EAGAIIN
@EAGAIIN

608 posts

I break things casu consulto. Red Team at CrowdStrike. My views and comments are my own and do not reflect my employer's views.

Europe
Joined August 2019
724 Following, 119 Followers
EAGAIIN retweeted
incendiumrocks (@incendiumrockz):
It's been a while since I wrote a blog post. My new post is about some cool updates to the MS-RPC-Fuzzer for recursively fuzzing complex structures, logging using ETW, and we found a way to escalate to nt\authority system! incendium.rocks/posts/Fuzzing-…
EAGAIIN (@EAGAIIN):
@yaumn_ Very juicy bonus! Relays are not dead. Thanks for the research 💪🏼
Haidar (@haider_kabibo):
So here is a new local privilege escalation zero-day I discovered, not patched yet :). In simple terms, if you have a service like RDP that exposes an RPC server, there are many system services running as SYSTEM that connect to it as RPC clients. If that service is turned off (RDP is off by default), it seems that any other process in Windows can expose the same RPC server using the same endpoint. Now all the RPC calls from those SYSTEM processes will come to this fake server, and if the process that deployed the server has SeImpersonatePrivilege, it can escalate to SYSTEM by impersonating the RPC client. In the white paper below, I describe five exploit paths you can abuse. However, it's an architecture problem and maybe there are more. It's Not A Potato securelist.com/phantomrpc-rpc…
vx-underground (@vxunderground):
I don't use an anti-virus. If I detonate malware on my machine (which I have several times) I yank the CAT cable and then let out an audible and dramatic sigh.
vx-underground (@vxunderground):
Had a Threat Actor ask for an anti-virus recommendation. DAWG, YOU ARE THE THREAT. WHY DO YOU NEED AN AV?
EAGAIIN retweeted
Jacob Paullus (@psycep_):
gopacket is live! Check it out; it is intended to be a full reimplementation of Impacket in Go (it is in beta, please send me bug reports). github.com/mandiant/gopac…
EAGAIIN retweeted
dylan davis (@lildylannn):
I just dropped some research: DSCourier, and would love for you to check it out and give your opinion!! It's a novel post-exploitation technique abusing WinGet's COM API to execute code through Microsoft-signed binaries. GitHub: github.com/DylanDavis1/DS… Blog: dylansec.com/DSCourier/
Lupin (@0xLupin):
Her first week at Lupin & Holmes? Garance compromised an npm package with 40M weekly downloads 🔥 Depi flagged a dangerous workflow in @ img/colour. She turned Dependabot into the trigger, got the workflow to run, and reached package write access. 40M weekly downloads. Week one. Garance rocks 🤟 landh.tech/blog/20260402-…
EAGAIIN retweeted
chiefofautism (@chiefofautism):
someone at ANTHROPIC just showed CLAUDE finding ZERO DAY vulnerabilities in a live conference demo. claude has found a zero day in Ghost, 50,000 stars on github, never had a critical security vulnerability in its entire history... it found the blind SQL injection in 90 minutes, stole the admin api key, then did the exact same thing to the linux kernel
EAGAIIN retweeted
CCob🏴󠁧󠁢󠁷󠁬󠁳󠁿 (@_EthicalChaos_):
Small update to DRSAT just pushed that will also allow the Group Policy Editor and Certificate Authority / Templates MMC snap-ins to work over a TCP-only SOCKS connection. github.com/CCob/DRSAT
nkl (@614ck1n9):
@BetterCallMedhi So it reduces the number of possible vulnerabilities, but red teams will also use LLMs. Will they still find vulnerabilities?
EAGAIIN (@EAGAIIN):
@TheXC3LL So the grass is not greener on the other side, just different.
Jean (@Jean_Maes_1994):
perfection.
EAGAIIN retweeted
Logan D (@relay_royalty):
Introducing RelayKing. github.com/depthsecurity/… Blog: depthsecurity.com/blog/introduci… Automatically identify relay attack paths. No longer will you be left to manually detect a comprehensive inventory of all the relaying vectors on your engagements. It will detect signing/EPA settings on all protocols you specify, NTLM reflection CVEs, and WebDav WebClient presence. Then, produce a comprehensive report of the relaying vectors on the network in your preferred output format. This ensures that you report ALL vulnerable instances easily, without the need for manual patching together of results from various tools. Ideal usage is with a set of low-privilege AD credentials, but it also supports unauthenticated scanning (with far less coverage). See GitHub and the blog post for more details. Please note that there ARE bugs. The LDAP(S) detection has been annoying but SHOULD be mostly solid. If you get suspicious results from it, please report an issue on GitHub with the config RelayKing reported, versus the actual one. Enjoy!