An Evening with Claude (Code) - SpecterOps
This blog post explores a bug (CVE-2025-64755) I found while trying to find a command execution primitive within Claude Code to demonstrate the risks of web-hosted MCP to a client.
AI tooling and MCP servers are entering enterprises fast, often faster than security teams can assess the risks.
During a recent engagement, @xpnsec.com found a new Claude Code vuln (CVE-2025-64755) while exploring MCP abuse paths.
Read the details: ghst.ly/49ybl4W
21.11.2025 16:33
Catching Credential Guard Off Guard - SpecterOps
Uncovering the protection mechanisms provided by modern Windows security features and identifying new methods for credential dumping.
Credential Guard was supposed to end credential dumping. It didn't.
Valdemar Carøe just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled.
Read for more: ghst.ly/4qtl2rm
23.10.2025 17:45
GitHub - SpecterOps/Nemesis: An offensive data enrichment pipeline
An offensive data enrichment pipeline. Contribute to SpecterOps/Nemesis development by creating an account on GitHub.
Happy Friday! @tifkin.bsky.social and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/N...
28.06.2025 04:14
So, here's a little thread on my new open source project:
The Tradecraft Garden.
tradecraftgarden.org
It's Crystal Palace, an open-source linker and linker script specialized to writing PIC DLL loaders.
And, a corpora of DLL loaders demonstrating design patterns building tradecraft with it.
05.06.2025 14:36
Post-ex Weaponization: An Oral History
aff-wg.org/2025/04/10/p...
A walk-through of some history on post-ex eco-systems used by CS (PowerShell, Reflective DLLs, .NET, and BOFs).
Ends with a coffee conversation talking about magician's guilds, security research, and ideas about what's next.
10.04.2025 14:24
I attended last week's Pall Mall Process conference in Paris.
I wanted to dump a few notes, writing from my perspective as a security researcher, hacker, former entrepreneur, and creator of a well-known C2 platform (one that, importantly, I'm no longer involved with).
07.04.2025 22:21
BIG NEWS: SpecterOps raises $75M Series B to strengthen identity security! Led by Insight Partners with Ansa Capital, M12, Ballistic Ventures, Decibel, and Cisco Investments. ghst.ly/seriesb
#IdentitySecurity #CyberSecurity
(1/6)
05.03.2025 17:33
Not sexy things, but they make my day-to-day usage much better. I've seen many people bemoan Ghidra's interface. My experience with ANY tool is that things don't change unless the problem is reported to the devs. So reach out and lay out your concerns - they'll respond!
07.02.2025 21:00
Ghidra 11.3 is out! There are some awesome new features, but I want to highlight how responsive the dev team is to questions, issues, and feature suggestions. They've addressed several issues I've opened, notably a bunch of quality-of-life UI/UX things I've had while using Ghidra.
07.02.2025 21:00
@tiraniddo.dev Did you by chance check if the MUP redirector supports port specification in UNC paths?
31.01.2025 18:18
SlackPirate Set Sails Again! Or: How to Send the Entire "Bee Movie" Script to Your Friends in Slack
TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a…
SlackPirate sets sail again! 🏴‍☠️
In his latest blog post, Dan Mayer intros his new PR to SlackPirate that lets you loot Slack again out of the box, a BOF to get you all the data you need to do it, & how to bee the most active slacker in your group chat. ghst.ly/4hgwMIt
31.01.2025 16:27
Misconfiguration Manager: Detection Updates
TL;DR: The Misconfiguration Manager DETECT section has been updated with relevant guidance to help defensive operators identify the most…
The Misconfiguration Manager DETECT section has been updated with fresh guidance to help defensive operators spot the most prolific attack techniques.
Check out the blog post from @bouj33boy.bsky.social to learn more. ghst.ly/3VJ5y4F
16.12.2024 16:08
Want to run roadrecon, but a device compliance policy is getting in your way? You can use the Intune Company Portal client ID, which is a hardcoded and undocumented exclusion in CA for device compliance. It has user_impersonation rights on the AAD Graph.
12.12.2024 16:00
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Windows & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
25.11.2024 17:31
Defining the Undefined: What is Tier Zero, Part 4
On Demand
If you missed Part 4 in our What is Tier Zero webinar series hosted by Jonas Bülow Knudsen, @martinsohn.dk & @tifkin.bsky.social last week, you can watch the full presentation on demand now!
ghst.ly/4eSssxL
19.11.2024 21:51
Rashomon of disclosure
In a world of changing technology, there are few constants - but if there is one constant in security, it is the rhythmic flare-up of discu...
Tech companies could break backwards compat, move off legacy tech stacks, or move to secure defaults, but choose not to at the risk of affecting profits. Instead they move the risk to their downstream software consumers (businesses), who pay for it in breaches.
See addxorrol.blogspot.com/2019/08/rash...
15.11.2024 20:22
On a similar vein of your original post, a hill I'll die on:
The majority of breaches are due to tech providers' lack of prioritizing security, and not due to an average company's IT "not securing" their network.
15.11.2024 20:18
So long and thanks for the CVEs!
12.11.2024 22:41
Tomorrow, 10am, BinaryFormatter dies.
12.11.2024 04:19
Exploiting KsecDD through Server Silos – SCRT Team Blog
New blog post! "Exploiting KsecDD through Server Silos"
In my latest mini research project, I've been working with my teammate @PMa1n (X) on extending the work of @floesen_ (X) on the KsecDD driver. I'm thrilled to finally share the results.
blog.scrt.ch/2024/11/11/e...
11.11.2024 13:40