😈 [ Ilan Kalendarov @IKalendarov ]
My team has found another CVE!
This time on Windows, it's an NTLM credential leakage vulnerability that bypasses Microsoft's patch for CVE-2025-24054
🔗 https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/
🐥 [ tweet ]
😈 [ eversinc33 🤍🔪⋆。˚ ⋆ @eversinc33 ]
As a little follow-up, I wrote a small blog post/tutorial on how to reverse engineer Windows drivers with IDA - this is aimed at people who have never touched drivers before and covers IOCTL codes, IRPs and some IDA shenanigans with unions.
Enjoy :3
🔗 https://eversinc33.com/posts/driver-reversing.html
🐥 [ tweet ]
😈 [ Smukx.E @5mukx ]
Mega Malware Analysis Tutorial Featuring Donut
🔗 https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/Mega-Malware-Analysis-Tutorial-Featuring-Donut.pdf
TL;DR The purpose of this blog post is to walk our readers, particularly those who are just stepping into the realm of malware analysis, through our process of analyzing a unique .NET PE malware that loads.
🐥 [ tweet ]
😈 [ Steven @0xthirteen ]
I wanted to find out if you could start the WebClient service remotely, so I ended up digging into it:
🔗 https://specterops.io/blog/2025/08/19/will-webclient-start/
🐥 [ tweet ]
😈 [ Daniel @0x64616e ]
I stumbled upon this tweet and dug a bit deeper into the internals of ksetup.exe:
🔗 https://pentest.party/posts/2025/ksetup-machine-password/
When you are local admin and need machine account credentials this could be a viable alternative to the good old LSA dump.
🐥 [ tweet ][ quote ]
😈 [ Two Seven One Three @TwoSevenOneT ]
"clipup.exe" in System32 is very powerful. It can destroy the executable file of the EDR service 😉 Experimenting with overwriting the MsMpEng.exe file.
Proactively creating processes with Protected Process Light (PPL) protection will give you more opportunities to abuse these processes. Detailed article:
🔗 https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html
🐥 [ tweet ]
😈 [ spencer @techspence ]
A quick and easy way to find services with unquoted service paths is to open up PowerShell and run the following:
Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName
🐥 [ tweet ]
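The one-liner above is cut off in the export, so here is an added example (not the tweet author's code) that does the same enumeration and goes one step further: for each unquoted image path it lists the file names Windows probes before reaching the real executable, and flags the candidate directories the current user can write to, which is the condition that actually makes an unquoted path exploitable. The ACL check is an approximation (it only looks at Allow ACEs for the current identity and its groups); confirm hits with `icacls` before relying on them.

```powershell
# Added example, not the tweet author's code: find unquoted service image paths,
# list the executables Windows would probe before the real one, and flag any of
# those directories the current user can write to (the actual hijack condition).

function Get-ServiceImagePath {
    # Return the executable part of a service PathName, stripping any arguments:
    # 'C:\x y\svc.exe -arg' -> 'C:\x y\svc.exe'
    param([string]$PathName)
    $p = $PathName.Trim()
    if ($p -match '^(?<exe>.*?\.exe)') { return $Matches['exe'] }
    return $p
}

function Get-UnquotedPathCandidate {
    # For an unquoted path containing spaces, return the file names CreateProcess
    # tries before the intended one:
    # 'C:\Program Files\Foo Bar\svc.exe' -> 'C:\Program.exe', 'C:\Program Files\Foo.exe'
    param([string]$ImagePath)
    $parts = $ImagePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
}

function Test-WritableDirectory {
    # Approximate check: any Allow ACE granting CreateFiles/WriteData to the current
    # user or one of its groups. Deny ACEs are ignored, so confirm with icacls.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($id.User) + @($id.Groups)
    $write = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable account, skip it
        if (($sids -contains $sid) -and (($ace.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # Same filter as the tweet (enabled services running as LocalSystem), plus the
    # candidate-path and writability analysis.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.StartMode -ne 'Disabled' -and $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            $raw = $_.PathName.Trim()
            if ($raw.StartsWith('"')) { return }                 # properly quoted, skip
            $image = Get-ServiceImagePath -PathName $raw
            if ($image -notmatch ' ') { return }                 # no space in the path, nothing to hijack
            $candidates = @(Get-UnquotedPathCandidate -ImagePath $image)
            $writable   = $candidates | Where-Object { Test-WritableDirectory (Split-Path -Parent $_) }
            [pscustomobject]@{
                Name        = $_.Name
                StartMode   = $_.StartMode
                ImagePath   = $image
                Candidates  = $candidates
                WritableHit = @($writable)
            }
        }
}

# Usage: list every unquoted path, then only the ones with a writable candidate directory.
Get-UnquotedServicePath | Format-Table Name, StartMode, ImagePath -AutoSize
Get-UnquotedServicePath | Where-Object { $_.WritableHit.Count -gt 0 } | Format-List
```

`Get-CimInstance` is used instead of the deprecated `Get-WmiObject`, but the `Win32_Service` properties are the same. A service that appears in the first table but has an empty `WritableHit` is a finding for the vendor, not a local privilege escalation; only the second listing is exploitable as-is.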
😈 [ SpecterOps @SpecterOps ]
Cookie theft has evolved 🍪
Over the last year, stealing cookies on Windows devices has changed significantly for Chromium browsers like Chrome and Edge. Andrew Gomez dives into these changes, how threat actors adapt, & new detection opportunities.
🔗 https://specterops.io/blog/2025/08/27/dough-no-revisiting-cookie-theft/
🐥 [ tweet ]
😈 [ Yuval Gordon @YuG0rd ]
BadSuccessor is dead… or is it?
The patch for CVE-2025-53779 fixed the priv-esc. While no longer a vulnerability, the tactic still applies in certain scenarios.
Defenders should be aware of it.
Details:
🔗 https://www.akamai.com/blog/security-research/badsuccessor-is-dead-analyzing-badsuccessor-patch
🐥 [ tweet ]
😈 [ Tijme Gommers @tijme ]
Exciting times. I'm publishing Dittobytes today after presenting it at @OrangeCon_nl !
Dittobytes is a true metamorphic cross-compiler aimed at evasion. Use Dittobytes to compile your malware. Each compilation produces unique, functional shellcode.
🔗 https://github.com/tijme/dittobytes
🐥 [ tweet ]
😈 [ Kurosh Dabbagh @_Kudaes_ ]
I just released MFTool, an NTFS parser that builds an in-memory map of a volume, allowing you to:
- Read any file without opening a handle
- Get the contents of locked/deleted files (registry hives, pagefile.sys, etc)
- Perform fast, in-memory searches across the entire disk
Although direct access to disk is not new at all, especially when it comes to forensics, I think this approach could be useful in a number of contexts during a RT engagement.
🔗 https://github.com/Kudaes/MFTool
🐥 [ tweet ]
😈 [ Unit 42 @Unit42_Intel ]
We discuss an uptick in use of the relatively unknown AdaptixC2, an open-source C2 framework, by attackers. Our research details its functionality, configuration as well as observed deployment techniques, including novel AI-assisted methods.
🔗 https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/
🐥 [ tweet ]
😈 [ @zephrfish.yxz.red @ZephrFish ]
Made a thing, mucking about with python and a LDAP browser concept to ingest straight into BloodHound, simple LDAP browser using PyQt as a GUI and neo4j-driver to ingest into BH.
🔗 https://github.com/ZephrFish/pyLDAPGui
🐥 [ tweet ]
😈 [ kr0tt @_kr0tt ]
Wrote a blog about creating an early exception handler for hooking and threadless process injection without relying on VEH or SEH.
You can definitely use it for more than what is described in the post, enjoy :)
🔗 https://kr0tt.github.io/posts/early-exception-handling/
🐥 [ tweet ]
😈 [ Dirk-jan @_dirkjan ]
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:
🔗 https://dirkjanm.io/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens/
🐥 [ tweet ]