Penetration tester, red teamer and capture the flag player with incident response experience.

Joined May 2020
Yeeb retweeted
Jun 13
Releasing Tunnel Vision Toolkit, part of my @x33fcon talk on Microsoft Global Secure Access. Includes BOFs to assist in engagements where you face GSA, plus a rogue client that lets you connect to internal resources from unmanaged devices. github.com/ar0x4/tunnel-visi…
Yeeb retweeted
At #x33fcon currently @_ar0x4 presenting "#Tunnel Vision: What #Microsoft's Secure Edge Can't See" - x33fcon.com/#!/s/ArshiaReisi… - #red, #purple, #research, #windows
Yeeb retweeted
After “The Art of Evasion” @x33fcon I’m publishing NimSyscallPacker to the public. This is the most advanced public Packer/Loader I’m aware of: github.com/S3cur3Th1sSh1t/Ni…
Yeeb retweeted
MSSQL has always been a favorite target. Now it ships its own egress channel. @gershsec's latest research breaks down how SQL Server 2025's native AI features enable exfil, NTLM coercion, and C2 transport, all functioning as intended. Read more 👇 ghst.ly/4e2L3JX
Yeeb retweeted
👨🏻‍💻 Did you know that it’s possible to perform RCE in Internet Explorer via clickjacking? Igor Sak-Sakovsky's (@Psych0tr1a) new article will explain how! swarm.ptsecurity.com/the-cli…
Yeeb retweeted
Found an unpatched RCE in Gogs 👀 Any authenticated user can get code execution on the server through argument injection into git rebase. Full @rapid7 writeup @metasploit module available now! 🔗rapid7.com/blog/post/ve-auth…
Yeeb retweeted
Stop burning RDP persistence with 4732 alerts. Bypass the "Remote Desktop Users" group entirely. GUI access only requires:
- SeRemoteInteractiveLogonRight (Inject SID via secedit)
- RDP-Tcp listener permissions (Modify CIM class)

OPSEC: Trades 4732 for 4704. Most SOCs don't tune 4704 with the same aggression. h/t @Cptjesus for the concept.
Yeeb retweeted
May 17
Really hyped to be speaking at #x33fcon this year! Can’t wait, it’s gonna be a good one 🔥
🚀#x33fcon 2026. We are ready! 🚀 ⌛️Last 17 seats available... > x33fcon.com
Yeeb retweeted
New small Blog Post from my side - anyone faced 429 too many requests on Microsoft Graph in your projects? This blog provides more insights on how to bypass those. 🫡 r-tec.net/r-tec-blog-the-429…
Yeeb retweeted
Impacket 0.13.1 is live! This release includes new relay surfaces, stronger support for modern Windows and SQL Server environments, and a set of practical improvements across the examples scripts. Check out the blog post to get more details> coresecurity.com/blog/whats-…
Yeeb retweeted
Abusing ESC1 to get domain admin.

Yeeb retweeted
May 11
shipping: WinSSHound maps SSH access in AD as BloodHound paths. because Windows OpenSSH cheerfully ignores your "Deny Logon" GPOs (pre-2025) and on a default sshd_config every Authenticated User in the domain can walk right in. Why? Because Microsoft. github.com/1r0BIT/WinSSHound
Yeeb retweeted
I checked and it's been 2 years since my last blog post??? So anyway, here's a quick blog post about KDP pool - the latest KDP feature that will replace the secure pool in future Windows versions: windows-internals.com/goodby…
Yeeb retweeted
Every JWT writeup online covers 2–3 attacks and stops. I got tired of jumping between 40 blog posts, so I wrote the whole thing. All in one place. rmrf.tips/en #infosec #appsec #bugbounty #websec #jwt
Yeeb retweeted
Finally, it is published 😁 Making Vulnerable Drivers Exploitable Without Hardware - my latest research on driver vulnerability hardware-gating, explaining the concept of hardware-dependent code and diving deep into creative deployment techniques - software-emulated phantom devices, driver restacking, and forced driver replacement — all explored through the lens of Bring Your Own Vulnerable Driver (BYOVD) attacks: atos.net/wp-content/uploads/…

Yeeb retweeted
Attacking heavy applications through named pipes: an attack surface often overlooked due to its complexity. In this article, @TurboThonSec explains how we designed a tool abusing legitimate processes to attack highly privileged components of heavy clients. Article⬇️ synacktiv.com/en/publication…
Yeeb retweeted
New Titanis release => github.com/trustedsec/Titani… The new Dsrep lets you dump secrets from AD, Ldap supports queries for DNS records and timestamp conversions, Dcom supports dotted-property notation, along with other enhancements and fixes.
Yeeb retweeted
Just put your vbscript inside of html and put that inside of an mp3 in the middle of some frame data and mshta will just... Fucking execute it?!?!
Replying to @h4x0r_dz
oh shit "1-9-18[dot]com" Registered On 2026-04-11 🤣
Yeeb retweeted
most aligned claude: