Security Obscurity

2.1K posts

@SecObscurity

Security lover with a blog and a youtube channel https://t.co/N98rjIS6O6.

Joined August 2011
593 Following, 2.2K Followers
Security Obscurity retweeted
sapir federovsky @sapirxfed
I’ve been meaning to watch this talk for ages, and wow! 🤩 @fabian_bader managed to explain such a complex topic so clearly. I finally feel like I actually get Passkeys now! 🙌 youtube.com/watch?v=DQ4dnX… Highly recommend giving this a watch
Security Obscurity retweeted
Nathan McNulty @NathanMcNulty
This is pretty cool. You can build consent URLs for Logic Apps for use in phishing, and it looks like Microsoft has added warnings to this consent dialog :) It's been a long time since I used the URL like this - anyone know when this change happened?
Security Obscurity retweeted
Silky @S1lky_1337
My BlueHammer version (now redhammer) implements my VDM version patch, deploys and loads the BYOVD for my exploitkit. It bypasses the new signature for BlueHammer as well. How is this still unpatched?
Security Obscurity retweeted
SpecterOps @SpecterOps
Relayed NTLM creds are powerful, if you can use them. @senderend shows why browsers fail through ntlmrelayx SOCKS and introduces ghostsurf to make NTLM-authenticated web apps accessible. Read more ⤵️ ghst.ly/4tnJOtx
Security Obscurity retweeted
S3cur3Th1sSh1t @ShitSecure
WSUS fake updates for LPE or RCE when HTTP is being used? This one took many days and troubleshooting with claude but now we have a C2-Capable tool for the full stack including poisoning plus fake update delivery - the only thing we need is a low privileged C2 session! 🔥
Security Obscurity retweeted
Arun @dazzyddos
Still seeing PoCs every week to dump LSASS. @mcbroom_evan had dropped LSA Whisperer almost a year ago which talks to auth packages through LsaCallAuthenticationPackage. No LSASS handle. No injection. Works with PPL + Credential Guard. I ported it to BOF: github.com/dazzyddos/lsaw…
Security Obscurity retweeted
Nathan McNulty @NathanMcNulty
Why yes, yes we can use ESTSAUTH captured from evilginx to automatically register a passkey
Quoted post by Kuba Gretzky @mrgretzky:

@NathanMcNulty This is super cool! (just catching up late after the weekend) Is it possible to generate that passkey using the previously captured cookies or tokens, through phishing? (using browser cookies in general)

Security Obscurity retweeted
Graham Helton (too much for zblock)
Excited to disclose my research allowing RCE in Kubernetes. It allows running arbitrary commands in EVERY pod in a cluster using a commonly granted "read only" RBAC permission. This is not logged and allows for trivial Pod breakout. Unfortunately, this will NOT be patched.
Security Obscurity retweeted
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 @_EthicalChaos_
My first blog post in a while. This was a fun one. The endpoint management agent belonging to Quest Desktop Authority had native support for DLL injection, thread token manipulation and elevated admin execution... all remotely from a low privilege user. netspi.com/blog/technical…
Security Obscurity retweeted
Secorizon @secorizon
Today Secorizon is releasing OffByWon, an advanced network protocol fuzzing framework. This tool allows you to bring chaos to drivers, servers, parsers. A minimal demo client performing a complete fuzzable LDAP NTLM authentication is included. Several advanced functionalities are included in this framework such as BER/ASN tag scan -> byte bruteforce (0-255)/tag, deltas len +1/-1|+2/-2|etc, array overflow builder, combined fuzzing: structured + byte flip, blind fuzzing: truncate/add/switch/etc bytes at random offsets, etc. Happy fuzzing! github.com/secorizon/OffB…
Security Obscurity retweeted
SpecterOps @SpecterOps
Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ ghst.ly/4qtl2rm
Security Obscurity retweeted
Secorizon @secorizon
Let's start 2026 with a major Responder update! It now supports:
- CLDAP ping pong to SMB auth.
- SNMPv3 authentication and hashes.
- New rogue Kerberos server forcing AS-REQ when receiving TGS-REQ + support for Kerberos type 17/18 hashes.
- IMAP support for NTLM authentication.
- SMTP support for AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM authentication.
- DCE-RPC server now supports SAMR, SRVSVC, WKSSVC, WINREG, SVCCTL, ATSVC, DNSSERVER
- DNS server now supports SOA, MX, SRV, ANY, etc
  -> SOA -> Appear as the authoritative DNS server
  -> MX poisoning → Email client connects to rogue SMTP/IMAP → capture credentials
  -> SRV poisoning → Domain services connect to rogue SMB/LDAP/Kerberos → capture NTLM/AS-REQ
- LDAP GSSAPI, GSS-SPNEGO, NTLM, DIGEST-MD5
git pull or git clone github.com/lgandx/Respond…
Happy new year to everyone!
Security Obscurity retweeted
HD Moore @hdmoore
SpecterOps released "DumpGuard" along with a detailed article on how they were able to bypass Windows Credential Guard in both privileged and unprivileged contexts. I learned a ton about Isolated LSA and friends: specterops.io/blog/2025/10/2…