Red/Purple/Research | Adversary Services @xforce red

Joined August 2017
Pinned Tweet
27 Nov 2023
[Blog] Abusing .NET Core CLR Diagnostic Features (CVE-2023-33127) - Analysis of .NET diagnostic features and tradecraft - Walkthrough of a .NET Cross-Session Local Priv Esc (LPE) - Defensive Recommendations bohops.com/2023/11/27/abusin…
Dad Rule #1: When you promise your kids something, you do everything you can to make that happen, even if it is just a silly game in the end.
Trying to vibe code a Pacman-like game for the kids with a local model. This pretty much sums up how that adventure is going...
Jun 11
IPv6 was a failed experiment and thus a mistake.
Holy cow people, I didn't even say I hate IPv6 in that tweet! I didn't realize IPv6 vs v4 discussions result in flamewars worse than tabs vs spaces.
bohops retweeted
One day you burned your last CD
bohops retweeted
As y'all may have realized, I disappeared from the community for a little while as we fight the most difficult fight of our life. My wife Angela was diagnosed with stage 3 cancer. We need all the help we can get, please consider supporting our fight. givesendgo.com/anchors-for-a…
bohops retweeted
Notably, those approved by the current Cyber Verification Program aren’t included in this group. Bummer, I have some cool experiments to test it 😔
Replying to @claudeai
For a small group of cyber defenders and critical infrastructure providers, we are also launching Claude Mythos 5. Mythos 5 shares the same underlying model as Fable 5, but with the safeguards lifted in some areas.
bohops retweeted
Shipping v5 of LitterBox after way too many late nights. Real EDR in the loop now: drop an agent on your VM, fire payloads at it, alerts land back with full call stacks. Elastic Defend and Fibratus work. New UI, better performance. Notes in the release. github.com/BlackSnufkin/Litt…
For more than 20 years, I have supported MSRC, dating back to my time as a security researcher at eEye. I have spoken at conferences, defended their program & methods publicly, & shared examples and results of productive collaboration even when many, many researchers strongly disagreed with me. That history makes this especially difficult to say. The current treatment of security researchers is deeply disappointing. Trust between vendors & the research community is hard-earned & easily lost. Researchers are not the enemy. They are often the first line of defense for customers, helping identify and responsibly report issues before malicious actors can exploit them. Alienating these individuals carries real consequences for the security ecosystem as a whole. I've spent decades advocating for constructive engagement between Microsoft & the security community. What we all are seeing today falls short of the standards that built that relationship in the first place. I hope this message reaches the people who still remember why that relationship mattered. Not because researchers are asking for special treatment but because mutual respect, transparency & good-faith engagement have always produced better outcomes for everyone involved. Microsoft's relationship with the security community was once viewed as a model for the industry. I truly hope it can be again.
Good lord 🤮
Jun 5
It has never been about "safety" or "security". It's about compute. And the cost for that compute is coming to a frontier model near you soon.
Jun 4
Anthropic just proposed a global system to pause AI research to keep the world safe. They believe society isn't ready for how fast Claude and other AI is advancing and that putting a global speed limit on frontier research may one day be necessary.
bohops retweeted
Asked folks what they actually want from a SIEM. The answer: just make it work, and a little AI is fine. So I built nano, an open-core (AGPL), Rust on ClickHouse, fast search, a real detection lifecycle, 1-line install. Let me know what you think! nano.rs
bohops retweeted
Agents need better tools for reversing! I'm releasing declib (previously libbs), with a new CLI today that gives agents CLI access to 4 decompilers (IDA, Ghidra, Binja, angr), parity feature support to most MCP (12 features), and the ability to sync those changes across decs!
bohops retweeted
Very cool. Unwind data means we can stomp PIC over a DLL and get nice call stacks.
‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs." The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can. Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept. He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
bohops retweeted
OAIC's CFP is now open! The first conference dedicated to the cutting edge of the offensive use of AI is returning for its second year. Speakers will enjoy three nights at a four-star beachfront resort, which includes all meals and drinks, three exclusive parties, and a Michelin-star welcome dinner. Please see sessionize.com/offensive-ai-… for accepted topics.
Over the past several days, we have been listening to the conversation around coordinated disclosure and the relationship between security researchers and vendors. We recognize that this relationship is both critical and, at times, fragile. We deeply value the security community, and will continue to take your feedback seriously. To be clear about our approach to legal matters, we have no intention to pursue action against individuals conducting or publishing their security research. When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate. We recognize the work that goes into researching and submitting a vulnerability. We are committed to approaching every interaction with transparency, clear communication, and professionalism. We continue to believe strongly in Coordinated Vulnerability Disclosure as the foundation for protecting customers and improving our products. Each year we process a high volume of vulnerability reports. That volume continues to grow and will continue with the rise of AI-enabled research. We acknowledge that some interactions have fallen short and are working to learn from them. Many of us have experience on both sides of this work, as researchers reporting vulnerabilities and as responders triaging and assessing them. That perspective informs how we approach this feedback and the importance we place on getting it right, particularly as the volume and complexity of research continues to grow. The security community plays a vital role in helping us protect customers. We are committed to maintaining a constructive and respectful relationship and growing together. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.
Community note
This claim, however, comes after they threatened to take legal action against Nightmare Eclipse, a security researcher, over zero-day exploits. The security researcher was also banned on GitHub for their research and a consequent ban from GitLab as well. theverge.com/tech/940416/mi… tomshardware.com/tech-industry/…