Last year, we gave you a glimpse of the RemotePE malware used by a Lazarus subgroup. Now, we dive deeper into this toolset and discuss DPAPILoader, RemotePELoader and RemotePE in detail. 🔍💻
Check out our blogpost: https://t.co/6gCPJtdMId
It appears the end is near(er) for the Azure AD Graph API with usage of the API now being blocked in one of my tenants with the AAD PowerShell module client ID. Found this out when trying to demo roadrecon 😬. Time to prioritize merging the MS Graph PR from @Thomasbyrne__
Small update on "printerbugnew": added a description of how to exploit CVE-2025-54918: DCs running 2025 allow reflection RPC->LDAPS - from a standard user to DA before patch 😃 https://t.co/MWXfrkZBev
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog: https://t.co/jD6EaGtsn3
I just started a new blog, and this is my first post. I took a bit of PTO, so this is a little record of some fun I had playing around with Intune during that time. It's about enrollment restriction bypass😄
https://t.co/o9CcXHN4b8
The ADSyncCertDump tool is now part of the adconnectdump tools and can be used to extract SP credentials from Entra ID connect hosts. I will cover that during my BH/DC talks today and Friday! Tool is heavily based on Shwmae by @_EthicalChaos_
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates.
Also includes ESC1 over Intune (in some cases).
https://t.co/Dm1x9ORW7Q
Oh, and a new tool for SCEP: https://t.co/mm9ASrBUKp
Shared the PoC with @mkolsek a few days ago, the same one I gave to Microsoft. Unlike Microsoft, however, they not only verified the issue within days but refined it, demonstrating that ANY domain user can crash a fully patched Windows 2025 server as of now.
This is big. In #XDR there is now a new table in preview:
GraphApiAuditEvents
It's the "free" version of the MicrosoftGraphActivityLogs and will enable more companies to detect threats without having to pay a lot of money.
https://t.co/vDT92ZQrJT
After today’s talk at #TROOPERS25 I’m releasing BitlockMove, a PoC to execute code on remote systems in the context of a logged-on user session 🔥
https://t.co/zXbngHQZDD
No need to steal credentials, no impersonation, no injection needed 👌
Releasing a side project of mine: wsuks - automating the WSUS MITM attack 🔥
https://t.co/92D4idVy7V
TL;DR:
If the Windows Server Update Service (WSUS) is configured to use HTTP instead of HTTPS, it's possible to take control of any Windows machine on your local network.
1/4🧵
Harbinger - a new tool from Matthijs Gielen and @N7WEra presented at #x33fcon. Red Teaming Platform for Streamlined Operations and Enhanced Decision-Making. https://t.co/0UXR4fYJ4i #demo #newtool #toolrelease #AI #red #purple
🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability
It allows compromising any user in AD, it works with the default config, and... Microsoft currently won't fix it 🤷‍♂️
Read Here - https://t.co/c969sNjQH0
Goexec is a new take on some of the methods used to gain remote execution on Windows devices. Goexec implements a number of largely unrealized execution methods and provides significant OPSEC improvements overall.
https://t.co/djN3yL4FfY
Github repo:
https://t.co/me3WItpsIm
ROADtools update: I just released roadlib v1.0! This version drops the adal dependency, all auth flows are now implemented natively 🎉 This was mostly a personal goal, but it helps with adding new features, such as forcing MFA during device code auth independent of CA policies 😀
So you want to exploit ADCS ESC8 with only netexec and ntlmrelayx? Fear not my friend, I will show you how to do it 👇
NetExec now supports "Pass-the-Cert" as an authentication method, thanks to @_dirkjan's original work on PKINITtools ⛱️