Just me!
Joined March 2013
- Tweets 590
- Following 131
- Followers 108
- Likes 618
8 Photos and videos
@cookietheft@ioc.exchange retweeted
Apr 25
@cookieTheft and I have been accepted to speak at Troopers this yearđ
Hope you all are eager to learn a thing or two about ADCS and ESC17. See you there!
More talks for the @WEareTROOPERS #TROOPERS26 AD & Entra ID Security Track accepted, featuring @kidtronnix, @LeGuideDuSecOps, @_dirkjan, @DrAzureAD, @al3x_n3ff & others
linkedin.com/feed/update/urnâŠ
1
4
44
3,898
@cookietheft@ioc.exchange retweeted
Jan 5
âSo WSUS with HTTPS is secure, you said? đâ
Turns out⊠not really.
According to the excellent research by Alexander Neff and Phil KnĂŒfer in âUsing ADCS to Attack HTTPSâEnabled WSUS Clients,â a misconfigured ADCS environment can completely undermine HTTPSâprotected WSUS.
They demonstrate how overly permissive certificate templatesâespecially those allowing userâdefined subject names and limited to the Server Authentication EKUâlet an attacker obtain a trusted certificate and impersonate a WSUS server. Combine that with classic WSUS interception techniques, and suddenly you can push malicious updates that run with full admin privileges on Windows clients, all while the traffic looks perfectly valid and encrypted.
From a defenderâs point of view, the big question becomes:
How do you detect if your WSUS clients have been talking to a hijacked WSUS server? đ
Good news: it is detectableâand hereâs the KQL to help you spot it.
#Cyberesecurity #WSUSHiJackAttack
3
45
216
16,430
We did a thing
Jan 4
Using ADCS to Attack HTTPS-Enabled WSUS Clients:
@cookieTheft and I have extended the research by @Coontzy1 on WSUS attacks and explored how to leverage misconfigured ADCS templates to gain code execution on HTTPS-enabled WSUS clients.
1/2đ§”
ALT So WSUS with HTTPS is secure u said?
1
1
4
581
@cookietheft@ioc.exchange retweeted
15 Nov 2025
This key takeaways from this report:
- Agentic AI lowers the bar for cyber attacks (we knew this)
- Dramatically increases scale (we knew this)
- without a human in the loop, success rate is low (we knew this)
The report itself leaves a lot to be desired from a technical aspect , I caution reporters to not read too deeply into the conclusions.
If youâre an org, standard defense in depth still applies here as defense against these AI assisted attacks.
13 Nov 2025
We disrupted a highly sophisticated AI-led espionage campaign.
The attack targeted large tech companies, financial institutions, chemical manufacturing companies, and government agencies. We assess with high confidence that the threat actor was a Chinese state-sponsored group.
2
12
47
10,858
@cookietheft@ioc.exchange retweeted
30 Oct 2025
I have released an OpenGraph collector for network shares and my first blogpost at @SpecterOps on the subject!
You can now visualize attack paths to network shares in BloodHound đ
specterops.io/blog/2025/10/3âŠ
4
97
232
26,178
@cookietheft@ioc.exchange retweeted
30 Oct 2025
''Abusing sAMAccountName Hijacking in GPP: Local Users and Groups - Cogiceo''
#infosec #pentest #redteam #blueteam
cogiceo.com/en/whitepaper_gpâŠ
4
7
1,917
@cookietheft@ioc.exchange retweeted
28 Oct 2025
Raw NTFS parsing for SAM/SYSTEM/NTDS.dit access?
github.com/kfallahi/UnderlayâŠ
400 lines Powershell - easy peasy â€ïžđ„
4
87
319
34,987
@cookietheft@ioc.exchange retweeted
8 Sep 2025
Until now, if you lost or broke your phone, your Signal message history was *gone,* a real challenge for everyone whose most important conversations happen in Signal. So, with careful design and development, weâre rolling out opt-in secure backups.
signal.org/blog/introducing-âŠ
Secure backups will let you save an archive of your Signal messages remotely in privacy-preserving form, refreshed every day.
Now available in the latest Android beta release, rolling out to iOS and Desktop in the near future.
