Joined January 2010
- Tweets 1,325
- Following 1,051
- Followers 5,341
- Likes 1,357
25 Photos and videos
Pinned Tweet
8 Aug 2023
my latest post on abusing DES using Kerberos, I've not updated my RoastInTheMiddle tool yet but I'll be doing that shortly, enjoy:
exploit.ph/des-is-useful.htm…
5
128
223
39,497
Charlie Clark retweeted
25 Sep 2025
This release is probably going to be one of our biggest and most impactful! Kudos to the team @peterwintrsmith @modexpblog @s4ntiago_p @GigelV41464 @saab_sec 🙌
25 Sep 2025
We're really bringing the 🔥 with our next Nighthawk release - Janus - nighthawkc2.io/janus/
3
13
99
15,733
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-global…
138
903
3,186
475,264
Happy to finally share a new blog with @exploitph on our work revisiting the Kerberos Diamond Ticket.
✅ /opsec for a more genuine flow
✅ /ldap to populate the PAC
🆕 Forge a diamond service ticket using an ST
We finally gave it a proper cut 💎
huntress.com/blog/recutting-…
61
143
40,659
Charlie Clark retweeted
6 Jun 2025
Have you ever wondered if there was a way to deploy a "Remote EDR"? Today I'm excited to share research I've been working on for the past couple months.
This dives into DCOM Interfaces that enable remote ETW trace sessions without dropping an agent to disk.
Includes a detailed write-up: jonny-johnson.medium.com/no-…
And a new GitHub project "JonMon-Lite": github.com/jonny-jhnson/JonM…
15
127
373
53,390
Charlie Clark retweeted
10 May 2025
My #SOCON2025 talk is now live for those interested in credential guard research. youtu.be/9U_7u849yQQ?feature…
2
37
112
16,600
17 Feb 2025
fwiw, you can speed up cracking RC4 kerberoast tickets by requesting the ticket from the AS without a PAC
2
7
59
3,667
Charlie Clark retweeted
2 Nov 2024
Mine and @_dirkjan's @defcon talk, Abusing Windows Hello Without a Severed Hand went live yesterday. We discuss both privileged and unprivileged Windows Hello abuse. Hope you all enjoy it. youtu.be/mFJ-NUnFBac?feature…
2
87
254
23,495
Charlie Clark retweeted
9 May 2024
Spent some time updating the TelemetrySource project.
- Updated mappings for the Threat-Intelligence provider
- Added a folder for the Threat-Intelligence provider added a README
A lot more updates coming soon!
Project link: github.com/jsecurity101/Tele…
8
37
8,272
Charlie Clark retweeted
12 Apr 2024
Happy Friday! I have gotten a lot of questions around ETW Patching as of late. I decided to write a blog on understanding ETW Patching, check it out!
jsecurity101.medium.com/unde…
4
56
146
16,195
Wow did not have “be in a book” for my 2024 🤯🤩 Thank you Denis Isakov!
Thank you @exploitph for always including me in the journey of Kerberos with you 💜!
1
2
28
4,565
Charlie Clark retweeted
18 Dec 2023
Today I am releasing PowerParse. This is a PE Parser I've created that has helped me in the past perform initial triage on malware. I'll provide some examples in the threads below.
Link: github.com/jsecurity101/Powe…
1/x
9
79
206
35,601
Charlie Clark retweeted
4 Dec 2023
Today I am releasing a whitepaper and new tool (ADOKit) as part of my @XForce research I will be presenting at @BlackHatEvents #BHEU on Wednesday. Links are below 🔗
Whitepaper:
ibm.com/downloads/cas/5JKAPV…
Tool:
github.com/xforcered/ADOKit
9
126
276
40,465
Charlie Clark retweeted
22 Nov 2023
Working on a new tool that will be ready soon. One thing I can say from the research.... if your environment leverages Windows Hello without TPM's, DO NOT allow the default setting of a digit only based pin. Windows stores the pin length and can be brute forced in seconds.
9
96
406
62,949
6 Nov 2023
While I'm at it, I've published the PoC tool used in @4ndr3w6S, @jsecurity101 and my post:
trustedsec.com/blog/the-clie…
It's just a quick PoC but maybe someone will find it interesting:
github.com/0xe7/EventSniper
29
90
12,267
6 Nov 2023
Finally updated my RitM tool with the DES TGT session roasting code if anyone is interested.
Reminder, this isn't intended to be attack-ready code!
github.com/0xe7/RoastInTheMi…
The attack is described in detail in my DES post (currently pinned to my profile).
14
35
4,895
Charlie Clark retweeted
31 Oct 2023
Like the opsec of NightHawk but missing Aggressor-like scripting functionality? Check out DayBird, an extension I built for NightHawk to allow for automation of operator workflows and initial check-in actions via C# plugins.
b:securityintelligence.com/x-f…
gh:github.com/xforcered/DayBird
8
54
140
42,651
Happy to finally share our slide
deck/demo videos from our @texascyber talk, “You DISliked DCSync? Wait For NetSync!”
Thank you x3000 to @MindsEyeCCF, for help with the fantastic slides, & my co-presenter/friend/mentor/research partner @exploitph 🤗
github.com/4ndr3w6/Presentat…
8
70
176
29,480
Charlie Clark retweeted
12 Oct 2023
Continuing with Part 1- @4ndr3w6S and I take a look at the remainder of the attributes on the Hacker Recipies chart. Take a look! And get ready for Part 2! This is a series after all 😎
11 Oct 2023
Part 1B of our new #blog series by @mega_spl0it and @4ndr3W6S is out now! Continue diving into Active Directory (AD) attribute-based detections as they complete stepping through the Hacker Recipes flow chart to identify where an adversary may be hiding.
hubs.la/Q0256Z7V0
3
7
2,021
Charlie Clark retweeted
13 Oct 2023
Continuing on our deep exploration of DACL abuse based detections, @4ndr3w6S and I take a look at object abuses with PowerMad.
Remember, just because it may be banal, doesn't mean it doesn't have value! Many common attributes are great environmental baselineing tools!
12 Oct 2023
In Part 2 of our new #blog series by @mega_spl0it and @4ndr3W6S, they build detections for additional attributes, this time focusing on those that can be modified using the #PowerMad tool. Read it now! hubs.ly/Q025hFdr0
2
7
1,838
Charlie Clark retweeted
17 Oct 2023
Part 3 is out!! @4ndr3w6S and I cover several attributes that are, in our opinion, lesser known. However, some of these had some incredibly interesting attacks/detections. Check it out!
And thanks for joining us on this journey! 😁
17 Oct 2023
In the third and final installment of our #blog series by @mega_spl0it @4ndr3W6S DACL-based detections are built, identifying attacks that focus on obscure or lesser-known AD Attributes that fall outside of the scope of Parts 1 and 2. Read it now! hubs.la/Q025N0lk0
4
7
1,662