A post exploitation framework designed to operate covertly on heavily monitored environments - bats3c/shad0w

It turns out that there is a method of disabling ETW in .NET, strangely exposed by setting an environment variable of COMPlus_ETWEnabled=0. This post explores how this works.

PoC exploiting Aligned Chunk Confusion on Windows kernel Segment Heap - synacktiv/Windows-kernel-SegmentHeap-Aligned-Chunk-Confusion

Leveraging Terraform and Ansible to automate the deployment of Active Directory labs in Azure.

During many Red Team Assessment, we use multiple agents to connect to our target network infrastructure. These agents connect to different…

Abusing Windows Telemetry for Persistence by Christopher Paschen: Learn how to exploit Windows telemetry for persistence, requiring local admin rights,…

Learn how ntlm_theft works and how to use it

This post is the final part in a series about my experiences attacking FreeIPA. In Part I of this series, we reviewed some of the…

It’s been a few weeks since my last discussion1 of Excel 4.0 macro shenanigans and the space continues to change. LastLine published a great report2 which summarized the progression of weapon…

Here is my writeup about CVE-2020-1170, an elevation of privilege bug in Windows Defender. Finding a vulnerability in a security-oriented product is quite satisfying. Though, there was nothing groundbreaking. It’s quite the opposite actually and I’m surprised…

A vulnerability in Bitdefender Antivirus allowed any website to run arbitrary code with user's privileges. This was caused by issues very similar to ones found in other antivirus products before.

Analysis of a Cobalt Strike Server leveraged in “PowerTrick” breaches, by Joshua Platt and Jason Reaves

During the Trimarc Webcast on June 17, 2020, Sean Metcalf covered a number of Active Directory (AD) components and areas that should be reviewed for potential security issues. The presentation included PowerShell code in the presentation and that code is…