Joined May 2012
CU retweeted
This morning I have made public an internal repo on relaying available to everyone. I call it the relay bible. I still have a few more additional tweaks and techniques to add in here, but for the most part it's ready. Hope everyone enjoys my reference. github.com/rootsecdev/relay_…
CU retweeted
Good to see people researching and publishing on this. Worth paying attention to Passkey and FIDO 2FA security in the context of malicious client-side JS and supply chain attacks. We’re not seeing this attack often yet, but we'll likely see more now that everything moves faster.
I didn't realise it was so trivial for an XSS vulnerability to allow an attacker to register their passkey on your account! scotthelme.co.uk/xss-is-dead…
CU retweeted
May 18
Seems to be hot. A 6-year-old LPE that was fixed(?) in 2020 by MS is still (again?) working on Win11 (and Server 2025). Just tried the freshly weaponized PoC by @ChaoticEclipse0. Regular user -> SYSTEM works like a charm on an up-to-date Win11. 🎉 deadeclipse666.blogspot.com/…
It's confirmed: the CVE-2020-17103 patch is ineffective and the vulnerability still exists. A weaponized PoC can be found here - deadeclipse666.blogspot.com/… Tested against fully patched Windows 11 and Server 2025 machines.
CU retweeted
Earlier today Cloudflare's CSO shared how they tested Anthropic Mythos using an unreleased 8-stage vulnerability-discovery agent. So I asked Opus to implement the agent for me; it works via Claude SDK with a Pro or Max subscription, no API. Enjoy github.com/evilsocket/audit
CU retweeted
Built a fun little project this weekend: surface-watch. It's a lightweight external attack surface monitoring framework that builds scope from known FQDNs and IPs plus automatic root-domain discovery using passive providers like DNSDumpster, Chaos, and OTX, resolves candidate hosts, scans externally reachable ports with nmap, stores history in SQLite, detects meaningful changes between scans, and sends grouped alerts to Slack, Teams, or Discord. I also added an AGENTS.md setup guide so you can just point your agent at the repo, answer a few setup questions, and get going pretty quickly. github.com/Nextron-Labs/surf…
CU retweeted
Been very interested in Async BOFs lately and implemented a few for use with Conquest. The first implements Rubeus monitor as a BOF and notifies when TGTs are collected. The second monitors for clipboard changes and returns them. github.com/jakobfriedl/tgt-m… github.com/jakobfriedl/clipb…
CU retweeted
Had some fun making this credential dumper BOF implementing the Silent Harvest mechanism from @haider_kabibo. Thanks to him as well as @R0h1rr1m for his SilentNimvest implementation of the research! github.com/Octoberfest7/Sile…
CU retweeted
26 LLM routers are secretly injecting malicious tool calls and stealing creds. One drained our client's $500k wallet. We also managed to poison routers to forward traffic to us. Within several hours, we can directly take over ~400 hosts. Check our paper: arxiv.org/abs/2604.08407
CU retweeted
LLMs have changed the way offensive security practitioners reason about problems and build offensive capabilities. @evan_pena2003 and I wrote how our @ArmadinSecurity red team approaches this in the new age of LLMs ⬇️ armadin.com/blog-posts/think…
CU retweeted
We found that Wi-Fi client isolation can often be bypassed. This allows an attacker who can connect to a network, either as a malicious insider or by connecting to a co-located open network, to attack others. NDSS'26 paper: ndss-symposium.org/wp-conten… GitHub: github.com/vanhoefm/airsnitc…
CU retweeted
This is Cloudflare's encryption and I am not kidding. Amazes me every time I think about it.
entropy
CU retweeted
Replying to @Defte_
Update: Thanks to @RedTeamPT, I created a pull request for ntlmrelayx to reflect the new requirements: github.com/fortra/impacket/p… Now Shadow Creds are working again 😀
CU retweeted
Jan 21
Added a feature to the ADExplorerSnapshot script today to gather useful information about the environment via the classes; now it will tell you if SCCM, ADCS, etc. are active in the environment. github.com/c3c/ADExplorerSna… Thank you @c3c for the awesome tool and the quick PR approval.
CU retweeted
Just released a new @SpecterOps blog! I discovered that during client push in SCCM envs it's possible to remotely start WebClient and coerce HTTP from site servers for a relay to LDAP, resulting in hierarchy takeover when WebClient is installed! 🫠 specterops.io/blog/2026/01/1…
CU retweeted
ProfileHound is a post-escalation tool to help find and achieve red-teaming objectives by locating domain user profiles on machines. It uses the BloodHound OpenGraph format to build a new edge called which determines if a user profile exists on a computer. This edge allows operators to make informed decisions about which computers to target for looting secrets. github.com/m4lwhere/profileh…
CU retweeted
So this is a fun one. I previously wrote about relaying a management point (or site server) to the site database to dump TaskSequence and NAA policies and steal credentials. Turns out we can take advantage of this a bit more after taking over the site. specterops.io/blog/2025/07/1…
CU retweeted
Hello folks, inspired by @lefterispan, I'm releasing a BOF implementation of COM-Hunter for @_CobaltStrike. The BOF version includes the exact same features as the .NET implementation, and I recently added a remove-mode feature to both versions. I hope this BOF proves useful in your operations. Project Link: github.com/nickvourd/COM-Hun… #redtea #cobaltstrike #bof #beacon #persistence