USB retweetledi
👁️ LOLC2
Collection of C2 frameworks abusing legitimate services to evade detection
Major update: new projects tested, enriched data, and deeper insights.
site: lolc2.github.io
github: github.com/lolc2/lolc2.gi…
English
USB
97 posts
USB retweetledi
Collecting ADCS data with NetExec🔥
Thanks to the addition of CertiHound, developed and implemented by 0x0Trace, we can now collect ADCS data using the --bloodhound collector of NetExec.
As before, the data is exported as JSON files that can be imported directly into BloodHound.
English
USB retweetledi
MOTW is supposed to warn you when a downloaded file is dangerous.
What if the archive chain kills it before Windows ever gets the chance? 🚨
CAB → TAR → TAR → 7-Zip = no Zone.Identifier, no SmartScreen, no warning. Just execution.
Full attack + detection breakdown in the latest Weekly Purple Team 👇
youtu.be/pQxiPwGTBL8
Shoutout to @merterpreter for finding this one 🙏
#purpleteam #MOTW #detectionengineering #cybersecurity
YouTube
English
USB retweetledi
🚨‼️ CRITICAL: Ubiquiti UniFi Network Application vulnerabilities were just disclosed
CVE-2026-22557 CVSS 10.0
Remote path traversal vulnerability allowing an attacker to access and manipulate files, leading to account takeover. No authentication required.
CVE-2026-22558 — CVSS 7.7
Authenticated NoSQL Injection allowing privilege escalation.
English
USB retweetledi
An analysis of CVE-2026-21236 - A heap based buffer overflow in the Microsoft Windows Kernel afd.sys - was just published by @ASN_Sinanju_06S a recent secondment with my team EDG!
Nice work for her first triage of a kernel memory corruption bug!
nccgroup.com/research/vulne…
English
USB retweetledi
CVE-2026-25769: Wazuh Post-Auth RCE
Our team discovered an insecure deserialization vulnerability in the Wazuh Cluster that enables remote command execution via a worker node, potentially leading to full cluster compromise.
CVSS: 9.1 (authentication required)
Wazuh - Security Advisories: github.com/wazuh/wazuh/se…
PoC: github.com/hakaioffsec/CV…
Blog: hakaisecurity.io/cve-2026-25769…
Hakai Offsec@HakaiOffsec
In this research, Hakai Security Research Team has identified a critical Remote Code Execution (RCE) vulnerability in Wazuh versions up to 4.14.1 that allows arbitrary command execution on the master node through insecure deserialization in the cluster communication protocol. Written by Texugo hakaisecurity.io/cve-2026-25769…
English
USB retweetledi
USB retweetledi
AD CS LOLBAS Toolkit, by @ZephrFish
github.com/ZephrFish/LOLA…
English
USB retweetledi
ACTIVE DIRECTORY: _msdcs STUB ZONE! _msdcs STUB ZONE! _msdcs STUB ZONE!
Always make sure those NS records _are up to date_ before making _ANY_ changes in Active Directory such as introducing a new DC!!!
It's a manual thing unfortunately. :-(
Keep an eye on that _msdcs_ stub zone under Domain.Local!
English
USB retweetledi
Forgot to post it, but the recording of my Black Hat talk was released last week. If you're interested in all the hybrid AD attack surface you never knew about, give it a watch: youtu.be/rzfAutv6sB8?si…
YouTube
English
USB retweetledi
USB retweetledi
Do you want quick and easy PowerShell Remoting over SSH that you can *automate* with password authentication? Public key authentication is obviously better, but the initial configuration is often done using password-based authentication.
Install-Module AwakeCoding.PSRemoting
Enjoy!
English
USB retweetledi
Different ways of dumping lsass, by @yo_yo_yo_jbo
github.com/yo-yo-yo-jbo/d…
English
USB retweetledi
When a red team doesn’t get initial access, that’s not failure, it’s validation. Assumed breach is just the next phase of the test making sure to add value by testing detection, response, triage and a host of other functions. The real question shouldn't be “can someone get in?” It’s “what happens when they do?”
Dominic Chell 👻@domchell
My thoughts are yes, red teaming has got significantly harder over the last few years. The knock on effect is: 1) engagements need more time, 2) teams who don't invest heavily in R&D (either in-house or outsourced) will be left behind, 3) there's less things shared publicly as a consequence, 4) lots of teams have tried to compensate by assuming breach, which as a result has led to less innovation in the IA space However, I disagree that IA is anywhere near dead even targeting the top 1%. The vast majority of our engagements have a large IA component and we're still successful in >75% of cases. Yes the points mentioned are a pita - AWL is a great control, but there's equally a plethora of file formats that support scripting; get creative - Yes MOTW restricts some things - but there's a variety of ways around it if you're creative (and I'm not talking about ISOs 🙄)
English
USB retweetledi
Anyone know if Microsoft silently patch the Shadow Creds attack recently ? Looks like a computer object cannot write its own attribute anymore :D
English
USB retweetledi
Having trouble with your beacons surviving reboots on red teams? Our new open-source tool, Swarmer, lets you take advantage of ancient Windows registry trickery to write new startup keys without EDR ever detecting the write operations. Check out the blog post about it here: hubs.ly/Q040pxyB0
English
@Janrdzz @sekurlsa_pw In addition to that, setting LDAPS channel binding to "When supported" could give you a lot more flexibility in your environment. The Windows SMB client always adds the CBT, meaning that your custom infra would still be able to connect to LDAPS without binding AND prevent relays
English
@sekurlsa_pw @_logangoins My apologies for my ignorance. If you have more than a Domain Controller, can you prevent LDAP Relaying against all DCs with just one DC with LDAP Signing and Channel Binding enabled and enforced?
English
@_logangoins 😅, yeah you are right. Let me RT it with the right recommendations.
English
USB retweetledi
USB retweetledi
And, we're back - analyzing CVE-2025-52691, a pre-auth RCE in SmarterTools SmarterMail mail server solution.
Speak soon (:^)) and enjoy..
labs.watchtowr.com/do-smart-peopl…
English