Mänu

@emanuelduss.ch.bsky.social

IT security. Linux & network protocols. Pentesting web applications, networks & AD infrastructures. Mostly technical stuff here. https://emanuelduss.ch

60 Followers  |  90 Following  |  16 Posts  |  Joined: 22.12.2024

Latest posts by emanuelduss.ch on Bluesky

China has started filtering and censoring internet traffic taking place over the QUIC protocol.

The filtering started in April last year.

The Great Firewall now decrypts QUIC packets at scale and uses a separate blocklist for QUIC traffic, separate from its main filters

gfw.report/publications...

02.08.2025 22:31 — 👍 32    🔁 18    💬 0    📌 0
A screenshot of two windows. The top is a view of the Microsoft SQL management GUI showing that “Extended Protection” is enabled for NTLM authentication. The bottom is a terminal showing an invocation of Impacket’s mssqlclient.py successfully connecting using channel binding.

Reverse engineering Microsoft’s SQLCMD.exe to implement Channel Binding support for MSSQL into Impacket’s mssqlclient.py. Storytime from Aurelien (@Defte_ on the bird site), including instructions for reproducing the test environment yourself.

sensepost.com/blog/2025/a-...

31.07.2025 16:19 — 👍 9    🔁 6    💬 0    📌 1
BloodHound v8.0 is here! 🎉

This update introduces BloodHound OpenGraph, revolutionizing Identity Attack Path Management by exposing attack paths throughout your entire tech stack, not just AD/Entra ID.

Read more from Justin Kohler: ghst.ly/bloodhoundv8

🧵: 1/7

29.07.2025 13:13 — 👍 13    🔁 10    💬 1    📌 1
Upcoming Conference Talks - PortSwigger Research Find details of upcoming talks from the PortSwigger Research team. We also have research papers and recordings available from previous conferences and events.

Not at Black Hat / DEF CON? You can still join the mission to kill HTTP/1.1:
- Watch the livestream from #DEFCON at 16:30 PT on the 8th
- Read the whitepaper on our website
- Grab the HTTP Request Smuggler update & WebSecAcademy lab

Follow for updates & links. It's nearly time!

30.07.2025 14:50 — 👍 12    🔁 2    💬 0    📌 0
Entra Connect Attacker Tradecraft: Part 3 - SpecterOps How Entra Connect and Intune can be abused via userCertificate hijacking to bypass conditional access and compromise hybrid domains

Entra Connect sync accounts can be exploited to hijack device userCertificate properties, enabling device impersonation and conditional access bypass.

@hotnops.bsky.social explores cross-domain compromise tradecraft within the same tenant.

Read more: ghst.ly/3ISMGN9

30.07.2025 17:01 — 👍 9    🔁 6    💬 1    📌 0
Extending AD CS attack surface to the cloud with Intune certificates Active Directory Certificate Services (AD CS) attack surface is pretty well explored in Active Directory itself, with *checks notes* already 16 “ESC” attacks being publicly described. Hybrid attack pa...

It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates.

Also includes ESC1 over Intune (in some cases).
dirkjanm.io/extending-ad...

Oh, and a new tool for SCEP: github.com/dirkjanm/sce...

30.07.2025 15:46 — 👍 16    🔁 9    💬 1    📌 0
We've just released a massive update to Collaborator Everywhere! This is a complete rewrite by @compass-security.com which adds loads of features including in-tool payload customization. Massive thanks to Compass for this epic project takeover. Check out the new features:

14.07.2025 14:51 — 👍 19    🔁 7    💬 1    📌 1
When Backups Open Backdoors: Accessing Sensitive Cloud Data via

Teammate Leonid discovered a leaked credential that allowed anyone unauthorized access to all Microsoft tenants of orgs that use Synology's "Active Backup for Microsoft 365" (ABM), including sensitive data like Teams channel messages. 🤓
#synology #disclosure #modzero
modzero.com/en/blog/when...

