Cedric Van Bockhaven

@c3c

948 posts

Joined February 2009
355 Following, 951 Followers
Cedric Van Bockhaven retweeted
Melvin langvik @Flangvik
Pushed a major redesign and improvement of amsi.fail for the old-school PowerShell warriors out there. Includes five more recent patch methods and tons of fixes, thanks to my best friend Claude 🤠
Cedric Van Bockhaven retweeted
mgeeky | Mariusz Banach @mariuszbit
1. There's little to no value in giving away someone's hard work to the public only to feed threat intel feeds, signature databases and APTs in return for a few likes and kudos 🙃 2. Private Discord servers offer Signal/Noise ~ 1.0 + friendly atmosphere 🫢 Initial Access Guild FTW! 🍻
Jason Lang @curi0usJack

Feels like the infosec scene on social media is drying up for some reason. My infosec list is mostly cat pics and a few blog posts now. Makes me wonder if people are just sucked in to AI at the moment. And before anyone cries bluesky at me, I checked and for the most part it's a bunch of dead accounts and political takes over there also.

Cedric Van Bockhaven retweeted
N7WEra @N7WEra
Added a feature to ADExplorerSnapshot script today to gather useful information about the environment via the classes, now it will tell you if SCCM, ADCS etc are active in the environment github.com/c3c/ADExplorer… . Thank you @c3c for the awesome tool and the quick PR approval
Cedric Van Bockhaven retweeted
Outflank @OutflankNL
📢 Big News! @mariuszbit is joining Outflank! He ticks all the boxes: Experienced #offsec researcher ✓ Respected name in red teaming ✓ Built RMF tooling for initial access ✓ His work is coming to OST✓ The red hoodie fits perfectly ✓ Welcome Mariusz! outflank.nl/blog/2026/01/2…
Cedric Van Bockhaven retweeted
Dirk-jan @_dirkjan
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: dirkjanm.io/obtaining-glob…
Cedric Van Bockhaven
@ze_ts_ @SEKTOR7net The bigger risk with enclave vulns is that sensitive data/key material may be compromised, which is what they were designed to protect.
sᴛᴀʀʙᴜɢ @ze_ts_
@c3c @SEKTOR7net Ah gatchu, reverse engineering sounds like a complex starting point. So does the limitation to memory ops within the same process mean custom gadget chains are the main focus, or there’s ways to extend this approach beyond VTL1 while avoiding VTL0 detection?
Cedric Van Bockhaven
@ze_ts_ @SEKTOR7net Abusing an enclave for running malicious code is tough (custom gadget chains needed) and most interesting functions (file IO, network IO) will go via VTL0/be subject to analysis in VTL0 anyway. For post exploitation their use is limited - at least for now
Cedric Van Bockhaven
@ze_ts_ @SEKTOR7net Identifying what is exported in existing DLLs requires some reverse engineering to figure out the playing field for that enclave. The offensive use is limited to memory ops within the same process - anything more interesting will go via VTL0 and is subject to ETW/EDR analysis
sᴛᴀʀʙᴜɢ @ze_ts_
@SEKTOR7net @c3c Amazing! Just wondering if he could share more about the process of identifying and leveraging these exported functions in a real world scenario, like when dealing with signed enclave DLLs from trusted vendors like MS SQL Server? I’m looking at it from a trusted vendor pov.
Cedric Van Bockhaven retweeted
Marat Nigmatullin @_mnigma_
My first blog with @falconforceteam! Check it out if you want to learn a few things about Azure DevOps.
FalconForce Official @falconforceteam

Scrum teams assemble! Many companies have incorporated an agile #SDLC into their operations. With using DevOps also come new risks. In this new series of blogs, we have a look into #Azure #DevOps #security from an attacker’s and defender’s perspective. falconforce.nl/azure-devoops-…

Cedric Van Bockhaven retweeted
Outflank @OutflankNL
🚀 We're hiring a DevOps/Cloud Engineer at Outflank! Join us to build and manage complex Azure environments that deliver our OST toolkit. Skills: Kubernetes (AKS), GitOps, IaC, Tekton, Python💻 It's NOT an offensive role! Based in NL or a time zone-friendly region? Let's chat!
Cedric Van Bockhaven retweeted
Outflank @OutflankNL
New Blog Alert! 🚨 Introducing Early Cascade Injection, a stealthy process injection technique that targets Windows process creation, avoids cross-process APCs, and evades top-tier EDRs. Learn how it combines Early Bird APC Injection & EDR-Preloading: outflank.nl/blog/2024/10/1…
Cedric Van Bockhaven retweeted
Guido @Guid6F
I am excited to share that I have graduated with my master's degree in Cybersecurity from Radboud University 🎓. I completed my thesis "Endpoint Detection & Response Evasion during Windows Process Creation" with a 9/10!
Cedric Van Bockhaven retweeted
Outflank @OutflankNL
Who’s the real #GrimResource? Spoiler: It’s us! 😏 Here's our latest blog on using MSC files for initial access: outflank.nl/blog/2024/08/1… Fun fact: @elastic’s post on this technique came from a sample caught by a blue team, originally used by a red team through our OST offering.
Cedric Van Bockhaven retweeted
FalconForce Official @falconforceteam
We are thrilled to publish SOAPHound: a custom-developed data collector tool to enumerate Active Directory environments via the ADWS-protocol. Enjoy! falconforce.nl/soaphound-tool…
Geiseric @Geiseric4
Following @splinter_code's idea, you can also start RemoteRegistry remotely. This way you can check on which server DAs are connected, in case you want to dump their creds. This script could help: gist.github.com/GeisericII/684… It works from low privileged user 😉