Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ Rtl Dallas @RtlDallas ]

New update for Draugr! 🙂

Now supports indirect syscalls with a synthetic stack frame. I’ve removed Draugr-Strike and replaced it with Cobalt Strike's process injection kit (Thread Spoof or Early Bird) using indirect syscalls and a synthetic stack frame.

🔗 https://github.com/NtDallas/Draugr

🐥 [ tweet ]
😁2
😈 [ 0SKR @saab_sec ]

Blog Alert

🔴 Introducing a thread hijacking TTP variant called Phantom Call.
🔴 Discussion of the effect of stack alignment on SIMD instructions/registers.
🔴 In-depth analysis of the Win32 API RtlRemoteCall
🔴 Weaponizing RtlRemoteCall

🔗 https://sabotagesec.com/thread-hijacking-iceberg-deep-dive-into-phantom-call-rtlremotecall/

🐥 [ tweet ]
🔥7👍4🤯4
Peace, Labour, May and PHDays 2025 (22–24 May)

The upcoming PHDays will be special: on top of all the standard goodies in the form of talks, the bar and networking with colleagues, you'll get a portion of hardcore-style material for the Offense track, where we (a.k.a. 🟥SWARM) will be talking about the hard topics of offensive cybersecurity. Responsibly disclosed zero-days, non-public TTPs of advanced attackers, APT-grade tooling, real cases from engagements that are impossible to keep quiet about, and much more.

Otherwise, the classics:

🤖 Forum and festival in the cyber city

🗡 Cyberbattle (a.k.a. Standoff 15)

🔭 Popular science and art

👨‍🎓 Practicals and workshops

And, of course, the most important thing: the battle cry for the CFP is right 🔜 here 🔙
🔥41👍12🍌11🥱9😢2
😈 [ S3cur3Th1sSh1t @ShitSecure ]

Bypass AMSI in 2025, my newest blog post is published 🥳! A review on what changed over the last years and what's still efficient today.

🔗 https://en.r-tec.net/r-tec-blog-bypass-amsi-in-2025.html

🐥 [ tweet ]
🔥19
😈 [ Synacktiv @Synacktiv ]

In our latest article, @croco_byte and @SScaum demonstrate a trick that makes Windows SMB clients fall back to WebDAV HTTP authentication, enhancing the NTLM and Kerberos relaying capabilities of multicast poisoning attacks!

🔗 https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-multicast-poisoning-to-the-next-level-tricking

🐥 [ tweet ]
👍7🥱3
😈 [ T3nb3w @T3nb3w ]

🚀 New Blog & PoC: Abusing IDispatch for COM Object Access & PPL Injection

Leveraging STDFONT via IDispatch to inject into PPL processes & access LSASS. Inspired by James Forshaw's research!

Blog:
🔗 https://mohamed-fakroud.gitbook.io/red-teamings-dojo/abusing-idispatch-for-trapped-com-object-access-and-injecting-into-ppl-processes

Code:
🔗 https://github.com/T3nb3w/ComDotNetExploit

Original:
🔗 https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html

🐥 [ tweet ]
🤯5🥱3
😈 [ Mayfly @M4yFly ]

New Active Directory Mindmap v2025.03! 🚀

📖 Readable version:

🔗 https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.noscript

🔧 Now fully generated from markdown files — way easier to update and maintain!

💡 Got improvements? PRs welcome! 👇

🔗 https://github.com/Orange-Cyberdefense/ocd-mindmaps/tree/main/excalimap/mindmap/ad

🐥 [ tweet ]
🔥23👍9🥱2
😈 [ TrustedSec @TrustedSec ]

A Red Team engagement is a serious commitment for any org that wants to improve its security posture. In our new blog, @curi0usJack breaks down some goals of a Red Team engagement so that you can better measure its success. Read it now!

🔗 https://trustedsec.com/blog/measuring-the-success-of-your-adversary-simulations

🐥 [ tweet ]
🔥6🥱6🤔1
😈 [ 📔 Michael Grafnetter @MGrafnetter ]

New Indicator of Compromise (IoC) by the NTLM Relay Attack with Shadow Credentials, thanks to bugs in Impacket, a popular Python implementation. Will probably be fixed in the near future.

