Joined June 2018
Pinned Tweet
Jan 6
Introducing Cyllex - Advanced APT Emulation Framework. cyllex.io/
I've been working on this for a while, pouring real effort and love into it. Not a quick release, I'm going step by step, building something solid. Some of the current features include:
▸ APT database with real-world campaign emulation
▸ Cross-platform agents via binary patching
▸ Agent, Agentless (WinRM/SSH), and Cloud execution
▸ Direct shell access for real-time interaction
▸ Interactive MITRE ATT&CK detection coverage tracking
▸ Calendar-based campaign scheduling
▸ Webhook notifications (Slack, Teams...)
▸ Robust TTPs: On-Premise (Windows/Linux), Cloud, and Containers
I'll be sharing updates as the project evolves. Thank you, and happy new year!
_Ray retweeted
Cobalt Strike 4.13 is live! Say "Hello World" to our Beacon Interpreter for native C scripting - plus an LLVM Beacon, smoother docking UX, sharper payload management and more. Read about all the new features in the release blog! cobaltstrike.com/blog/cobalt…
_Ray retweeted
New Release Havoc Professional 0.7: K-Noir 🐺
- Linux Implant for x86_64 and AArch64
- Stack Spoofing: Callstack Function Rule System
- Stack Spoofing: CET Compliance and evasion improvements.
- New Registry manipulation extension with anti-forensic features
- TCP based channels for direct and p2p communication
- New thread injection and memory allocation techniques via the Inject-kit
- Embedded Python Debug Server into the Havoc Client
And major Quality-of-Life improvements and features for operational use while making it more stable and modular. Link down below 🔗
_Ray retweeted
Microsoft has addressed a one-click NTLM leak vulnerability affecting Windows Snipping Tool (CVE-2026-33829), discovered by our researcher Marcos Díaz (@Calvaruga). ➡️ Read the write-up: github.com/blackarrowsec/red… ➡️ Microsoft bulletin: msrc.microsoft.com/update-gu…
_Ray retweeted
[BLOG] This post demonstrates how to weave evasion tradecraft (using Crystal Palace) into a merged COFF suitable for use as Beacon's sleepmask. It's actually more of an exploration as to whether evasion knowledge in a capability is good or bad (or both). rastamouse.me/crystal-mask/
_Ray retweeted
Mar 29
I’ve been grinding hard on AI for the better part of the last 8 months - learning, building, adapting, and pulling late nights just like so many others right now. Cutting through the FUD and hype, there is real potential here. Industry-breaking potential. The era we’ve been waiting for - to finally supercharge and develop the tools and platforms we’ve wanted to build for years - is here, and agent assistance is accelerating everything.
With coding agents, I’ve built solid tools and had research breakthroughs that would have taken weeks or months before. These should feel like real wins worth celebrating. But honestly? I don’t feel victorious. In many ways, it just feels necessary to keep pace. As Dave said: adapt or be left behind - and for good reason. I’m not ready to be left behind.
But damn, I’m tired. I’m tired of constantly reinventing myself. Tired of constantly re-tooling. Tired of the endless cycle of keeping up, the late nights, and the personal sacrifices that come with it. I’ve even lost the desire to share knowledge and research with the community the way I used to. From the conversations I’ve had, I’m far from alone - many others in this space feel the same but don’t necessarily vocalize it outside of smaller circles.
Is it because I see AI purely as a threat? Not really. The offensive side of our industry has been heading this way for a while, and I’ve been moving with it. The truth is, the excitement Dave describes is real - but for me right now, it’s mixed with exhaustion. I’m grateful for the breakthroughs, yet I catch myself wondering how long I can sustain this level of constant reinvention without something giving.
The early-2000s energy is back, sure… but so is the burnout that often came with it. Being a bit older now, with young kids at home, the pace hits differently. I don’t have the same endless energy I once did, and the late nights and constant context-switching carry a heavier weight.
Finding balance is tough, but it feels more important than ever. Hopefully we can all figure out how to ride this wave more sustainably - without burning out in the process.
What I see in cybersecurity: AI has re-invigorated an industry that was largely stale for the past ten years. Complete new green field. Changes everything. New innovation happening every day. Need to adapt or be left behind. This reminds me of the early 2000s, it’s exciting, addicting, and it’s going to be fun as hell.
_Ray retweeted
🔥🤖Excited to share a new blog I co-authored with @h4wkst3r and @kulinacs - Automating the Operator: Integrating LLMs into Offensive Security armadin.com/blog-posts/autom… We show how LLMs make offensive work more operationally useful, introduce 2 new MCP servers, and an NTLM relaying Gemini extension POC
_Ray retweeted
Releasing one of my research tools: EVENmonitor🖥️ Inspired by LDAPmonitor, I implemented a monitoring tool for the Windows Event log in pure python. You can just attach it via the network and then filter for specific event IDs or keywords. Available at: github.com/NeffIsBack/EVENmo…

_Ray retweeted
Cyllex v0.4.0: 604 TTPs across 7 platforms. Full Azure & GCP cloud coverage, Kubernetes & Docker container testing, 4 SIEM integrations, and 21 APT group profiles in the new APT Codex. Beta is targeting late March / early April. I track progress publicly, you can see exactly where things stand at any point. One last thing: thank you. Building this solo takes time, and knowing people are actually following along makes it worth it. Every subscription, every piece of feedback, every message asking about the beta reminds me why I started this in the first place. Genuinely appreciate the support. #purpleteam #cyllexframework #aptemulation #mitre #attacksimulation
_Ray retweeted
Havoc Professional Finally Released! 🕸️🕷️ Since our last blog post introducing the Havoc Professional framework and the Kaine-Kit, we've been refining the framework behind the scenes. infinitycurve.org/blog/relea…
_Ray retweeted
Today is the day and I'm sorry it's been so long, and also provisionally delayed by nearly a week. lms.zsec.red launches today with my Malwareless Adversarial Emulation (MAE) course. If you signed up for the waitlist, you should have received an email.
Feb 5
Spent the weekend working on Cyllex and added a Splunk integration for log correlation. Also added detection events for each TTP. There's still a lot of work ahead, but it's starting to look great! I'll keep working on more integrations. Thanks to everyone who's been showing interest and supporting the project! :)
_Ray retweeted
A small rant: The State of Art in Red Team is whatever you want to believe x-c3ll.github.io/posts/Rant-…
_Ray retweeted
Self shadow cred is back again 🔥🔥🔥🔥🔥🔥🔥🔥🥳
Replying to @Defte_
Update: Thanks to @RedTeamPT, I created a pull request for ntlmrelayx to reflect the new requirements: github.com/fortra/impacket/p… Now Shadow Creds are working again 😀
_Ray retweeted
Anyone know if Microsoft silently patched the Shadow Creds attack recently? Looks like a computer object cannot write its own attribute anymore :D
_Ray retweeted
Replying to @Defte_
I just installed a clean version of Server 2022 (20348.169), set it up as a DC, and tried to create a keycredential. That worked. Then I installed the latest cumulative update (KB5073457) and now it does not work anymore. So it seems to be a recent change.
_Ray retweeted
🛠️ SharePointDumper: PowerShell SharePoint extraction auditing tool. ✅Enumerates all SharePoint sites/drives a user can access via Microsoft Graph, recursively downloads files, and logs every Graph SharePoint HTTP request github.com/zh54321/SharePoin…