RedTeam feed – Telegram
RedTeam blogposts and articles collection
Helpful Hints for Writing (and Editing) Cybersecurity Reports
#trustedsec

When it comes to reading (and editing) (and proofreading) technical documents, it's important to remember that the details are key, and can make all the difference. Not all readers of technical documents have technical…

via TrustedSec Blog (author: Julie Daymut)
Taming the Attack Graph: A Many Subgraphs Approach to Attack Path Analysis
#specterops

TL;DR This blog presents a framework using technology subgraphs, decomposition, and graph abstraction to model hybrid attack paths and scale attack path management across enterprise technology platforms. I am also releasing SecretHound to model secrets using BloodHound OpenGraph. Backstory While performing a recent red team assessment, my team came across the GitHub Secret Scanning service. […]

via SpecterOps BH Blog (author: JD Crandell)
Hacking with Burp AI in the Chesspocalypse: API expert Corey Ball showcases how Burp AI can support pentesters.
#portswigger

AI isn’t just reshaping cybersecurity - it’s challenging testers to rethink their entire playbook. In his latest article, “Hacking with Burp AI in the Chesspocalypse”, API expert Corey Ball draws less

via PortSwigger Blog
CVE-2025-23009 & CVE-2025-23010: Elevating Privileges with SonicWall NetExtender
#netspi

NetSPI discovered multiple arbitrary SYSTEM file delete vulnerabilities in SonicWall NetExtender for Windows. Learn how NetSPI discovered and leveraged these for local privilege escalation.

via NetSPI Technical Blog (author: Hayden Wright)
Pew Pew, Precisely: The Physics and Practices Behind RayV Lite
#netspi

We began with a simple question: could laser fault injection be democratized? Our answer is a resounding yes. With back-of-the-envelope physics, modest optics, and basic spare parts, we created a replicable, low-cost method for laser-based hardware attacks.

via NetSPI Technical Blog (author: Sam. Beaumont)
CVE-2025-26685 – Spoofing to Elevate Privileges with Microsoft Defender for Identity
#netspi

Discover how NetSPI uncovered and reported a vulnerability in Microsoft Defender for Identity that allowed unauthenticated attackers to perform spoofing and elevate privileges.

via NetSPI Technical Blog (author: Joshua Murrell)
Extracting Sensitive Information from Azure Load Testing
#netspi

Learn how Azure Load Testing's JMeter JMX and Locust support enables code execution, metadata queries, reverse shells, and Key Vault secret extraction vulnerabilities.

via NetSPI Technical Blog (author: Karl Fosaaen)
Set Sail: Remote Code Execution in SailPoint IQService via Default Encryption Key
#netspi

NetSPI discovered a remote code execution vulnerability in SailPoint IQService using default encryption keys. Exploit details, discovery methods, and remediation guidance included.

via NetSPI Technical Blog (author: Jason Juntunen)
Detecting Authorization Flaws in Java Spring via Source Code Review (SCR)
#netspi

Discover how secure code review catches privilege escalation vulnerabilities in Java Spring apps that pentests miss - identify insecure patterns early.

via NetSPI Technical Blog (author: Mayuri Bochare)
CVE-2025-4660: Forescout SecureConnector RCE
#netspi

Learn about the high-risk RCE vulnerability in Forescout SecureConnector that allows attackers to turn security agents into C2 channels.

via NetSPI Technical Blog (author: Ceri Coburn)
Automating Azure App Services Token Decryption
#netspi

Discover how to decrypt Azure App Services authentication tokens automatically using MicroBurst’s tooling to extract encrypted tokens for security testing.

via NetSPI Technical Blog (author: Karl Fosaaen)
We Know What You Did (in Azure) Last Summer
#netspi

At DEF CON 33, NetSPI presented a talk about how Azure resources supporting Entra ID authentication expose tenant IDs, enabling attackers to attribute cloud resources to specific organizations at scale.

via NetSPI Technical Blog (author: Karl Fosaaen)
Decrypting VM Extension Settings with Azure WireServer
#netspi

The Azure WireServer service provides configuration data to Azure Virtual Machines. Join us as we walk through the process of decrypting that data to find sensitive information.

via NetSPI Technical Blog (author: Karl Fosaaen)
SCCM Hierarchy Takeover via Entra Integration…Because of the Implication
#specterops

TL;DR SCCM sites (prior to KB35360093) integrated with Entra ID can be abused to compromise the entire hierarchy. Introduction Despite several attempts to convince myself that “I’m done with SCCM”, here we are again. Last time, I wrote about abusing the Management Point’s role in the SCCM site database to recover and decrypt credentials from […]

via SpecterOps Blog (author: Garrett Foster)
Fortinet FortiWeb Authentication Bypass – CVE-2025-64446
#bishopfox

Bishop Fox researchers discovered an authentication bypass in FortiWeb that lets attackers add their own admin accounts, take over the device, and erase evidence. Organizations can quickly check if they’re exposed using a new Bishop Fox scanner and should remove public access and update immediately.

via BishopFox Blog
PICing AOP
#rastamouse

The 11.10.25 Crystal Palace release added more new commands in one go than I think I've seen thus far. Many of them seemed really similar at first blush, and it took me a while to get an understanding of where each one is applicable (I failed

via Rasta Mouse Blog
An Evening with Claude (Code)
#specterops

TL;DR – A new vulnerability was found one evening in Claude Code (CVE-2025-64755). I’d love to start this blog post with something really click-baity (“How I pwn3d Claude Code using ChatGPT Codex” or something similar to bring some interest) but, alas, it was not meant to be. This blog post explores a bug I found […]

via SpecterOps Blog (author: Adam Chester)
Reflecting Your Authentication: When Windows Ends Up Talking to Itself
#decoder

Authentication reflection has been around for more than 20 years, but its implications in modern Windows networks are far from obsolete. Even after all the patches Microsoft has rolled out over the years, reflection attacks are still very much exploitable 😉 This post walks through what authentication reflection actually is, why it remains dangerous today,…

via Decoder's Blog
Restoring Reflective Code Loading on macOS (Part II)
#objectivesee

Let's continue our research into fully restoring reflective code loading on macOS — now with support for macOS 26 and in-memory Objective-C payloads. And what about detection? We cover that too!

via Objective-See Blog
Cobalt Strike 4.12: Fix Up, Look Sharp!
#cobaltstrike

Cobalt Strike 4.12 is now available. We are excited to introduce a new look and feel for the Cobalt Strike GUI, a REST API, User Defined Command and Control (UDC2), new process injection options, new UAC bypasses, a new BOF API BeaconDownload for in-memory buffers, and new drip loading Malleable C2 options. Additionally, we have overhauled pivot Beacons so that they now support the novel Sleepmask introduced in 4.11, fixed [...]

via Cobalt Strike Blog (author: William Burgess)
A Note on AI from Christie Terrill, CISO, Bishop Fox
#bishopfox

After a month of conferences and CISO conversations, one thing is clear: AI is reshaping security—fast. But the excitement comes with uncertainty, risk, and big unanswered questions. Here’s what leaders are really saying.

via BishopFox Blog