29.06.2025 08:01 — 👍 22    🔁 14    💬 1    📌 1
Introducing the BloodHound Query Library - SpecterOps The BloodHound Query Library is a community-driven collection of BloodHound Cypher available at https://queries.specterops.io

Introducing the BloodHound Query Library! 📚

@martinsohn.dk & @joeydreijer.bsky.social explore the new collection of Cypher queries designed to help BloodHound users to unlock the full potential of the BloodHound platform by creating an open query ecosystem. ghst.ly/4jTgRQQ

17.06.2025 19:14 — 👍 14    🔁 10    💬 0    📌 1

👀 We have also released a paper which really goes into the nitty-gritty for those who are interested 🕵️‍♀️:
www.redteam-pentesting.de/publications...

For those that only need a short overview, here's our advisory 🚨:
www.redteam-pentesting.de/advisories/r...

11.06.2025 08:04 — 👍 1    🔁 1    💬 0    📌 0
A Look in the Mirror - The Reflective Kerberos Relay Attack It is a sad truth in IT security that some vulnerabilities never quite want to die and time and time again, vulnerabilities that have long been fixed get revived and come right back at you. While rese...

🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live:

🪞The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:
blog.redteam-pentesting.de/2025/reflect...

11.06.2025 08:04 — 👍 7    🔁 3    💬 1    📌 2
NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073

Microsoft just released the patch for #CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Check out the details in the blog post by @yaumn.bsky.social and @wilfri3d.bsky.social.
www.synacktiv.com/publications...

11.06.2025 10:40 — 👍 7    🔁 5    💬 0    📌 1
Many CI/CD tools promise to keep your dependencies up to date - but if misconfigured, they can expose your organization. From token leaks to MR hijacks, Jan's latest blog post shows how bad configuration can turn a security tool into an attack vector. 🛠️💣

blog.compass-security.com/2025/05/reno...

27.05.2025 07:24 — 👍 6    🔁 3    💬 0    📌 0

MATCH p = (d:Computer)<-[:WriteDacl|Owns|GenericAll|GenericWrite|WriteOwner]-(n:Base)
WHERE d.`msds-delegatedmsastate` IS NOT NULL
AND (NOT "admin_tier_0" IN split(n.system_tags, " ") OR n.system_tags IS NULL)
RETURN p
LIMIT 1000

2/2

28.05.2025 12:09 — 👍 0    🔁 0    💬 0    📌 0

You can also use the following BloodHound query to search dMSA accounts which are controllable by non-tier 0 accounts. These could also escalate their privileges. This requires SharpHound's `--collectallproperties`. We added this to our BloodHound query collection: github.com/CompassSecur... 1/2

28.05.2025 12:09 — 👍 0    🔁 0    💬 1    📌 0
Understanding & Mitigating BadSuccessor - SpecterOps Understanding the impact of the BadSuccessor AD attack primitive and mitigating the abuse via targeted Deny ACEs on Organizational Units.

BadSuccessor is a new AD attack primitive that abuses dMSAs, allowing an attacker who can modify or create a dMSA to escalate privileges and take over the forest.

Check out @jimsycurity.adminsdholder.com's latest blog post to understand how you can mitigate risk. ghst.ly/4kXTLd9

27.05.2025 21:11 — 👍 16    🔁 9    💬 0    📌 1

⚠️ Note: BloodHound doesn't currently have all elements required for a full BadSuccessor audit, namely 'Create msDS-DelegatedManagedServiceAccount', 'Create all child objects', & dMSA nodes. For that, you should run Get-BadSuccessorOUPermissions.ps1 shared in Yuval's blog.

(8/9)

23.05.2025 18:11 — 👍 2    🔁 1    💬 1    📌 0

BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

21.05.2025 16:13 — 👍 1    🔁 1    💬 0    📌 0
In his latest blog post, Marc Tanner @brain-dump.org shows how to bypass BitLocker using BitPixie (CVE-2023-21563) and signed Microsoft components only. Check out the blog post for a PoC and a demo. #BitLocker #RedTeam

blog.compass-security.com/2025/05/bypa...

