025-58726, aka “The Ghost Reflection” is out, read it here:
semperis.com/blog/exploit...
🙃
Exploiting Ghost SPNs and Kerberos Reflection for SMB Privilege Elevation
Understanding how attackers use Ghost Service Principal Names to initiate authentication reflection can help you avoid similar vulnerabilities.
semperis.com
October 29, 2025 at 5:19 PM
Reposted by Nate Subra
LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...
GitHub - rasta-mouse/LibGate: A Crystal Palace shared library to resolve & perform syscalls
github.com
October 29, 2025 at 5:15 PM
Reposted by Nate Subra
Good News, Everyone! We have the official dates for #DEFCON34! And to make up for the delay, we also have the dates for #DEFCON35!

Please join us at the Las Vegas Convention Center August 6-9 in 2026 and August 5-8 in 2027.

Save the dates, friends. It'll be here before you know it.

#defcon
October 29, 2025 at 6:49 PM
Reposted by Nate Subra
NTLM relay research is evolving!

Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.

Grab your spot → ghst.ly/oct-web-bsky
October 29, 2025 at 10:25 PM
Reposted by Nate Subra
And it's released! 🎉

github.com/ofasgard/exe...

I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!
github.com
October 16, 2025 at 4:13 PM
Reposted by Nate Subra
1 little known secret of help.exe

www.hexacorn.com/blog/2025/10...
October 19, 2025 at 1:13 AM
Reposted by Nate Subra
Pop a vendor website, replace their /.well-known/security.txt with your own rogue contact info, and wait for the bugs to roll in.
October 20, 2025 at 7:41 PM
Reposted by Nate Subra
Why plant a Tradecraft Garden?

April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...
Post-ex Weaponization: An Oral History
vimeo.com
October 14, 2025 at 4:57 PM
Reposted by Nate Subra
MacroPack v2.8.7 is out!
New GUI & updated EDR evasion! New features include Advanced LNK spoofing, expanded .NET obfuscation, and ML-evasion.
For authorized red-team use!

#RedTeam #offensivesecurity
October 14, 2025 at 4:10 PM
Reposted by Nate Subra
Working on a fun Crystal Palace loader that hooks APIs and pushes them through a call stack spoofing PICO.
October 4, 2025 at 8:00 PM
Reposted by Nate Subra
September 19, 2025 at 11:14 PM
Reposted by Nate Subra
Win32_Process has been the go-to WMI class for remote command execution for years.

Steven Flores explores a new WMI class that functions like Win32_Process and offers further capability. Read more: ghst.ly/4gyPbkr
More Fun With WMI - SpecterOps
ghst.ly
September 18, 2025 at 4:36 PM
Reposted by Nate Subra
This report from @interseclab.bsky.social on how a Chinese company is exporting some of the capabilities of "The Great Wall of China" to other autocratic countries is INSANELY INTERESTING:

interseclab.org/wp-content/u...

*EVERY Page is worth reading*

Some interesting tidbits in the thread
interseclab.org
September 14, 2025 at 6:15 PM
Reposted by Nate Subra
DLL ForwardSideloading

www.hexacorn.com/blog/2025/08...

using forwarded DLL functions for sideloading purposes
August 19, 2025 at 10:32 PM
Reposted by Nate Subra
DLL ForwardSideloading, Part 2

www.hexacorn.com/blog/2025/09...
September 3, 2025 at 11:36 PM
Reposted by Nate Subra
The DSInternals PowerShell module just got an upgrade! 🔥

Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility

Read more from Michael Grafnetter: ghst.ly/412rZ7F
Juicing ntds.dit Files to the Last Drop - SpecterOps
Discover the latest enhancements to the DSInternals PowerShell module, including the Golden dMSA Attack and support for LAPS, trust passwords, or BitLocker recovery keys.
ghst.ly
August 14, 2025 at 5:21 PM
Reposted by Nate Subra
The AD CS security landscape keeps evolving, and so does our tooling. 🛠️

Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI
Certify 2.0 - SpecterOps
Certify 2.0 features a suite of new capabilities and usability enhancements. This blogpost introduces changes and features additions.
ghst.ly
August 11, 2025 at 8:38 PM
August 8, 2025 at 2:15 AM
Reposted by Nate Subra
BloodHound 8.0 is here.

A big leap forward in identity security prevention.

Now we’re able to model attack paths across the entire modern enterprise stack.

Our folks will be at #BlackHat next week to show off a few examples. Check it out:
BloodHound v8.0 is here! 🎉

This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.

Read more from Justin Kohler: ghst.ly/bloodhoundv8

🧵: 1/7
July 29, 2025 at 5:23 PM
Reposted by Nate Subra
We’re trying something new.

www.preludesecurity.com/runtime-memo...
July 31, 2025 at 11:00 AM
Reposted by Nate Subra
[BLOG]
Integrating Tradecraft Garden PIC loaders into Cobalt Strike
rastamouse.me/harvesting-t...
June 8, 2025 at 1:43 AM