DirectoryRanger

24/7 Active Directory Incident Response Contact: Tel. +49 (0) 6221 7569637 E-mail: incident-response@ernw.de

SmokedMeat github.com/boostsecurityi…

Active Directory Pentesting Part 01 Prerequisites: niklas-heringer.com/penetration-te… Part 02 Start Having Fun: niklas-heringer.com/penetration-te…

@4ndr3w6S @DerbyCon @PyroTek3 @WEareTROOPERS Congrats. So much fomo

It will be huge! – (mostly) full @WEareTROOPERS #TROOPERS26 agenda published: #agenda-day--2026-06-24" target="_blank" rel="nofollow noopener">troopers.de/troopers26/age… #agenda-day--2026-06-25" target="_blank" rel="nofollow noopener">troopers.de/troopers26/age…

And now you don't 🙃

Good overview of "Credential Access & Dumping" methods ired.team/offensive-secu…

Windows Registry Forensics Cheat Sheet 2026 #DFIR cybertriage.com/blog/windows-r…

Activities that are audited in Microsoft 365 #DFIR learn.microsoft.com/en-us/purview/…

When Your Edge Browser Syncs Private Data to Your Employer, by @insinuator insinuator.net/2025/02/when-y…

Recursively fuzzing MS-RPC structures and monitoring using ETW, by @incendiumrockz incendium.rocks/posts/Fuzzing-…

Dissecting Impacket for Good and Bad abdulmhsblog.com/posts/impacket…

Anatomy of a .NET Loader – Reflection & Assembly Loading youtube.com/watch?v=m8cjyN…

Big news for Blue Team nerds That nerd who released those Microsoft 0days has created two new repos on GitHub with spooky sounding names indicating they will be releasing two new Windows 0days. Very cool github.com/Nightmare-Ecli…

AddUser-SAMR. Create local administrators using the SAMR API, operating at a lower level than net.exe, PowerShell's New-LocalUser or NetUserAdd API github.com/ricardojoserf/…

SMB alternative ports techcommunity.microsoft.com/blog/filecab/s…

Accelerating Malicious Script Analysis with AMSI, by @P4nd3m1cb0y theshadowslights.com/posts/malware-…

ADWSDomainDump. Active Directory information dumper via ADWS (Active Directory Web Services) github.com/mverschu/adwsd…

When paradigms are shifting: InfoSec in the age of AI, via @insinuator h/t @Earl553 insinuator.net/2026/04/when-p…

shipping: WinSSHound maps SSH access in AD as BloodHound paths. because Windows OpenSSH cheerfully ignores your "Deny Logon" GPOs (pre-2025) and on a default sshd_config every Authenticated User in the domain can walk right in. Why? Because Microsoft. github.com/1r0BIT/WinSSHo…

"BitUnlocker" downgrade attack POC: github.com/garatc/BitUnlo… The Secure Boot database of the device still has to trust the Microsoft Windows PCA 2011 certificate. If it works "a command prompt should appear with the OS volume decrypted and mounted". From the research of techcommunity.microsoft.com/blog/microsoft… Mitigation: KB5025885 or pre-boot PIN.