🔗 https://www.dsinternals.com/en/indicator-of-compromise-shadow-credentials-ntlm-relay-impacket/

🐥 [ tweet ]
👍5
😈 [ MrAle98 @MrAle_98 ]

Hey there,

Finally published the article on the CVE-2025-21333-POC exploit.

Here's the link to the article:

🔗 https://medium.com/@ale18109800/cve-2025-21333-windows-heap-based-buffer-overflow-analysis-d1b597ae4bae

🐥 [ tweet ]
🔥8
😈 [ Oddvar Moe @Oddvarmoe ]

TIL, the attribute userWorkstations is still in play in modern Windows 🤯

If you set the attribute on a user to something random, the user cannot log in to the computers anymore. Need privs to adjust, but I can see potential when you want to lock someone out for a while

🐥 [ tweet ]
👍15😁4🤔4
😈 [ c0rnbread @0xC0rnbread ]

Today I'm releasing Xenon, a custom Mythic agent for Windows targets written in C.

Notable features include:
📁 Modular command/code inclusion
🦠 Malleable C2 Profile support
🪨 Compatible with Cobalt Strike BOFs

🔗 https://github.com/MythicAgents/Xenon

Blog series:
🔗 https://c0rnbread.com/creating-mythic-c2-agent-part1/

🐥 [ tweet ]
👍6
😈 [ Andrea Pierini @decoder_it ]

KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)

🔗 https://github.com/decoder-it/KrbRelayEx-RPC

🐥 [ tweet ]
🔥10🥱1
😈 [ Thomas Seigneuret @_zblurx ]

Fear no more for LDAP Signing and Channel binding with Impacket based tools 😎

🔗 https://github.com/fortra/impacket/pull/1919

🐥 [ tweet ]
🤔3👍2😁2
😈 [ 5pider @C5pider ]

Spent some time rewriting Stardust to be more minimalist and easier to use! I needed a generic minimal shellcode template that works for both x86 and x64 out of the box, so I rewrote Stardust to do so.

It is now written in C++20 and utilizes some of its language features. The template can be used to easily write shellcode fast in a more modern and less painful way.
The project can be compiled in release or debug mode, whereas debug mode will just allow the use of DBG_PRINTF, which calls DbgPrint under the hood to print out strings to the currently attached debugger.

There are more things I have added, so consider checking it out. I removed global variable access since I no longer use it nor require it (went for a diff design heh). If you still need that feature, I would recommend switching to the "globals-support" branch, where the old version is hosted.

🔗 https://github.com/Cracked5pider/Stardust

🐥 [ tweet ]
👍2
😈 [ Bobby Cooke @0xBoku ]

Loki C2 blog drop! Thank you for all those who helped and all the support from the community. Big shoutout to @d_tranman and @chompie1337 for all their contributions to Loki C2! @IBM @IBMSecurity @XForce

🔗 https://securityintelligence.com/x-force/bypassing-windows-defender-application-control-loki-c2/

🐥 [ tweet ]
👍5
FYI, this year we are partnering with three charitable foundations, «Подари Жизнь» ("Gift of Life"), «Улица Мира» ("Peace Street") and «Старость в радость» ("Joyful Old Age"), and all proceeds from ticket sales go to charity.

A pass to the closed part of the fest 🟰 a donation of 1.5k or more:
🔗 https://phdays.com/ru/
🔥8👍5🥱4
😈 [ NetSPI @NetSPI ]

Beacon Object Files (BOFs) in C2 platforms limit developers.

Read NetSPI's blog post to explore a reference design for a new BOF portable executable (PE) concept that bridges the gap between modern C++ development and memory-executable C2 integration.

🔗 https://www.netspi.com/blog/technical-blog/network-pentesting/the-future-of-beacon-object-files/

🐥 [ tweet ]
😈 [ Daniel @0x64616e ]

You can relay a user to LDAP that has WriteDacl/GenericAll on a valuable object but you can't use ShadowCredentials? Fear no more! You can now use "gain_fullcontrol" in ntlmrelayx ldapshell to give your account control over that object.

🔗 https://github.com/fortra/impacket/pull/1927

🐥 [ tweet ]
👍6🔥3