brmk
56 posts
@_brmkit
just another wannabe redteamer.
Italy. Joined November 2019
437 Following, 15 Followers
brmk
brmk@_brmkit·
During some free time I ended up doing some research on something I never really thought about before: using Windows toast notifications for user manipulation. I ended up writing a BOF and a blog post about it, hope it's useful! brmk.me/2026/03/18/toa…
brmk retweeted
dreadnode
dreadnode@dreadnode·
We fine-tuned an 8B model to pop a GOAD domain…using only synthetic training data. No real networks. No frontier model distillation. Just a world model that simulates AD environments and generates realistic pentesting trajectories. See how @shncldwll and @0xdab0 did it: dreadnode.io/blog/worlds-a-…
Tim
Tim@__invictus_·
Currently working on what could be the most impactful code I've ever written. It's not an 0day, a new IA technique, or some fancy malware. Nope. It's an automated note taking app integrating the new Nighthawk API with outline. Complete fucking game changer.
brmk retweeted
Bad Sector Labs
Bad Sector Labs@badsectorlabs·
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH '-516'
WITH COLLECT(c1.name) AS dcs
MATCH (c2:Computer) WHERE c2.enabled = true AND (c2.operatingsystem CONTAINS '2025') AND (c2.name IN dcs)
RETURN c2.name
If this query hits, you're in.
Yuval Gordon@YuG0rd

🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷‍♂️ Read Here - akamai.com/blog/security-…

brmk retweeted
Johannes Bückler
Johannes Bückler@JohannesBuckler·
The waste of public money after the Irpinia earthquake has by now become part of this country's history. An ugly story, summarized in ten volumes presented to Parliament on 5 February 1991 and sent to various prosecutors' offices by a commission of inquiry chaired by Scalfaro.
brmk retweeted
Andrea P
Andrea P@decoder_it·
OK, I promise to stop spamming about relays with NTLM/Kerberos 😅. But if you're a member of the Distributed COM or Performance Log group, these juicy CLSIDs let you trigger remotely machine authentication of any computer, including DCs, and relay DCOM -> HTTP, SMB… 👇
brmk retweeted
Michael Coppola
Michael Coppola@mncoppola·
New blog post "Google: Stop Burning Counterterrorism Operations" My reflection on an incident where Project Zero and TAG knowingly shut down an active Western counterterrorism cyber operation, and the real-world harm that could have resulted from it. poppopret.org/2024/06/24/goo…
brmk retweeted
Chetan Nayak (Brute Ratel C4 Author)
Watching people tweet they bypassed a certain EDR is just cringe at this point. When you ask them what they bypassed, they don't know what. So let me take you back to school...

Executing an open-source tool is not a bypass. An EDR employs several mechanisms for detection. Getting a new implant for a Twitter image is not evasion. To have a proper bypass, several conditions must be met. Let's see...

1. When you say you bypassed an EDR, what did you pass? Initial connection? Post-ex? Userland unhooking of DLLs? DLL callbacks? Exception handlers? Kernel hooks? Userland ETW or kernel ETW? Yaras? If you didn't test any of this, how do you know that you bypassed it?
2. I know EDRs which simply allow the connection and monitor it to gather more intel on threats, but will kill the implant upon interaction with the local env.
3. The implant must be executed in the form of an initial access like an actual RT/TA would do.
4. All EDR functionalities must be enabled, including internet for ML anomalies.
5. Did you interact with the implant after getting a shell? Most EDRs will kill you at the moment of interaction with local files or processes due to call-stack scanning.
6. Does your implant leave "shouting traces" of "I exist" in memory which can be traced with a simple process monitor with a memory dump?

Most importantly, have you ever reversed the EDR or its modules to understand what exactly is happening in the back end? Do you even know "WHAT" is actually being detected by the EDR?

On the other hand, I just woke up and I guess I chose violence today. So time to go back to sleep 😂.
brmk retweeted
Rob Fuller
Rob Fuller@mubix·
Intern, Junior, Senior, Principal, Sr Principal, Staff, Master, Artisan. These are the levels I believe best suit most of the fields of study in Cyber Security. I worked with @carnal0wnage to put some of this together one day and wanted to share my thoughts on it:
brmk retweeted
Grzegorz Tworek
Grzegorz Tworek@0gtweet·
Kerberos ticket dumping in pure PowerShell 😍 I simply love such an approach. So much more beautiful than loading a pre-compiled binary blob. And so much harder to detect... linkedin.com/posts/mzhmo_hi…
brmk
brmk@_brmkit·
@tryhackme What did the ransomware attacker ask for on Christmas? A byte of good will! #ChatGPT
TryHackMe
TryHackMe@tryhackme·
Another day, another giveaway - sleigh, what?! With #AdventOfCyber well and truly under way, we’re giving away extra tickets to the big pool of prizes! You just need to reply with your favourite Christmas joke 🎄 Entries close on Sunday 18th December. Good luck! 🤞
Nathan McNulty
Nathan McNulty@NathanMcNulty·
Renaming local admin is pretty useless. My usual guidance is to randomize the built-in admin account password using New-Guid, disable it, and create a new local admin with the password managed by LAPS :) LAPS group policy allows us to define a non-default admin to manage ;)
Mick Douglas 🇺🇦🌻@bettersafetynet

Bad blue tips: "Change the local administrator name so attackers get confused." Let's kill this bad advice! Please spread this info in this thread instead. No matter what you name your local admin account, it will always be RID 500. Many attack tools go after the RID directly. 1

Marius Hauken
Marius Hauken@mhauken·
Shortcuts is the most powerful app on your iPhone. But 99% don’t know how to use it. Here are 7 shortcuts to make your life easier:
Ahsan Khan
Ahsan Khan@hunter0x7·
IDOR Checklist
Marko Denic
Marko Denic@denicmarko·
If you're looking for a remote job, open this: