The Fragile Lock: Novel Bypasses For SAML Authentication
#portswigger
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi
via PortSwigger Research
#portswigger
TLDR This post shows how to achieve a full authentication bypass in the Ruby and PHP SAML ecosystem by exploiting several parser-level inconsistencies: including attribute pollution, namespace confusi
via PortSwigger Research
Holy Shuck! Weaponizing NTLM Hashes as a Wordlist
#trustedsec
<p>Password reuse is common in Active Directory (AD). From an attacker’s perspective, it is a reliable path to lateral movement or privilege escalation. Most IT teams recognize the risk, but longer passwords and password…</p>
via TrustedSec Blog (author: Austin Coontz)
#trustedsec
<p>Password reuse is common in Active Directory (AD). From an attacker’s perspective, it is a reliable path to lateral movement or privilege escalation. Most IT teams recognize the risk, but longer passwords and password…</p>
via TrustedSec Blog (author: Austin Coontz)
Git SCOMmit – Putting the Ops in OpsMgr
#specterops
TL;DR Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom Intro As you may know, here at SpecterOps we have been big on SCCM. See https://specterops.io/blog/category/research/?s=sccm. But SCCM is only a part of the larger Microsoft System Center product suite. Among the suite’s other offerings is System Center Operations Manager, more commonly recognized by […]
via SpecterOps Blog (author: Zach Stein)
#specterops
TL;DR Yet another System Center Ludus configuration for your collection. https://github.com/Synzack/ludus_scom Intro As you may know, here at SpecterOps we have been big on SCCM. See https://specterops.io/blog/category/research/?s=sccm. But SCCM is only a part of the larger Microsoft System Center product suite. Among the suite’s other offerings is System Center Operations Manager, more commonly recognized by […]
via SpecterOps Blog (author: Zach Stein)
Linux Process Injection via Seccomp Notifier
#outflank
This post demonstrates the use of seccomp user notifications to inject a shared library into a Linux process. I haven’t seen this combination documented as a process injection technique before, and it has some benefits over alternatives. In summary, seccomp user notifications enable user-space injection from parent to child without any
1. Seccomp user notifications were introduced in Linux kernel version 5.0, but this PoC relies on
2. Requires you to create the target process (parent-to-child injection only).
3. The injected code runs with the same UID, namespaces, and LSM label as the target process.
via Outflank Blog (author: Kyle Avery)
#outflank
This post demonstrates the use of seccomp user notifications to inject a shared library into a Linux process. I haven’t seen this combination documented as a process injection technique before, and it has some benefits over alternatives. In summary, seccomp user notifications enable user-space injection from parent to child without any
LD_* environment variables or privileged capabilities, regardless of the ptrace_scope configuration. However, seccomp user notifications have some notable limitations:1. Seccomp user notifications were introduced in Linux kernel version 5.0, but this PoC relies on
SECCOMP_ADDFD_FLAG_SEND (Linux 5.14+) to avoid TOCTOU issues when hooking openat.2. Requires you to create the target process (parent-to-child injection only).
3. The injected code runs with the same UID, namespaces, and LSM label as the target process.
via Outflank Blog (author: Kyle Avery)
Operationalizing BloodHound Enterprise: Security automation with Tines
#specterops
BloodHound Enterprise gives you all the pieces you need: the data, the analysis, the visualizations. What we don’t dictate is how you put it all together. Your workflows, your tools, your SOC. This is the first post in our ‘Operationalizing BloodHound Enterprise’ series, showing practical ways to integrate BHE into your security operations. Theoretical risk […]
via SpecterOps BH Blog (author: Hugo van den Toorn)
#specterops
BloodHound Enterprise gives you all the pieces you need: the data, the analysis, the visualizations. What we don’t dictate is how you put it all together. Your workflows, your tools, your SOC. This is the first post in our ‘Operationalizing BloodHound Enterprise’ series, showing practical ways to integrate BHE into your security operations. Theoretical risk […]
via SpecterOps BH Blog (author: Hugo van den Toorn)
A Hacker Holiday Gift Guide: 2025 Edition
#bishopfox
Shopping for a hacker? Skip the gimmicks. Here are the tools, training, and books they actually want: Flipper Zero, Proxmark3, Shodan, HTB, and must-read vuln research picks, perfect for deal-season lab upgrades.
via BishopFox Blog
#bishopfox
Shopping for a hacker? Skip the gimmicks. Here are the tools, training, and books they actually want: Flipper Zero, Proxmark3, Shodan, HTB, and must-read vuln research picks, perfect for deal-season lab upgrades.
via BishopFox Blog
SCOMmand and Conquer – Attacking System Center Operations Manager (Part 1)
#specterops
TL:DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and ultimately compromise the entire management group and its monitored infrastructure. Intro At this point, I think it’s acceptable for me to just start each blog with a screenshot of Duane triggering me to look into […]
via SpecterOps Blog (author: Garrett Foster)
#specterops
TL:DR SCOM suffers from similar insecure default configurations as its SCCM counterpart, enabling attackers to escalate privileges, harvest credentials, and ultimately compromise the entire management group and its monitored infrastructure. Intro At this point, I think it’s acceptable for me to just start each blog with a screenshot of Duane triggering me to look into […]
via SpecterOps Blog (author: Garrett Foster)
SCOMmand And Conquer – Attacking System Center Operations Manager (Part 2)
#specterops
TL;DR: We found that SCOM RunAs credentials could be obtained on-host and also off-host in certain configurations and wrote a tool to help automate their recovery. To skip straight to the tool, go here https://github.com/breakfix/SharpSCOM Introduction In our previous blog post, we demonstrated a series of attacks focused on attacking the SCOM server directly. Specifically, […]
via SpecterOps Blog (author: Matt Johnson)
#specterops
TL;DR: We found that SCOM RunAs credentials could be obtained on-host and also off-host in certain configurations and wrote a tool to help automate their recovery. To skip straight to the tool, go here https://github.com/breakfix/SharpSCOM Introduction In our previous blog post, we demonstrated a series of attacks focused on attacking the SCOM server directly. Specifically, […]
via SpecterOps Blog (author: Matt Johnson)
DAST without disruption: Burp Suite DAST winter update 2025
#portswigger
AppSec teams are under constant pressure to secure fast-moving applications without slowing anything down. But scanning windows, fragile authentication, and sprawling API estates often get in the way
via PortSwigger Blog
#portswigger
AppSec teams are under constant pressure to secure fast-moving applications without slowing anything down. But scanning windows, fragile authentication, and sprawling API estates often get in the way
via PortSwigger Blog
Azure Seamless SSO: When Cookie Theft Doesn’t Cut It
#specterops
TL;DR The cookie crumbled when it expired, but the attack path didn’t. Learn how BloodHound graph analysis and Azure Seamless SSO enabled pivoting into the cloud. There’s nothing worse than stealing some cookies, just to find out they’ve gone bad and expired. However, that doesn’t mean lateral movement into the cloud is off the table. […]
via SpecterOps Blog (author: Andrew Gomez)
#specterops
TL;DR The cookie crumbled when it expired, but the attack path didn’t. Learn how BloodHound graph analysis and Azure Seamless SSO enabled pivoting into the cloud. There’s nothing worse than stealing some cookies, just to find out they’ve gone bad and expired. However, that doesn’t mean lateral movement into the cloud is off the table. […]
via SpecterOps Blog (author: Andrew Gomez)
Burp On Tour 2025: bringing the AppSec community together around the world
#portswigger
In 2025, we set out with a simple mission: take Burp Suite on the road and meet the global AppSec community where you are. Burp On Tour was born from our desire to learn from you; the brilliant people
via PortSwigger Blog
#portswigger
In 2025, we set out with a simple mission: take Burp Suite on the road and meet the global AppSec community where you are. Burp On Tour was born from our desire to learn from you; the brilliant people
via PortSwigger Blog
ActivID administrator account takeover : the story behind HID-PSA-2025-002
#synacktiv
via Synacktiv Blog (author: Vincent Herbulot)
#synacktiv
via Synacktiv Blog (author: Vincent Herbulot)
Top 10 Blogs of 2025
#trustedsec
Everyone has a year-end list, and this is ours. See what our top-performing cybersecurity blogs were in 2025, there could be some you might have missed!
