Burnout

1.4K posts

@BurnOneOuts

Buy High and Sell Low

Joined September 2021
1.2K Following 186 Followers

Burnout retweeted
Jakob @virtualloc
Another day, another async BOF. With KeeLog, you can monitor KeePass instances and capture the master password as soon as it's entered. github.com/jakobfriedl/ke…

Burnout retweeted
Jakob @virtualloc
Been very interested in Async BOFs lately and implemented a few for use with Conquest. The first implements Rubeus monitor as a BOF and notifies when TGTs are collected. The second monitors for clipboard changes and returns them. github.com/jakobfriedl/tg… github.com/jakobfriedl/cl…

Burnout retweeted
Dirk-jan @_dirkjan
Me trying to figure out Agent Identities in Entra ID. I really wonder who decided apps and service principals weren't already difficult enough to understand and went with a design that is even wayyy more complicated 😅.

Burnout retweeted
Omkar @psomkar1
Interviewer: where do you see yourself in 5 years? Me:

Burnout retweeted
SpecterOps @SpecterOps
NTLMv1 is still out there. And now it’s easier than ever to break. @skylerknecht walks through how Google’s rainbow tables make NT hash recovery practical, no third-party service required. Check it out! ⤵️ ghst.ly/4vqx9Id

Burnout retweeted
Alex Neff @al3x_n3ff
Releasing one of my research tools: EVENmonitor🖥️ Inspired by LDAPmonitor, I implemented a monitoring tool for the Windows Event log in pure python. You can just attach it via the network and then filter for specific event IDs or keywords. Available at: github.com/NeffIsBack/EVE…

Burnout retweeted
Fernando Fernandez @FinFerFer
@Dinosn With Microsoft disabling RC4 for Kerberos come summer, will that affect NTLMv2 or will it stick around for a few more iterations?

Burnout retweeted
kmkz @kmkz_security
Example on what real-world #LLM usage in offsec looks like:
Built a full-stack #C2 100% usable:
.HTTP + DNS fallback
.jittered traffic, real UAs
.WS SOCKS5 pivot
.on-demand modules, no persistence
LLMs didn’t design it, they accelerate
Experience drives tradecraft, #LLMs amplify

Burnout retweeted
Nicolas Krassas @Dinosn
Every Sliver C2 Tutorial Was Outdated. So I Wrote My Own medium.com/@aviraj3868/every-sliver-c2-tutorial-was-outdated-so-i-wrote-my-own-cd47c50add3f

Burnout retweeted
Co11ateral @co11ateral
LDAPNomNom Can quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by abusing LDAP Ping requests (cLDAP). No Windows audit logs generated. High speed ~ up to 50K/sec per server. You can go way beyond that with multiple servers in parallel github.com/lkarlslund/lda…

Burnout retweeted
mthcht @mthcht2
ICMP data exfiltration is underestimated. lolexfil.github.io/#tool=ICMP%20Exfiltration%20%2F%20C2%20Tunneling ICMP traffic is often excluded from firewall log ingestion, and on endpoints most EDRs neither alert on this exfiltration method nor expose the ICMP payload content needed to build custom detections.
mthcht @mthcht2

LOLEXFIL Living off the land Data Exfiltration method lolexfil.github.io

Burnout retweeted
Cloudflare Developers @CloudflareDev
Introducing the new /crawl endpoint - one API call and an entire site crawled. No scripts. No browser management. Just the content in HTML, Markdown, or JSON.

Burnout retweeted
Origin @originhq
We built Brainworm: malware that lives entirely inside of an AI agent's context window. No binaries. No scripts. Once loaded, it registers with C2 and executes tasks using the agent's own tools. Welcome to the era of semantic malware. 🧠🪱 Blog: originhq.com/blog/brainworm

Burnout retweeted
OtterHacker @OtterHacker
I published a SharePoint and Outlook PowerShell GUI that can be used on a RedTeam operation when you've found an Azure AppId with interesting privileges. You can now use these tools to browse the SharePoint or Mailboxes through a GUI instead of the GraphAPI github.com/OtterHacker/M3…