134
315
2,105
410,531
@cookietheft@ioc.exchange retweeted
13 Aug 2025
44
251
1,345
86,234
@cookietheft@ioc.exchange retweeted
7 Jul 2025
Opening a new chapter đ
From tinkering with old systems to giving talks at @BlackHatEvents, itâs been a wild ride.
I am thrilled to share that Iâm joining @SpecterOps as a Senior Security Researcher! Time to go full-time into deep technical security researchđ„°
18
12
145
6,826
@cookietheft@ioc.exchange retweeted
26 Jun 2025
An attacker on your network is indistinctable from IT admins. As long as this is true, attackers win. (Loosely borrowing Lambertâs list/graph quote.
Solution: tiering and clean source
25 Jun 2025
Thatâs essentially my thesis on pentesting and low skill TA behaviors. Using known good/admin/defensive tools.
3
11
42
6,390
@cookietheft@ioc.exchange retweeted
22 Jun 2025
Releasing a side project of mine: wsuks - automating the WSUS mitm attackđ„
github.com/NeffIsBack/wsuks
TL;DR:
If the Windows Server Update Service (WSUS) is configured to use HTTP instead of HTTPS, it's possible to take control of any Windows machine on your local network.
1/4đ§”
5
150
486
33,246
@cookietheft@ioc.exchange retweeted
17 Jun 2025
Use Signal.
We promise, no AI clutter, no surveillance adsâwhatever the rest of the industry does.
We lead we donât followâ€ïž
ALT Image of a screenshot of news headline, saying, "WhatsApp is getting ads using personal data from Instagram and Facebook Forced Consent & Consent Bypass / 16 June 2025 Meta announced today that it also wants to introduce ads on WhatsApp, which will be based on personal data from Facebook and Instagram. This further integrates WhatsApp into other Meta services - an originally independent app, which initially was available for just $1 per year without ads or data usage. This also means that Meta is consolidating its social networking monopoly. EU law was actually supposed to prevent this."
152
611
3,246
304,884
2
3
16
5,862
@cookietheft@ioc.exchange retweeted
15 May 2025
The feature rundown of the NetExec v1.4.0 release is now live on our wiki: netexec.wiki/news/v1.4.0-smoâŠ
Give them a read, there are so many great new features!
Kali has updated NetExec to v1.4.0, so all the new changes are also available via aptđ
13 Apr 2025
NetExec v1.4.0 has been released! đ
There is a HUGE number of new features and improvements, including:
- backup_operator: Automatic priv esc for backup operators
- Certificate authentication
- NFS escape to root file system
And much more!
Full rundown:
github.com/Pennyw0rth/NetExeâŠ
ALT NetExec release v1.4.0
5
60
180
11,761
@cookietheft@ioc.exchange retweeted
15 May 2025
16
127
298
37,091
@cookietheft@ioc.exchange retweeted
4 May 2025
A new module has been merged into NetExec: change-passwordđ„
Accounts with STATUS_PASSWORD_EXPIRED aren't a problem anymore, just reset their password.
You can also abuse ForceChangePassword to reset another user's password.
Made by @kriyosthearcane, @mehmetcanterman and me
ALT Abuse ForceChangePassword or reset your own password when encountering STATUS_PASSWORD_MUST_CHANGE
3
117
406
21,385
@cookietheft@ioc.exchange retweeted
14 Apr 2025
You have got a valid NTLM relay but SMB and LDAP are signed, LDAPS has got Channel Binding and ESC8 is not available... What about WinRMS ? :D
Blogpost: sensepost.com/blog/2025/is-tâŠ
Tool: github.com/fortra/impacket/pâŠ
And also, big thanks to jmk (Joe Mondloch) for the collab' :D!
9
203
596
30,486
@cookietheft@ioc.exchange retweeted
18 Mar 2025
Together with @pavelfor, we have created the ultimate guide and tooling for configuring host-based firewalls on #ActiveDirectory domain controllers in enterprise environments. Blocks most remote command execution and authentication coercion techniques.
firewall.dsinternals.com
ALT Configuring Windows Firewall Group Policy settings using a JSON file in Visual Studio Code with code completion. We took the infrastructure-as-code approach.
ALT Screenshot from GPO results.
ALT Screenshot from a PowerShell script showing a list of dropped packets from the event log.
7
71
231
19,690