Dima
@dima.ninja
Reposted by Dima
Microsoft recently published a new feature for Defender for Endpoint (#MDE) called Custom Collection.

@olafhartong.nl explains what Custom Collection is and how it works in his blog: falconforce.nl/microsoft-de...
November 20, 2025 at 1:10 PM
Reposted by Dima
Tradecraft Engineering with Aspect-Oriented Programming

@rastamouse.me pretty much predicted what was coming in his last blog post. attach (Win32 APIs), redirect (local funcs), capability right-sized IAT hooks, and PICO function exports.

Yes, attach can incept its PIC.

aff-wg.org/2025/11/10/t...
Tradecraft Engineering with Aspect-Oriented Programming
It’s 2025 and apparently, I’m still a Java programmer. One of the things I never liked about Java’s culture, going back many years ago, was the tendency to hype frameworks that seemed to over-engin…
aff-wg.org
November 10, 2025 at 6:21 PM
Reposted by Dima
Credential Guard was supposed to end credential dumping. It didn't.

Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.

Read for more: ghst.ly/4qtl2rm
Catching Credential Guard Off Guard - SpecterOps
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
ghst.ly
October 23, 2025 at 5:45 PM
Reposted by Dima
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-gl...
One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise ...
dirkjanm.io
September 17, 2025 at 1:20 PM
Reposted by Dima
COFFing out the Night Soil

aff-wg.org/2025/09/10/c...

A COFF-focused Crystal Palace update:

* internal COFF normalization & section group merging
* Crystal Palace can now export COFF
* I added COFF merging to the spec language too

Linker stuff.
COFFing out the Night Soil
I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …
aff-wg.org
September 10, 2025 at 9:37 PM
Reposted by Dima
Coming Soon: Cobalt Strike meets Claude. See how REST API automation and AI integration will level up engagements, allowing operators to:

- Execute commands via API
- Centralize artifact management
- Utilize AI-powered triage & analysis

ow.ly/KJbn50WVSK9
Fortra's Cobalt Strike 4.12 Preview: Red Team Automation: Demo: Social
1 min 44 sec video
ow.ly
September 12, 2025 at 3:35 PM
Reposted by Dima
If you're in London, Will Burgess (x.com/joehowwolf) is speaking at Beacon %25 on "Linkers and Loaders: Experiments with Crystal Palace" this Thursday.

www.eventbrite.co.uk/e/beacon-25-...

beac0n.org

From his X: "If you enjoy filthy PIC tradecraft it may be of interest!"
Beacon %25
The fourth year of Beacon: London's home of hackers, hunters and EDR dodgers.
www.eventbrite.co.uk
September 9, 2025 at 8:46 PM
Reposted by Dima
DLL ForwardSideloading

www.hexacorn.com/blog/2025/08...

using forwarded DLL functions for sideloading purposes
August 19, 2025 at 10:32 PM
Reposted by Dima
Position Independent Code (PIC) Development Crash Course.

My July 2025 overview of PIC writing fundamentals.

Don't know why jump tables are bad? Got a __chkstk relocation error? Watch this video.

#GoodLuckAndHappyHacking

vimeo.com/1100089433/d...
PIC Development Crash Course
Some helpful content for writing position independent code.
vimeo.com
July 16, 2025 at 3:40 PM
Reposted by Dima
[BLOG]
My thoughts (and code examples) for writing modular PIC C2 agents.
rastamouse.me/modular-pic-...
Modular PIC C2 Agents
All post-exploitation C2 agents that I'm aware of are implemented as a single rDLL or PIC blob. This means that all of their core logic such as check-ins, processing tasks, sending output, etc., are a...
rastamouse.me
July 20, 2025 at 12:25 PM
Reposted by Dima
Taking them to the SHITTER: an analysis of vendor abuse of security research in-the-wild

aff-wg.org/2025/07/13/t...

(There is no benefit modulating my voice for anyone's comfort. This is my fair take, but unapologetic truth. This phenomenon has gone unchecked for too long)
July 14, 2025 at 2:05 PM
Reposted by Dima
Tradecraft Garden: Tilling the Soil

aff-wg.org/2025/07/09/t...

Some updates to... the Tradecraft Garden and Crystal Palace. Info in the 🧵 below:
Tradecraft Garden: Tilling the Soil
Today, I’m releasing another update to the various Tradecraft Garden projects. This update is a dose of Future C2 and some cool updates to the Crystal Palace tech. Here’s the latest: Code Mutation …
aff-wg.org
July 9, 2025 at 9:06 PM
Reposted by Dima
1/ During a recent incident response case, we observed the following file access: \\localhost\C$\@GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit

This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot.
July 10, 2025 at 2:05 PM
Reposted by Dima
Beacon Object Files... Five Years On

aff-wg.org/2025/06/26/b...

I released BOFs with Cobalt Strike 4.1 five years ago. This is some history on the feature and what led to it. My thinking at the time. A few thoughts on current discourse.
Beacon Object Files – Five Years On…
When I was active in the red teaming space, one of my stated goals was to act on problems with solutions that would have utility 5-10 years from the time of their release. This long-term thinking w…
aff-wg.org
June 26, 2025 at 6:48 PM
Reposted by Dima
[BLOG]
Integrating Tradecraft Garden PIC loaders into Cobalt Strike
rastamouse.me/harvesting-t...
June 8, 2025 at 1:43 AM
Reposted by Dima
So, here's a little thread on my new open source project:

The Tradecraft Garden.

tradecraftgarden.org

It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.

And, a corpus of DLL loaders demonstrating design patterns building tradecraft with it.
June 5, 2025 at 2:36 PM
Reposted by Dima
Looking for the keys to BeaconGate? In our latest blog, get a walkthrough of techniques that show how BeaconGate can be used to quickly PoC, debug, and weaponize custom call stack spoofing routines in Cobalt Strike.
www.cobaltstrike.com/blog/instrum...
June 5, 2025 at 3:38 PM
Reposted by Dima
🤘 We're doing the Infosec Kart Cup again! 🏎️

June 19. Be quick to reserve your spot. 2024 was fully booked.

Oh, and check out our awesome website: www.infoseckartcup.nl
April 11, 2025 at 7:33 AM
Reposted by Dima
[Blog] This ended up being a great applied research project with my co-worker Dylan Tran on weaponizing a technique for fileless DCOM lateral movement based on the original work of James Forshaw. Defensive recommendations provided.

- Blog: ibm.com/think/news/f...
- PoC: github.com/xforcered/Fo...
Fileless lateral movement with trapped COM objects | IBM
New research from IBM X-Force Red has led to the development of a proof-of-concept fileless lateral movement technique by abusing trapped Component Object Model (COM) objects. Get the details.
ibm.com
March 25, 2025 at 9:21 PM
Reposted by Dima
Automatic browser SSO with a PRT on a victim device over an Outflank C2 implant 🥰 using ROADtools and some hackery from Max Grim.
March 27, 2025 at 11:52 AM
Reposted by Dima
[BLOG]
This post summarises how to tie Cobalt Strike's UDRL, SleepMask, and BeaconGate together for your syscall and call stack spoofing needs.

rastamouse.me/udrl-sleepma...
UDRL, SleepMask, and BeaconGate
I've been looking into Cobalt Strike's UDRL, SleepMask, and BeaconGate features over the last couple of days. It took me some time to understand the relationship between these capabilities, so the aim...
rastamouse.me
November 30, 2024 at 2:05 AM