Lee Chagolla-Christensen
tifkin.bsky.social
I like making computers misbehave. Does stuff at http://specterops.io.

Github: https://github.com/leechristensen
Mastodon: @tifkin_@infosec.exchange
Reposted by Lee Chagolla-Christensen
Credential Guard was supposed to end credential dumping. It didn't.

Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.

Read for more: ghst.ly/4qtl2rm
Catching Credential Guard Off Guard - SpecterOps
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
ghst.ly
October 23, 2025 at 5:45 PM
Reposted by Lee Chagolla-Christensen
Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...
GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline
An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.
github.com
June 28, 2025 at 4:14 AM
Reposted by Lee Chagolla-Christensen
So, here's a little thread on my new open source project:

The Tradecraft Garden.

tradecraftgarden.org

It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.

And, a corpus of DLL loaders demonstrating design patterns building tradecraft with it.
June 5, 2025 at 2:36 PM
Reposted by Lee Chagolla-Christensen
Post-ex Weaponization: An Oral History

aff-wg.org/2025/04/10/p...

A walk-through of some history on post-ex eco-systems used by CS (PowerShell, Reflective DLLs, .NET, and BOFs).

Ends with a coffee conversation talking about magician's guilds, security research, and ideas about what's next.
April 10, 2025 at 2:24 PM
Reposted by Lee Chagolla-Christensen
I attended last week's Pall Mall Process conference in Paris.

I wanted to dump a few notes, writing from my perspective as a security researcher, hacker, former entrepreneur, and creator of a well-known C2 platform (one that, importantly, I'm no longer involved with).
April 7, 2025 at 10:21 PM
Reposted by Lee Chagolla-Christensen
BIG NEWS: SpecterOps raises $75M Series B to strengthen identity security! Led by Insight Partners with Ansa Capital, M12, Ballistic Ventures, Decibel, and Cisco Investments. ghst.ly/seriesb

#IdentitySecurity #CyberSecurity

(1/6)
March 5, 2025 at 5:33 PM
Ghidra 11.3 is out! There's some awesome new features, but I want to highlight how responsive the dev team is to questions, issues, and feature suggestions. They've addressed several issues I've opened, notably a bunch of quality of life UI/UX things I've had while using Ghidra.
February 7, 2025 at 9:00 PM
Reposted by Lee Chagolla-Christensen
The results are in! We're proud to announce the Top 10 Web Hacking Techniques of 2024! portswigger.net/research/top...
Top 10 web hacking techniques of 2024
Welcome to the Top 10 Web Hacking Techniques of 2024, the 18th edition of our annual community-powered effort to identify the most innovative must-read web security research published in the last year
portswigger.net
February 4, 2025 at 3:02 PM
@tiraniddo.dev Did you by chance check if the MUP redirector supports port specification in UNC paths?
January 31, 2025 at 6:18 PM
Reposted by Lee Chagolla-Christensen
SlackPirate sets sail again! 🏴‍☠️

In his latest blog post, Dan Mayer intros his new PR to SlackPirate that lets you loot Slack again out of the box, a BOF to get you all the data you need to do it, & how to bee the most active slacker in your group chat. 🐝 ghst.ly/4hgwMIt
SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack
TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a…
ghst.ly
January 31, 2025 at 4:27 PM
Reposted by Lee Chagolla-Christensen
New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
Windows Bug Class: Accessing Trapped COM Objects with IDispatch
Posted by James Forshaw, Google Project Zero Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...
googleprojectzero.blogspot.com
January 30, 2025 at 6:37 PM
Reposted by Lee Chagolla-Christensen
The Misconfiguration Manager DETECT section has been updated with fresh guidance to help defensive operators spot the most prolific attack techniques.

Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F
Misconfiguration Manager: Detection Updates
TL;DR: The Misconfiguration Manager DETECT section has been updated with relevant guidance to help defensive operators identify the most…
ghst.ly
December 16, 2024 at 4:08 PM
Reposted by Lee Chagolla-Christensen
Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph 😃
December 12, 2024 at 3:59 PM
Reposted by Lee Chagolla-Christensen
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
November 25, 2024 at 5:31 PM
Reposted by Lee Chagolla-Christensen
If you missed Part 4 in our What is Tier Zero webinar series hosted by Jonas Bülow Knudsen, @martinsohn.dk & @tifkin.bsky.social last week, you can watch the full presentation on demand now!

👀: ghst.ly/4eSssxL
November 19, 2024 at 9:51 PM
So long and thanks for the CVEs!
Tomorrow, 10am, BinaryFormatter dies.
November 12, 2024 at 10:41 PM
Reposted by Lee Chagolla-Christensen
Tomorrow, 10am, BinaryFormatter dies.
November 12, 2024 at 4:19 AM
Reposted by Lee Chagolla-Christensen
🆕 New blog post! "Exploiting KsecDD through Server Silos"

In my latest mini research project, I've been working with my teammate @PMa1n (X) on extending the work of @floesen_ (X) on the KsecDD driver. I'm thrilled to finally share the results.

👉 blog.scrt.ch/2024/11/11/e...
Exploiting KsecDD through Server Silos – SCRT Team Blog
blog.scrt.ch
November 11, 2024 at 1:40 PM