Dwight Hohnstein

1.1K posts

@djhohnstein

IBM X-Force Red @[email protected]

Joined January 2018
213 Following, 3.8K Followers

Pinned Tweet
Dwight Hohnstein @djhohnstein
Apollo 2.0 is now out! 7 months and ~450,000 lines of code led to:
- Dynamic Command Loading
- P2P over SMB/TCP
- SOCKS5 Proxying (tested w/RDP/impacket/FireFox)
- "Safe" In-process Assembly Execution
- User-compiled PE execution
- Reduced size (~450kb)

github.com/MythicAgents/A…

Cody Thomas @its_a_feature_

Mythic 2.3.7 is finally out! This includes an entirely new interface, tab-completable and conditional command parameters, LaTeX reporting, updated ATT&CK mappings, updated agents, and more! Check out the blog at posts.specterops.io/mythic-2-3-an-… and the change log docs.mythic-c2.net/common-qa/chan…


Dwight Hohnstein retweeted
Dave Cossa @G0ldenGunSec
Ever been on an SCCM site server and *this* close to a DA pw that you couldn't decrypt for some reason? Check out my new blog looking at encryption in use within SCCM sites configured for High Availability and accompanying tooling to recover passwords: ibm.com/think/x-force/…

Dwight Hohnstein retweeted
chompie @chompie1337
kernel hackers go serverless ring0 → cloud 9 ☁️ ?? brb pwning yr gpu nodes ✨

Dwight Hohnstein retweeted
b33f | 🇺🇦✊ @FuzzySec
I'm releasing a backend for multi-agent AI systems that need to model complex non-linear problems. Kafka handles async agent communication, with ingestion plugins that route data to Neo4j, Qdrant, and MinIO. Check it out on the IBM X-Force GitHub! github.com/xforcered/Agen…

Dwight Hohnstein retweeted
S3cur3Th1sSh1t @ShitSecure
To trigger local SYSTEM authentication for relaying to ADCS or LDAP for LPE you would usually need the printer service or EFS service to be enabled (printerbug/petitpotam). Here is an alternative without this requirement 🤠 github.com/rtecCyberSec/R…

Dwight Hohnstein retweeted
Dave Cossa @G0ldenGunSec
Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…

Dwight Hohnstein retweeted
Akamai Security Intelligence Group @akamai_research
Today we unveil BadSuccessor - a new no-fix Active Directory privilege escalation technique. We will explore the recently introduced dMSA feature, and show how it enables turning a very common, seemingly benign permission, into a full domain take over. akamai.com/blog/security-…

Dwight Hohnstein retweeted
chompie @chompie1337
Me and the homies are dropping browser exploits on the red team engagement 😎. Find out how to bypass WDAC + execute native shellcode using this one weird trick -- exploiting the V8 engine of a vulnerable trusted application. ibm.com/think/x-force/…

Dwight Hohnstein retweeted
Andrew Oliveau @AndrewOliveau
RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS. Hope you enjoy the blog & tool drop 🤟 ibm.com/think/x-force/…

Dwight Hohnstein retweeted
Bobby Cooke @0xBoku
As promised... this is Loki Command & Control! 🧙‍♂️🔮🪄 Thanks to @d_tranman for his work done on the project and everyone else on the team for making this release happen! github.com/boku7/Loki

Dwight Hohnstein @djhohnstein
RT @retBandit: I am excited to announce the first conference dedicated to the offensive use of AI in security! Request an invite at https:/…

Dwight Hohnstein retweeted
Josh @passthehashbrwn
New blog from me on using CLR customizations to improve the OPSEC of your .NET execution harness. This includes a novel AMSI bypass that I identified in 2023. By taking control of CLR assembly loads, we can load assemblies from memory with no AMSI scan. securityintelligence.com/x-force/being-…

Dwight Hohnstein retweeted
Boschko @olivier_boschko
Dropped a spicy 25-min read exploring adversarial ML 🤠 It's a mix of in-depth & light peppering of the broader field. So much I couldn’t fit (extraction, inversion, poisoning), but I hope it sparks curiosity. Made for learners no fancy background ❤️ boschko.ca/adversarial-ml/