Dima

380 posts

@DaWouw

Offensive Developer && Red Teamer @ Outflank

The Netherlands. Joined January 2019
380 Following, 769 Followers
Dima retweeted
Cobalt Strike @_CobaltStrike
Never been happier to have a mouse in the house. 🐭 @_RastaMouse of @_ZeroPointSec has officially joined @Fortra! The mind behind Red Team Ops, one of the most respected training courses in offensive security, is now building what's next with us. Details: ow.ly/6RhV50YCkyr
Dima retweeted
Fortra @fortraofficial
Never been happier to have a mouse in the house. 🐭 @_RastaMouse of @_ZeroPointSec has officially joined @Fortra! The mind behind Red Team Ops, one of the most respected training courses in offensive security, is now building what's next with us. fortra.com/resources/pres…
Dima retweeted
Joe Desimone @dez_
Cobbled together a supply chain monitoring system last week: Cursor+Composer-2-fast harness on live package diffs (pypi+npm). Simple! Received a slack alert within minutes of Axios compromise. Reported to the devs after triple checking, because at first I could not believe it!
Dima retweeted
Cobalt Strike @_CobaltStrike
Introducing Cobalt Strike Research Labs! This new offering provides cutting edge tradecraft to get new capabilities into your workflows faster. Exclusively available in our Adversary Emulation Suites. Read the announcement: cobaltstrike.com/blog/introduci…
Dima retweeted
mert @merterpreter
Discovered a Mark-of-the-Web (MOTW) bypass using native Windows extraction tools. CAB - TAR - TAR - XLSM chain causes the final file to lose MOTW, allowing macros in Microsoft Excel to run without the security warning. Reported to MSRC and classified as moderate. Enjoy
Dima retweeted
klez @KlezVirus
[RELEASE] Better late than never! Part 3 is out! Fantastic unwind information and where to find them. We went digging through .pdata, RTF Lookups, and a few ntdll internals that probably weren't meant to be touched. BYOUD dropping alongside. Enjoy 😉 klezvirus.github.io/posts/Byoud/
Dima retweeted
InfoGuard Labs @InfoGuard_Labs
If you can read the detection rules, evading them becomes a lot easier. New write-up on decrypting Cortex XDR behavioral rules and abusing Global Whitelists by @p0w1_. TL;DR: just put ':\Windows\ccmcache' in your command line. Fixed in Agent 9.1. labs.infoguard.ch/posts/decrypti…
Dima retweeted
Wietze @Wietze
Yet another LNK flaw allows for target spoofing, yet executes any DLL, including remote ones via WebDAV. Even worse, unless you installed the Feb 2026 updates, MotW will be ignored. See how this works on github.com/wietze/lnk-it-…
Dima retweeted
Kyle Avery @kyleavery
I'm not sure when this started, but macOS seems to scan JXA scripts at runtime using the Yara rules in: /var/protected/xprotect/XProtect.bundle/Contents/Resources/XPScripts.yr
Dima retweeted
Outflank @OutflankNL
The macOS Hardened Runtime isn’t a dead end for in-memory execution. In his latest post, @kyleavery looks at the 'allow-jit' entitlement and demonstrates shellcode execution in apps that have it. outflank.nl/blog/2026/02/1…
Dima retweeted
SpecterOps @SpecterOps
Every Entra ID assessment ends here: “How do I get a token without triggering Conditional Access controls?” 🤔 @rbnroot built CAPSlock, an offline ROADrecon-based Conditional Access engine that simulates sign-ins & flags gaps without touching the tenant. ghst.ly/4aKIk64
Dima retweeted
Wietze @Wietze
Can LNK files ever be trusted? ⚡ My latest blog post demonstrates several new LNK abuse methods, allowing you to fully spoof the target shown in Explorer. It also introduces tools to create your own LNKs, and detect spoofed ones yourself. 🐬 wietzebeukema.nl/blog/trust-me-…
Dima retweeted
Pavel Yosifovich @zodiacon
Access masks are easy to ignore until you hit Access Denied and waste time guessing. I wrote up a short walkthrough on what access masks are, where they live, and how to inspect them in Process Explorer, the security UI, and a debugger. trainsec.net/library/window…
Dima retweeted
Adam Chester 🏴‍☠️
No idea if this is the actual bug ref'd by MS (credit to @chen9918b, Alasdair Gorniak and Cristian Papa for finding the bug), the real surprise is that there is markdown rendering in Notepad! It also works with UNC paths with a file:// URI (but with dialog confirmation)...
Adam Chester 🏴‍☠️ @_xpn_

@steventseeley @b1ack0wl I mean, [clickme](C:\path-to-blah.exe) launches without a confirmation dialog (URIs pop up a dialog), advisory says that it is link related so might be something like this that is patched... but the real question should be... WHEN DID NOTEPAD GET MD RENDERING!!??!! 🤣🤣🤣

Dima retweeted
Outflank @OutflankNL
Headed to @hackcon? Be sure to catch @c3c's speaking session, where you'll learn to execute code without relying on traditional executable files by leveraging file formats and interpreters less likely to trigger security alarms. Get more details: hackcon.org/sneaky-code-ex…
Dima retweeted
Garrett @unsigned_sh0rt
I found unauthenticated bugs in MDT that can be abused to coerce authentication from the host server or to leak creds stored in the deployment share's rules file. Instead of fixing the issues, Microsoft retired MDT. specterops.io/blog/2026/01/2…
Dima retweeted
Pavel Yosifovich @zodiacon
Process hollowing isn’t always “unmap and replace.” This post looks at a variant where the original image stays mapped, a second executable is mapped, and execution is redirected. Close enough to matter for defenders. trainsec.net/library/window…
Dima retweeted
Cobalt Strike @_CobaltStrike
Have you found Eden in the (Tradecraft) Garden of Beacon? @Joehowwolf demonstrates how to utilize Crystal Palace, the latest project from Cobalt Strike creator Raphael Mudge, to rapidly combine different capabilities to create novel loaders/PIC tradecraft. cobaltstrike.com/blog/playing-i…
Dima retweeted
Michael Weber @BouncyHat
Early last year @rad9800 shared an idea he'd discussed with @jonasLyk about how to stealthily write to the registry without using the traditional registry APIs EDR watches. The time has come to open source the tool. Hope this helps someone hit their goal! praetorian.com/blog/corruptin…