@stuk0v.bsky.social

Pentester Wannabe Red Teamer AD/Entra enthusiast

21 Followers  |  54 Following  |  5 Posts  |  Joined: 14.11.2024  |  1.9576

Latest posts by stuk0v.bsky.social on Bluesky

Analysis of a Ransomware Breach

aff-wg.org/2025/09/26/a...

Breach analysis? Breach intelligence? Industry critique? Fee-only ransomware negotiator? 100% efficacy? The story of how Microsoft worked an old problem, fucked it up, we malign the guy who told us, they fixed it, and it wasn't fixed? PtH?

26.09.2025 17:12 — 👍 14    🔁 6    💬 0    📌 1

Playing with @raphaelmudge.bsky.social's latest CP update (it's very cool). I have mixed feelings about merging COFFs though. It simplifies overall development and gives the loader fewer jobs to do, but on the other hand you lose some flexibility about where each "part" goes in memory.

12.09.2025 12:48 — 👍 6    🔁 1    💬 1    📌 0
COFFing out the Night Soil I’m back with another update to the Tradecraft Garden project. Again, this release is focused on the Crystal Palace linker. My priority in this young project is to build the foundation first, then …

COFFing out the Night Soil

aff-wg.org/2025/09/10/c...

A COFF-focused Crystal Palace update:

* internal COFF normalization & section group merging
* Crystal Palace can now export COFF
* I added COFF merging to the spec language too

Linker stuff.

10.09.2025 21:37 — 👍 11    🔁 5    💬 0    📌 1
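The two posts above talk about COFF "section group merging" and about what you give up when parts are merged. The following is an added illustration of the mechanism, not Crystal Palace code and not from the Tradecraft Garden posts: it builds a small x64 COFF object from constructed sections, parses the file and section headers as laid out in the PE/COFF specification, and collapses `.name$key` sections into `.name` the way a linker does (group on the part before `$`, order by the key bytes, place each member at its own `IMAGE_SCN_ALIGN_*` alignment). Assumptions that are mine rather than the spec's: the unsuffixed section is placed before `$a` (the spec does not fix its position), unspecified alignment defaults to 16, and section names are at most 8 bytes so no string table is needed.

```python
import struct
from collections import defaultdict

# IMAGE_FILE_HEADER (20 bytes) and IMAGE_SECTION_HEADER (40 bytes), little-endian.
FILE_HEADER = "<HHIIIHH"
SECTION_HEADER = "<8sIIIIIIHHI"
IMAGE_FILE_MACHINE_AMD64 = 0x8664

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_ALIGN_MASK = 0x00F00000      # bits 20..23 hold IMAGE_SCN_ALIGN_*
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def align_of(characteristics):
    """IMAGE_SCN_ALIGN_* encodes alignment as n -> 2**(n-1); 0 = unspecified.
    The 16-byte default for 'unspecified' is an assumption of this example."""
    n = (characteristics & IMAGE_SCN_ALIGN_MASK) >> 20
    return 1 << (n - 1) if n else 16


def align_flag(alignment):
    """Inverse of align_of for power-of-two alignments."""
    return alignment.bit_length() << 20


def build_coff(sections):
    """Serialise (name, characteristics, raw_bytes) triples into a minimal object:
    no symbols, no relocations, names <= 8 bytes (longer names would need the
    string table, which this example deliberately does not implement)."""
    headers, payload = b"", b""
    offset = 20 + 40 * len(sections)
    for name, chars, data in sections:
        assert len(name) <= 8, "string-table names not supported here"
        headers += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"),
                               0, 0, len(data), offset, 0, 0, 0, 0, chars)
        payload += data
        offset += len(data)
    return struct.pack(FILE_HEADER, IMAGE_FILE_MACHINE_AMD64, len(sections),
                       0, 0, 0, 0, 0) + headers + payload


def parse_coff(blob):
    """Return (name, characteristics, raw_bytes) for every section in the object."""
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER, blob, 0)
    sections = []
    for i in range(nsect):
        name, _, _, size, ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, blob, 20 + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), chars, blob[ptr:ptr + size]))
    return sections


def merge_groups(sections):
    """Collapse '.name$key' sections into '.name': group on the part before '$',
    sort members by the key bytes (empty key, i.e. the unsuffixed section, sorts
    first; an assumption, the spec leaves that unspecified), and lay each
    member's raw data out at its own alignment. Merged characteristics are the
    union of the members' flags with the largest member alignment.
    Returns {base: {"characteristics", "data", "layout": [(member, offset)]}}."""
    groups = defaultdict(list)
    for name, chars, data in sections:
        base, _, key = name.partition("$")
        groups[base].append((key, chars, data))
    merged = {}
    for base, members in groups.items():
        members.sort(key=lambda m: m[0].encode())
        data, layout, flags, max_align = b"", [], 0, 1
        for key, chars, raw in members:
            align = align_of(chars)
            data += b"\0" * (-len(data) % align)          # pad up to member alignment
            layout.append((base + ("$" + key if key else ""), len(data)))
            data += raw
            flags |= chars & ~IMAGE_SCN_ALIGN_MASK
            max_align = max(max_align, align)
        merged[base] = {"characteristics": flags | align_flag(max_align),
                        "data": data, "layout": layout}
    return merged


def sample_object():
    """Constructed input: code split the way MSVC emits .text$mn next to .text,
    plus two data fragments whose keys are deliberately out of file order."""
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    data = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    return build_coff([
        (".text$mn", code | align_flag(16), b"\x90" * 5),
        (".data$b",  data | align_flag(4),  b"BB"),
        (".text",    code | align_flag(16), b"\xc3"),
        (".data$a",  data | align_flag(8),  b"AAA"),
    ])


if __name__ == "__main__":
    for base, sec in merge_groups(parse_coff(sample_object())).items():
        print(base, len(sec["data"]), sec["layout"])
```

The `layout` list is the part worth looking at: once `.text$mn` has been folded into `.text` at offset 16, the loader only sees one section and can no longer place that fragment somewhere else in memory, which is the flexibility trade-off the post describes.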
Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP - SpecterOps TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to LD...

Trying to fly under EDR's radar?

@logangoins.bsky.social explains how to use HTTP-to-LDAP relay attacks to execute tooling completely off-host through the C2 payload context. Perfect for when you need LDAP access but want to avoid being caught stealing creds. ghst.ly/41mjMv7

22.08.2025 18:24 — 👍 5    🔁 2    💬 0    📌 0

What all do you need to know about BloodHound CE 8.0 & OpenGraph? @scoubi.bsky.social is joining @redsiege.com's Wednesday Offensive tomorrow to dive into the JSON schema for OpenGraph, how to ingest nodes & edges, best practices, & how to create custom icons.

Join 👉 ghst.ly/46MNltn

12.08.2025 16:00 — 👍 5    🔁 3    💬 0    📌 0
HKLM\SYSTEM\Setup\sMarTdEpLoY - The (Static) Keys to Abusing PDQ SmartDeploy - SpecterOps TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure credential storage. Low-privileged users may recover and decrypt privileged credentials, such as Local Administrator or Active Directory domain-joined accounts, from the registry of managed devices or from operating system (OS) deployment files stored on deployment servers. Introduction PDQ SmartDeploy […]

PDQ SmartDeploy versions prior to 3.0.2046 used static, hardcoded encryption keys for cred storage. Low-privileged users could potentially access admin creds from registry or deployment files.

@unsignedsh0rt.bsky.social unpacks his testing in his latest blog post. ghst.ly/4mjyuvw

12.08.2025 21:53 — 👍 3    🔁 2    💬 0    📌 0
Certify 2.0 - SpecterOps Certify 2.0 features a suite of new capabilities and usability enhancements. This blogpost introduces changes and features additions.

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️

Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI

11.08.2025 20:38 — 👍 11    🔁 8    💬 0    📌 0
GitHub - olafhartong/BamboozlEDR: A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. A comprehensive ETW (Event Tracing for Windows) event generation tool designed for testing and research purposes. - olafhartong/BamboozlEDR

During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

github.com/olafhartong/...

Slides available here:
github.com/olafhartong/...

06.08.2025 20:49 — 👍 25    🔁 15    💬 0    📌 1

The ADSyncCertDump tool is now part of the adconnectdump tools and can be used to extract SP credentials from Entra ID connect hosts. I will cover that during my BH/DC talks today and Friday! Tool is heavily based on Shwmae by @ethicalchaos.bsky.social
Link: github.com/dirkjanm/adc...

06.08.2025 15:24 — 👍 5    🔁 2    💬 0    📌 0
Last Week in Security (LWiS) - 2025-08-04 AEM RCE (@infosec_au), Intune cert abuse (@_dirkjan), Entra tradecraft (@hotnops), LLMs for R&D (@kyleavery_), File System API research (@Print3M_), and more!

Last LWIS before DEF CON. Come see us in the Embedded Systems Village where we have a mini-workshop hosting an emulated camera on Ludus for you to hack!

blog.badsectorlabs.com/last-week-in...

05.08.2025 15:46 — 👍 1    🔁 2    💬 0    📌 0
Nemesis 2.0 - SpecterOps Nemesis 2.0 is a complete rewrite of the Nemesis file enrichment pipeline with a simplified and extensible architecture, new interface, and a focus on file triage and operator workflows.

👋 Say hello to Nemesis 2.0, a streamlined, Docker Compose-based platform that is laser-focused on file triage. After introducing v1 two years ago, the team has reworked the platform to better serve what people need from it.

Read more from @harmj0y.bsky.social: ghst.ly/4mxQzFU

05.08.2025 16:52 — 👍 4    🔁 2    💬 1    📌 0
A screenshot of two windows. The top is a view of the Microsoft SQL management GUI showing that β€œExtended Protection” is enabled for NTLM authentication. The bottom is a terminal showing an invocation of Impacket’s mssqlclient.py successfully connecting using channel binding.

Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...

31.07.2025 16:19 — 👍 10    🔁 6    💬 0    📌 1
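The screenshot and post above are about Extended Protection, i.e. NTLM channel binding, for MSSQL. As an added example (not the SensePost post's code and not Impacket's), the block below shows what the `MsvChannelBindings` AV_PAIR actually carries and why a relay breaks it: per RFC 5929 the client hashes the certificate of the TLS session it negotiated itself, wraps that in a `gss_channel_bindings_struct` as MS-NLMP describes, and MD5s the struct; the server recomputes the token over the certificate it presented and compares. The certificates here are constructed placeholder byte strings rather than real DER, the signature hash is passed in as a parameter because there is no real certificate to read it from, and the `required` flag is my shorthand for Extended Protection "Required" versus "Allowed".

```python
import hashlib
import struct

# MS-NLMP AV_PAIR ids used below.
MSV_AV_EOL = 0x0000
MSV_AV_CHANNEL_BINDINGS = 0x000A

# Constructed stand-ins for DER certificates. They are not real certificates;
# the token only depends on the certificate hash, so any bytes demonstrate it.
CERT_SQL01 = b"constructed-DER-stand-in: sql01.corp.local"
CERT_RELAY = b"constructed-DER-stand-in: attacker relay listener"


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 'tls-server-end-point': hash of the server certificate. MD5 and
    SHA-1 signature algorithms are upgraded to SHA-256, otherwise the
    certificate's own signature hash is used."""
    algo = "sha256" if sig_hash.lower() in ("md5", "sha1", "sha-1", "sha256") else sig_hash
    return hashlib.new(algo, cert_der).digest()


def channel_binding_token(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """MsvChannelBindings value: MD5 of a gss_channel_bindings_struct in which
    only application_data is populated. Wire layout, little-endian uint32s:
      initiator_addrtype, initiator_address.length,
      acceptor_addrtype,  acceptor_address.length,
      application_data.length, followed by the application_data bytes."""
    app = b"tls-server-end-point:" + tls_server_end_point(cert_der, sig_hash)
    gss = struct.pack("<IIIII", 0, 0, 0, 0, len(app)) + app
    return hashlib.md5(gss).digest()


def av_pair(av_id: int, value: bytes = b"") -> bytes:
    """One AV_PAIR: AvId, AvLen, Value."""
    return struct.pack("<HH", av_id, len(value)) + value


def client_target_info(cert_seen_by_client: bytes) -> bytes:
    """AV_PAIRS a channel-binding-aware client appends to its NTLMv2 blob. The
    token covers the certificate of the TLS session the client itself set up."""
    return (av_pair(MSV_AV_CHANNEL_BINDINGS, channel_binding_token(cert_seen_by_client))
            + av_pair(MSV_AV_EOL))


def parse_av_pairs(blob: bytes) -> dict:
    pairs, off = {}, 0
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = blob[off:off + av_len]
        off += av_len
    return pairs


def server_accepts(target_info: bytes, server_cert: bytes, required: bool = True) -> bool:
    """Extended Protection check on the service side. required=True models
    EP 'Required': a missing token is rejected. required=False models EP
    'Allowed': a client that sends no token still gets in, but a token that is
    present must match the certificate this server actually presented."""
    cbt = parse_av_pairs(target_info).get(MSV_AV_CHANNEL_BINDINGS)
    if cbt is None:
        return not required
    return cbt == channel_binding_token(server_cert)


if __name__ == "__main__":
    # Direct connection: client and server hash the same certificate.
    print("direct :", server_accepts(client_target_info(CERT_SQL01), CERT_SQL01))
    # Relay: the victim terminated TLS at the attacker's listener, so its token
    # covers CERT_RELAY; forwarded to sql01 it no longer matches.
    print("relayed:", server_accepts(client_target_info(CERT_RELAY), CERT_SQL01))
```

The reason the relay cannot simply rewrite the AV_PAIR is that the AV_PAIRS sit inside the NTLMv2 client blob that is HMAC'd with the user's NTLMv2 hash, so a token computed over the wrong certificate cannot be replaced without that hash. Note also the "Allowed" branch: a token-less legacy client is accepted, which is exactly the gap a relay against a downgraded client exploits, so "Required" is the setting that actually closes it.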
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains

Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9

30.07.2025 17:01 — 👍 9    🔁 6    💬 1    📌 0
Extending AD CS attack surface to the cloud with Intune certificates Active Directory Certificate Services (AD CS) attack surface is pretty well explored in Active Directory itself, with *checks notes* already 16 β€œESC” attacks being publicly described. Hybrid attack pa...

It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates.

Also includes ESC1 over Intune (in some cases).
dirkjanm.io/extending-ad...

Oh, and a new tool for SCEP: github.com/dirkjanm/sce...

30.07.2025 15:46 — 👍 15    🔁 9    💬 0    📌 0

BloodHound v8.0 is here! 🎉

This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.

Read more from Justin Kohler: ghst.ly/bloodhoundv8

🧡: 1/7

29.07.2025 13:13 — 👍 13    🔁 9    💬 1    📌 1
Last Week in Security (LWiS) - 2025-07-28 VMware Tools LPE (@justbronzebee), Adaptix C2 0.7 (@hacker_ralf), Ludus MCP (@__Mastadon), SOAP(y) (@_logangoins), and more!

blog.badsectorlabs.com/last-week-in...

29.07.2025 15:58 — 👍 2    🔁 2    💬 0    📌 0
DPAPI Backup Key Compromise Pt. 1: Some Forests Must Burn - SpecterOps Industry guidance for DPAPI backup key compromise remediation is drastic. Let's explore why.

The industry recommendation for DPAPI backup key compromise remediation is to destroy and rebuild the environment.

Alexander Sou explores why this is the current industry guidance. ghst.ly/40DTLHk

28.07.2025 18:55 — 👍 6    🔁 1    💬 0    📌 0
GitHub - rasta-mouse/Crystal-Loaders: A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike A small collection of Crystal Palace PIC loaders designed for use with Cobalt Strike - rasta-mouse/Crystal-Loaders

Published a small collection of PIC loaders for Cobalt Strike, based on my experiments with Crystal Palace.
github.com/rasta-mouse/...

26.07.2025 11:21 — 👍 4    🔁 2    💬 0    📌 0

[BLOG]
Here's the post - I demonstrate my QoL improvements for working with the TCG codebase. This includes vscode with intellisense support, and producing debug builds for use in WinDbg.
rastamouse.me/debugging-th...

25.07.2025 11:17 — 👍 4    🔁 2    💬 1    📌 0
Escaping the Confines of Port 445 - SpecterOps NTLM relay attacks targeting SMB restrict lateral movement options to those that solely require port 445/TCP. Learn at least one method of overcoming this restriction to enable additional lateral move...

Classic NTLM relay problem: Stuck on port 445/TCP, can't use WMI (needs 135/TCP), and dumping hashes triggers EDR alerts.

So what's a stealthy attacker to do? 🤔

Our latest blog post explores evasive alternatives beyond the old techniques. ghst.ly/3ILR1l0

25.07.2025 00:02 — 👍 8    🔁 2    💬 0    📌 0
Ghostwriter v6 is Live! - SpecterOps TL;DR: Ghostwriter now supports real-time collaborative editing for observations, findings, and report fields using the YJS framework, Tiptap editor, and Hocuspocus server, enabling multiple users to ...

Real-time collaboration has landed in Ghostwriter v6.0! 👻

Multiple users can now edit observations, findings, & report fields simultaneously w/o the chaos of overwriting each other's work.

@printingprops.com dives into the details in his latest blog update. ghst.ly/3TTSrwc

23.07.2025 18:14 — 👍 7    🔁 1    💬 0    📌 0
Last Week in Security (LWiS) - 2025-07-21 PIC agents (@_RastaMouse), ToolShell, Async BOFs (@Cneelis), SCCM MP relays (@unsigned_sh0rt), RAITrigger (@ShitSecure), and more!

blog.badsectorlabs.com/last-week-in...

22.07.2025 21:38 — 👍 2    🔁 1    💬 0    📌 0
Modular PIC C2 Agents All post-exploitation C2 agents that I'm aware of are implemented as a single rDLL or PIC blob. This means that all of their core logic such as check-in's, processing tasks, sending output, etc, are a...

[BLOG]
My thoughts (and code examples) for writing modular PIC C2 agents.
rastamouse.me/modular-pic-...

20.07.2025 12:25 — 👍 9    🔁 4    💬 0    📌 1

Now live on tools.honoki.net/smuggler.html

Let me know what you think! ✨

22.07.2025 13:38 — 👍 28    🔁 11    💬 0    📌 2

Taking them to the SHITTER: an analysis of vendor abuse of security research in-the-wild

aff-wg.org/2025/07/13/t...

(There is no benefit modulating my voice for anyone's comfort. This is my fair take, but unapologetic truth. This phenomenon has gone unchecked for too long)

14.07.2025 14:05 — 👍 10    🔁 7    💬 1    📌 0
LudusHound: Raising BloodHound Attack Paths to Life - SpecterOps LudusHound is a tool for red and blue teams that transforms BloodHound data into a fully functional, Active Directory replica environment via the Ludus framework for controlled testing.

Ludushound shows the power of community driven innovation in cybersecurity. @bagelByt3s created an awesome tool to convert bloodhound data into a working lab in 🏟️ Ludus. Replicate complex live environments with automation - and get back to the fun stuff!

specterops.io/blog/2025/07...

14.07.2025 19:12 — 👍 3    🔁 1    💬 0    📌 0
DEATHcon Montreal - On Site 2 days of hands-on Detection Engineering and Threat Hunting workshops! Join us Live in Montreal.

Tickets for #DEATHcon in Montreal are on sale now!

Book now to secure your place. FYI, Virtual Tickets for round 1 are already Sold Out!

eventbrite.ca/e/deathcon-m...

Additional info (like workshops) for the con can be found here : deathcon.io

Please like & repost for reach

10.07.2025 12:59 — 👍 3    🔁 2    💬 0    📌 1
When Backups Open Backdoors: Accessing Sensitive Cloud Data via

Teammate Leonid discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of orgs that use Synology's "Active Backup for Microsoft 365" (ABM), including sensitive data like Teams channel messages. 🤓
#synology #disclosure #modzero
modzero.com/en/blog/when...

29.06.2025 08:01 — 👍 21    🔁 14    💬 1    📌 1
Beacon Object Files – Five Years On… When I was active in the red teaming space, one of my stated goals was to act on problems with solutions that would have utility 5-10 years from the time of their release. This long-term thinking w…

Beacon Object Files... Five Years On

aff-wg.org/2025/06/26/b...

I released BOFs with Cobalt Strike 4.1 five years ago. This is some history on the feature and what led to it. My thinking at the time. A few thoughts on current discourse.

26.06.2025 18:48 — 👍 12    🔁 5    💬 0    📌 0
Misconfiguration Manager: Still Overlooked, Still Overprivileged - SpecterOps It has been one year since Misconfiguration Manager's release and SCCM misconfigurations remain widespread, leading to dangerous attack paths across enterprises. Here we summarize the impact and commu...

In the year since Misconfiguration Manager's release, the security community has been actively researching new tradecraft & identifying new attack paths.

@subat0mik.bsky.social & @unsignedsh0rt.bsky.social dive into the research & its impact on the state of SCCM security. Read more: ghst.ly/460vI9d

26.06.2025 15:52 — 👍 3    🔁 3    💬 0    📌 0