13.05.2025 12:38 — 👍 9    🔁 5    💬 0    📌 1
A Top-level Domain for Private Use This document describes the "internal" top-level domain for use in private applications.

There is an Internet-Draft that defines `.internal` as a TLD for private / internal use: datatracker.ietf.org/doc/html/dra... #network #rfc

13.05.2025 07:24 — 👍 1    🔁 0    💬 0    📌 0
r-tec Blog | Windows is and always will be a Potatoland This blog post will dive into the world of some of the recently published potato techniques that can lead to more serious risks than "just" local Privilege Escalation.

Nice summary about DCOM coercion / cross-session activation techniques that can be used for NTLM and even Kerberos relaying: www.r-tec.net/r-tec-blog-w... #security #pentest #activedirectory

11.05.2025 09:19 — 👍 0    🔁 0    💬 0    📌 0
mario meme with our guide on phone searches at the US border

travelling to the US soon?

link: www.wired.com/story/how-to...

09.05.2025 15:41 — 👍 2361    🔁 904    💬 51    📌 34
GitHub - KoKuToru/de-pixelate_gaV-O6NPWrI: de-pixelate youtube video gaV-O6NPWrI de-pixelate youtube video gaV-O6NPWrI. Contribute to KoKuToru/de-pixelate_gaV-O6NPWrI development by creating an account on GitHub.

"How to de-pixelate a video", including working code!

github.com/KoKuToru/de-...

07.05.2025 11:31 — 👍 9    🔁 3    💬 0    📌 0
Tired of sifting through Entra ID manually? EntraFalcon is a PowerShell tool that flags risky objects configs & privileged role assignments with ⚡ Scoring model 📊 HTML reports 🔒 No Graph API consent hassle. Get it now: blog.compass-security.com/2025/04/intr...
#EntraID #IAM

29.04.2025 11:08 — 👍 6    🔁 5    💬 0    📌 0
3 milliseconds to admin — Our analyst John Ostrowski turned a DLL hijacking into a reliable local privilege escalation on Windows 11. He chained opportunistic locks, and API hooking to win the race to CVE-2025-24076 & CVE-2025-24994. Read his blog post: blog.compass-security.com/2025/04/3-mi...

15.04.2025 09:00 — 👍 21    🔁 5    💬 0    📌 0
Another example of a Windows 0-day found with PrivescCheck. Congrats to Compass Security for investigating the issue and exploiting it. 👏

blog.compass-security.com/2025/04/3-mi...

15.04.2025 12:41 — 👍 15    🔁 6    💬 1    📌 0
YouTube video by Sense Post: WinRMS Relaying

The S is for Security. How to use WinRMS as a solid NTLM relay target, and why it’s less secure than WinRM over HTTP.

writeup: sensepost.com/blog/2025/is...

PR to impacket:
github.com/fortra/impac...

Demo: youtu.be/3mG2Ouu3Umk

14.04.2025 16:40 — 👍 11    🔁 10    💬 1    📌 0
Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31

08.04.2025 23:00 — 👍 27    🔁 20    💬 1    📌 2
YouTube video by Hack In The Box Security Conference: #HITB2024BKK #COMMSEC D1: My First and Last Shellcode Loader

My First and Last Shellcode Loader by Dobin Rutishauser

Talk: www.youtube.com/watch?v=SYM4...

Slides: conference.hitb.org/hitbsecconf2...

Code: github.com/dobin/SuperM...

01.04.2025 17:48 — 👍 1    🔁 1    💬 1    📌 0
Europe has to get out of the American #Clouds. This interview with @berthubert.bsky.social is meant to be a wake-up call. Elon & the US government want all the data for their #KI models, and European politicians' emails on Microsoft's servers would be the logical next step...
republik.ch/2025/03/31/d...

31.03.2025 06:47 — 👍 141    🔁 61    💬 6    📌 7