In the previous post, I went through a very brief overview of some machine learning concepts, talked about the Revoke-Obfuscation project…

In the first post in this series we covered a brief background on machine learning, the Revoke-Obfuscation approach for detecting…

Loading malicious dylibs into the Tclsh binary

EntropyCapture extracts the DPAPI optional entropy using API hooking.

One of the routine tasks operators regularly encounter on most engagements is data mining. While exactly what operators are after varies…

Ghostwriter is a part of your team. It helps you manage clients, projects, reports, and infrastructure in one application.

Intro and Prior Work

The Ghostwriter team recently released v3.0.0. This release represents a significant milestone for the project, and there has never been a…

Preventing escalation from initial access in your Active Directory (AD) environment to Domain Admins can feel impossible, especially after…

Explore the risks lurking within SCCM's Network Access Accounts, why transitioning to Enhanced HTTP isn't enough, and why disabling NAAs from AD is crucial.

Abuse primitives have a longer shelf life than bugs and zero-days and are cheaper to maintain. They're also much harder for defenders to detect and block.

Learn to perform manual Active Directory queries with dsquery and ldapsearch. Master basic commands to efficiently navigate AD environments.

tl;dr: Seriously, please disable NTLM

For as long as I’ve been working in security, initial access has generally looked the same. While there are high degrees of variation…

Edit 07/13/22: After an awesome back and forth with Clément Notin and @SteveSyfuhs on Twitter on the effects of “TokenLeakDetectDelaySecs”…

Offensive tooling built upon the .NET framework and its runtime environment, the Common Language Runtime (CLR), is an important part of…

Part 1: Discovering API Function Usage through Source Code Review

Thank you to SpecterOps for supporting this research and to Duane and Matt for proofreading and editing! Crossposted on GitHub.

Welcome back to my On Detection: Tactical to Functional series. In the first post in this series, we explored the source code for Mimikatz’s sekurlsa::logonPasswords command. We discovered that…

The BloodHound Enterprise team is proud to announce the release of BloodHound 4.2 — The Azure Refactor.