Julien Bedel

411 posts

@d3lb3_

French Pentester. Using retweets as bookmarks.

Joined August 2022
177 Following 533 Followers

Pinned Tweet
Julien Bedel @d3lb3_ ·
After January's patch of KeePass trigger abuse technique, I decided to take a deep dive into the software features, ending up with new ways to extract passwords through the configuration file! Details and mitigations below, enjoy the read ✌️ d3lb3.github.io/keepass_trigge…

Julien Bedel retweeted
spencer @techspence ·
Some of my favorite security capabilities that are not EDR:

1. User behavior monitoring
Example: Suzie in accounting all of a sudden makes a bunch of SMB connections. Or when bob’s Tier 0 account is now logged into a workstation somehow. UEBA (user entity behavior analytics) used to be a thing several years ago. Then it got (absorbed?) by identity products. But most have fallen flat in my opinion. I’d recommend taking a look at data security/auditing products for these capabilities. DM me if you want and I’ll share more details here.

2. Network detection & response
I’ll be honest these can get super expensive. But when tuned well these can be some of the best at detecting suspicious network activity. Example: Large number of ldap queries from a workstation. Or when all of a sudden gMSA are being queried for their password attribute.

Believe it or not, I’ve done entire internal pentests and triggered next to no EDR alerts, but the client’s user activity monitoring and NDR were lighting up like a Christmas tree 🎄 This is an underinvested area of security for many orgs.

Julien Bedel retweeted
Justin Elze @HackingLZ ·
I'm struggling to find reasons to keep CobaltStrike licensed these days. We rarely, if ever, use it. We had been keeping it around for teaching private classes, as some of our clients internal teams use it. The other use case was for threat emulation since it was the hotness with ransomware groups. Now that they have locked down their licensing model and it's less prevalent in the wild, I'm only tied to the first use case.

Julien Bedel @d3lb3_ ·
See you in @Blackhatmea next week to discuss web-based password manager extraction ✌️

Julien Bedel retweeted
Synacktiv @Synacktiv ·
DCOM is everywhere, but its inner workings feel like black magic. 🪄 Unveil the mystery with @k3vinTell's new article on DCOM basics. Trust us, it's way cooler than it sounds! synacktiv.com/en/publication…

Julien Bedel retweeted
SpecterOps @SpecterOps ·
Mythic's browser scripting lets operators customize data analysis beyond raw output. Alexander DeMine shows how smart agent design + structured responses transform the operator experience. ⬇️ ghst.ly/4oTkdY4

Julien Bedel retweeted
Garrett @unsigned_sh0rt ·
I automated the POC for stealing policies from MP relays from this blog into a modified version of mssqlclient specterops.io/blog/2025/07/1… would work too with any other piv account to the DB github.com/garrettfoster1… (no PR because impacket doesn't merge, sorry)

Julien Bedel retweeted
SpecterOps @SpecterOps ·
Trying to fly under EDR's radar? @_logangoins explains how to use HTTP-to-LDAP relay attacks to execute tooling completely off-host through the C2 payload context. Perfect for when you need LDAP access but want to avoid being caught stealing creds. ghst.ly/41mjMv7

Julien Bedel retweeted
Synacktiv @Synacktiv ·
The GroupPolicyBackdoor tool, presented at #DEFCON 2025, is now available on Synacktiv's GitHub: github.com/synacktiv/Grou… This Python utility offers a stable, modular and stealthy exploitation framework targeting Group Policy Objects in Active Directory!

Julien Bedel retweeted
vx-underground @vxunderground ·
Axel Springer says ad blockers threaten their revenue generation model and that using an ad-blocker illegally manipulates the HTML / CSS (and other web components) thus it is infringement of their intellectual property INSPECT ELEMENT IS ILLEGAL AND FOR NERDS

Julien Bedel retweeted
SpecterOps @SpecterOps ·
Hosts running the WebClient service are prime targets for NTLM relay attacks, and it may be possible to start the service remotely as a low-privileged user. @0xthirteen breaks down the service startup mechanics, plus the protocols and technologies. ghst.ly/41QT7GW

Julien Bedel retweeted
Orange Tsai 🍊 @orange_8361 ·
Turns out my #PHRACK article is live! 🔥 > The Art of PHP — My CTF Journey and Untold Stories! Kinda a love letter to those CTF players & PHP nerds! Hope all the credit goes to the right ppl. Also huge thanks to @0xdea for not forgetting me, @guitmz for the edits, and the @Phrack crew for keeping it real! 🎉 phrack.org/issues/72/5_md…

Julien Bedel retweeted
RedTeam Pentesting @RedTeamPT ·
👀Turns out MS-EVEN can do a lot more than NULL auth: In addition to leaking environment variables, it is possible to coerce authentication from arbitrary logged on users* 🤯 *If you are willing to trigger Windows Defender.

Julien Bedel retweeted
Ente @enteio ·
Ente tweet media

Julien Bedel retweeted
Wil @wil_fri3d ·
gpoParser, which I presented at #leHACK2025 and #DEFCON, is available here: github.com/synacktiv/gpoP… It is a specialized utility designed to enumerate Group Policy Objects (GPOs) and identify potential security misconfigurations.

Julien Bedel retweeted
delivr.to @delivr_to ·
An infostealer that runs in the browser? Kinda. In our latest research, we explore how Chromium File System APIs can be abused to exfiltrate mapped network drives with a single drag-and-drop. Blog: blog.delivr.to/filejacking-ex…