stuk0v.bsky.social
@stuk0v.bsky.social
Pentester
Wannabe Red Teamer
AD/Entra enthusiast
Pinned
Really liked the Windows Access Tokens course from Zero-Point / @rastamouse.me ! I made a little tool while going through the course, and it helped me understand and apply the knowledge. github.com/5tuk0v/Point...
GitHub - 5tuk0v/PointyTokenz: Windows Access token manipulation tool made in C#
Windows Access token manipulation tool made in C#. Contribute to 5tuk0v/PointyTokenz development by creating an account on GitHub.
github.com
Reposted
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 10, 2025 at 6:21 PM
Reposted
Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?
September 26, 2025 at 5:12 PM
Reposted
Playing with @raphaelmudge.bsky.social's latest CP update (it's very cool). I have mixed feelings about merging COFFs though. It simplifies overall development and gives the loader fewer jobs to do, but on the other hand you lose some flexibility about where each "part" goes in memory.
September 12, 2025 at 12:49 PM
Reposted
COFFing out the Night Soil

aff-wg.org/2025/09/10/c...

A COFF-focused Crystal Palace update:

* internal COFF normalization & section group merging
* Crystal Palace can now export COFF
* I added COFF merging to the spec language too

Linker stuff.
I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …
aff-wg.org
September 10, 2025 at 9:37 PM
Reposted
Trying to fly under EDR's radar?

@logangoins.bsky.social explains how to use HTTP-to-LDAP relay attacks to execute tooling completely off-host through the C2 payload context. Perfect for when you need LDAP access but want to avoid being caught stealing creds. ghst.ly/41mjMv7
Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP - SpecterOps
TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to LD...
ghst.ly
August 22, 2025 at 6:24 PM
Reposted
What all do you need to know about BloodHound CE 8.0 & OpenGraph? @scoubi.bsky.social is joining @redsiege.com's Wednesday Offensive tomorrow to dive into the JSON schema for OpenGraph, how to ingest nodes & edges, best practices, & how to create custom icons.

Join 👉 ghst.ly/46MNltn
August 12, 2025 at 4:00 PM
Reposted
PDQ SmartDeploy versions prior to 3.0.2046 used static, hardcoded encryption keys for cred storage. Low-privileged users could potentially access admin creds from registry or deployment files.

@unsignedsh0rt.bsky.social unpacks his testing in his latest blog post. ghst.ly/4mjyuvw
HKLM\SYSTEM\Setup\sMarTdEpLoY - The (Static) Keys to Abusing PDQ SmartDeploy - SpecterOps
TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure credential storage. Low-privileged users may recover and decrypt privileged credentials, such as Local Administrator or Active Directory domain-joined accounts, from the registry of managed devices or from operating system (OS) deployment files stored on deployment servers. Introduction PDQ SmartDeploy […]
ghst.ly
August 12, 2025 at 9:53 PM
Reposted
The AD CS security landscape keeps evolving, and so does our tooling. 🛠️

Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI
Certify 2.0 - SpecterOps
Certify 2.0 features a suite of new capabilities and usability enhancements. This blogpost introduces changes and features additions.
ghst.ly
August 11, 2025 at 8:38 PM
Reposted
During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

github.com/olafhartong/...

Slides available here:
github.com/olafhartong/...
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes.
A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. - olafhartong/BamboozlEDR
github.com
August 6, 2025 at 8:49 PM
Reposted
The ADSyncCertDump tool is now part of the adconnectdump tools and can be used to extract SP credentials from Entra ID connect hosts. I will cover that during my BH/DC talks today and Friday! Tool is heavily based on Shwmae by @ethicalchaos.bsky.social
Link: github.com/dirkjanm/adc...
August 6, 2025 at 3:24 PM
Reposted
Last LWIS before DEF CON. Come see us in the Embedded Systems Village where we have a mini-workshop hosting an emulated camera on Ludus for you to hack!

blog.badsectorlabs.com/last-week-in...
Last Week in Security (LWiS) - 2025-08-04
AEM RCE (@infosec_au), Intune cert abuse (@_dirkjan), Entra tradecraft (@hotnops), LLMs for R&D (@kyleavery_), File System API research (@Print3M_), and more!
blog.badsectorlabs.com
August 5, 2025 at 3:47 PM
Reposted
👋 Say hello to Nemesis 2.0, a streamlined, Docker Compose-based platform that is laser-focused on file triage. After introducing v1 two years ago, the team has reworked the platform to better serve what people need from it.