via TrustedSec Blog
#trustedsec
Everyone has a year-end list, and this is ours. See what our top-performing cybersecurity blogs were in 2025, there could be some you might have missed!
via TrustedSec Blog
MITRE AADAPT Framework as a Red Team Roadmap
#bishopfox
MITRE’s AADAPT framework exposes how attackers target digital-asset systems but the real value comes from testing those threats. Learn how red teaming turns AADAPT into evidence-driven detection, stronger controls, and measurable protection against economic loss.
via BishopFox Blog
#bishopfox
MITRE’s AADAPT framework exposes how attackers target digital-asset systems but the real value comes from testing those threats. Learn how red teaming turns AADAPT into evidence-driven detection, stronger controls, and measurable protection against economic loss.
via BishopFox Blog
Limiting Domain Controller Attack Surface: Why Less Services, Less Software, Less Agents = Less Exposure
#trustedsec
<p>Before we dive in, let’s get all the TrustedSec Certified Absolutes out of the way:All software presents some level of inherent risk.Only required software that cannot live on other systems should be installed on Domain…</p>
via TrustedSec Blog (author: Scott Blake)
#trustedsec
<p>Before we dive in, let’s get all the TrustedSec Certified Absolutes out of the way:All software presents some level of inherent risk.Only required software that cannot live on other systems should be installed on Domain…</p>
via TrustedSec Blog (author: Scott Blake)
Me, Myself and AI: Internal Experiments with the CS REST API
#cobaltstrike
This blog is all about experimenting and having fun with the new CS REST API and the generative AI ecosystem. We’ll demonstrate how we used Claude Desktop and its Model Context Protocol (MCP) integration to automate and orchestrate attacks through the CS REST API. We will also share the following internal (vibe-coded) experiments, intended to [...]
via Cobalt Strike Blog (author: Pablo A. Zurro)
#cobaltstrike
This blog is all about experimenting and having fun with the new CS REST API and the generative AI ecosystem. We’ll demonstrate how we used Claude Desktop and its Model Context Protocol (MCP) integration to automate and orchestrate attacks through the CS REST API. We will also share the following internal (vibe-coded) experiments, intended to [...]
via Cobalt Strike Blog (author: Pablo A. Zurro)
Livewire : exécution de commandes à distance via unmarshaling
#synacktiv
via Synacktiv Blog (author: Rémi Matasse)
#synacktiv
via Synacktiv Blog (author: Rémi Matasse)
Mapping Deception with BloodHound OpenGraph
#specterops
TL;DR As defensive postures continue to mature, deception technologies provide organizations the opportunity to harden defenses and take a more proactive approach in securing their environment. In large enterprises, it can be difficult to determine where and how to deploy effective deception techniques which are discoverable and believable for attackers. By utilizing OpenGraph, we can […]
via SpecterOps BH Blog (author: Ben Schroeder)
#specterops
TL;DR As defensive postures continue to mature, deception technologies provide organizations the opportunity to harden defenses and take a more proactive approach in securing their environment. In large enterprises, it can be difficult to determine where and how to deploy effective deception techniques which are discoverable and believable for attackers. By utilizing OpenGraph, we can […]
via SpecterOps BH Blog (author: Ben Schroeder)
Bishop Fox Wrapped: Research Worth Replaying
#bishopfox
This is Bishop Fox Wrapped. A snapshot of the research, blogs, virtual sessions, and tools that security teams kept coming back to, and what that tells us about what they needed this year.
via BishopFox Blog
#bishopfox
This is Bishop Fox Wrapped. A snapshot of the research, blogs, virtual sessions, and tools that security teams kept coming back to, and what that tells us about what they needed this year.
via BishopFox Blog