Read more from @harmj0y.bsky.social: ghst.ly/4mxQzFU
Nemesis 2.0 - SpecterOps
Nemesis 2.0 is a complete rewrite of the Nemesis file enrichment pipeline with a simplified and extensible architecture, new interface, and a focus on file triage and operator workflows.
ghst.ly
August 5, 2025 at 4:52 PM
Reposted
Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...
July 31, 2025 at 4:19 PM
Reposted
Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps
How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains
ghst.ly
July 30, 2025 at 5:01 PM
Reposted
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates.

Also includes ESC1 over Intune (in some cases).
dirkjanm.io/extending-ad...

Oh, and a new tool for SCEP: github.com/dirkjanm/sce...
Extending AD CS attack surface to the cloud with Intune certificates
Active Directory Certificate Services (AD CS) attack surface is pretty well explored in Active Directory itself, with *checks notes* already 16 “ESC” attacks being publicly described. Hybrid attack pa...
dirkjanm.io
July 30, 2025 at 3:46 PM
Reposted
BloodHound v8.0 is here! 🎉

This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.

Read more from Justin Kohler: ghst.ly/bloodhoundv8

🧵: 1/7
July 29, 2025 at 1:13 PM
Reposted
VMware Tools LPE (@justbronzebee), Adaptix C2 0.7 (@hacker_ralf), Ludus MCP (@__Mastadon), SOAP(y) (@_logangoins), and more!

blog.badsectorlabs.com/last-week-in...
Last Week in Security (LWiS) - 2025-07-28
blog.badsectorlabs.com
July 29, 2025 at 3:58 PM
Reposted
The industry recommendation for DPAPI backup key compromise remediation is to destroy and rebuild the environment.

Alexander Sou explores why this is the current industry guidance. ghst.ly/40DTLHk
DPAPI Backup Key Compromise Pt. 1: Some Forests Must Burn - SpecterOps
Industry guidance for DPAPI backup key compromise remediation is drastic. Let's explore why.
ghst.ly
July 28, 2025 at 6:55 PM
Reposted
Published a small collection of PIC loaders for Cobalt Strike, based on my experiments with Crystal Palace.
github.com/rasta-mouse/...
GitHub - rasta-mouse/Crystal-Loaders: A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike
A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike - rasta-mouse/Crystal-Loaders
github.com
July 26, 2025 at 11:21 AM
Reposted
[BLOG]
Here's the post - I demonstrate my QoL improvements for working with the TCG codebase. This includes vscode with intellisense support, and producing debug builds for use in WinDbg.
rastamouse.me/debugging-th...
I think I've got a nice way to produce debug builds for Crystal Palace loaders. It produces an EXE that works with WinDbg so you can debug against the source code, with locals, etc.
July 25, 2025 at 11:17 AM
Reposted
Classic NTLM relay problem: Stuck on port 445/TCP, can't use WMI (needs 135/TCP), and dumping hashes triggers EDR alerts.

So what's a stealthy attacker to do? 🤔

Our latest blog post explores evasive alternatives beyond the old techniques. ghst.ly/3ILR1l0
Escaping the Confines of Port 445 - SpecterOps
NTLM relay attacks targeting SMB restrict lateral movement options to those that solely require port 445/TCP. Learn at least one method of overcoming this restriction to enable additional lateral move...
ghst.ly
July 25, 2025 at 12:02 AM
Reposted
Real-time collaboration has landed in Ghostwriter v6.0! 👻

Multiple users can now edit observations, findings, & report fields simultaneously w/o the chaos of overwriting each other's work.

@printingprops.com dives into the details in his latest blog update. ghst.ly/3TTSrwc
Ghostwriter v6 is Live! - SpecterOps
TL;DR: Ghostwriter now supports real-time collaborative editing for observations, findings, and report fields using the YJS framework, Tiptap editor, and Hocuspocus server, enabling multiple users to ...
ghst.ly
July 23, 2025 at 6:15 PM
Reposted
PIC agents (@_RastaMouse), ToolShell, Async BOFs (@Cneelis), SCCM MP relays (@unsigned_sh0rt), RAITrigger (@ShitSecure), and more!

blog.badsectorlabs.com/last-week-in...
Last Week in Security (LWiS) - 2025-07-21
blog.badsectorlabs.com
July 22, 2025 at 9:38 PM
Reposted
[BLOG]
My thoughts (and code examples) for writing modular PIC C2 agents.
rastamouse.me/modular-pic-...
Modular PIC C2 Agents
All post-exploitation C2 agents that I'm aware of are implemented as a single rDLL or PIC blob. This means that all of their core logic such as check-ins, processing tasks, sending output, etc., are a...
rastamouse.me
July 20, 2025 at 12:25 PM
Reposted
Now live on tools.honoki.net/smuggler.html

Let me know what you think! ✨
July 22, 2025 at 1:38 PM