Nate Subra
@natesubra.com

Adversary Simulation, Red Team Lead, Security Research @ LFI. Posts are my own. He/Him. #redteam #offsec #malware #cybersecurity https://secdsm.org I use my real name. The trick is figuring out my handles. @natesubra@infosec.exchange

220 Followers, 765 Following, 18 Posts, joined 27.12.2023

Latest posts by Nate Subra @natesubra.com

"emerald-template is a CMake-based project template designed for developing and debugging Reflective DLL Loaders using the Crystal Palace linker."

"This allows for source-code level debugging of your loader logic from Windows (and theoretically Linux) systems"

github.com/0xTriboulet/...

10.12.2025 12:12 👍 5 🔁 1 💬 0 📌 0

GitHub - MorDavid/DonPwner: Advanced Domain Controller attack and credential analysis tool leveraging DonPAPI database

08.11.2025 16:39 👍 2 🔁 1 💬 0 📌 0

GitHub - pard0p/PICO-Implant: PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality.

PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible to build a multi-stage and modular C2 implant made of PICOs.

github.com/pard0p/PICO-...

07.11.2025 16:10 👍 5 🔁 3 💬 0 📌 1

GitHub - pard0p/LibIPC: LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.

LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.

github.com/pard0p/LibIPC

02.11.2025 11:29 👍 5 🔁 4 💬 1 📌 0
Exploiting Ghost SPNs and Kerberos Reflection for SMB Privilege Elevation Understanding how attackers use Ghost Service Principal Names to initiate authentication reflection can help you avoid similar vulnerabilities.

Blog post about my recent CVE-2025-58726, aka “The Ghost Reflection”, is out; read it here:
semperis.com/blog/exploit...
🙃

29.10.2025 17:19 👍 5 🔁 3 💬 0 📌 0

GitHub - rasta-mouse/LibGate: A Crystal Palace shared library to resolve & perform syscalls

LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...

29.10.2025 17:15 👍 12 🔁 2 💬 1 📌 0

def con 34 and 35 save the date calendar image

Good News, Everyone! We have the official dates for #DEFCON34! And to make up for the delay, we also have the dates for #DEFCON35!

Please join us at the Las Vegas Convention Center August 6-9 in 2026 and August 5-8 in 2027.

Save the dates, friends. It'll be here before you know it.

#defcon

29.10.2025 18:49 👍 36 🔁 17 💬 2 📌 3

NTLM relay research is evolving!

Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.

Grab your spot → ghst.ly/oct-web-bsky

29.10.2025 22:25 👍 8 🔁 4 💬 0 📌 0

And it's released! 🎉

github.com/ofasgard/exe...

I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!

16.10.2025 16:13 👍 5 🔁 3 💬 0 📌 0

1 little known secret of help.exe

www.hexacorn.com/blog/2025/10...

19.10.2025 01:13 👍 5 🔁 2 💬 0 📌 0

Pop a vendor website, replace their /.well-known/security.txt with your own rogue contact info, and wait for the bugs to roll in.

20.10.2025 19:41 👍 7 🔁 1 💬 0 📌 0

Post-ex Weaponization: An Oral History (video by AFF-WG on Vimeo)

Why plant a Tradecraft Garden?

In April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...

14.10.2025 16:57 👍 10 🔁 5 💬 0 📌 0

MacroPack v2.8.7 is out!
New GUI & updated EDR evasion! New features include Advanced LNK spoofing, expanded .NET obfuscation, and ML-evasion.
For authorized red-team use!

#RedTeam #offensivesecurity

14.10.2025 16:10 👍 3 🔁 2 💬 0 📌 0

Working on a fun Crystal Palace loader that hooks APIs and pushes them through a call stack spoofing PICO.

04.10.2025 19:59 👍 8 🔁 2 💬 1 📌 0

RunDll Exporters

www.hexacorn.com/blog/2025/09...

19.09.2025 23:14 👍 8 🔁 2 💬 1 📌 0

More Fun With WMI - SpecterOps. TL;DR: Win32_Process has been the go-to WMI class for remote command execution for years. In this post we will cover a new WMI class that functions like Win32_Process and offers further capability.

Win32_Process has been the go-to WMI class for remote command execution for years.

Steven Flores explores a new WMI class that functions like Win32_Process and offers further capability. Read more: ghst.ly/4gyPbkr

18.09.2025 16:36 👍 6 🔁 2 💬 0 📌 0

This report from @interseclab.bsky.social on how a Chinese company is exporting some of the capabilities of "The Great Wall of China" to other autocratic countries is INSANELY INTERESTING:

interseclab.org/wp-content/u...

*EVERY Page is worth reading*

Some interesting tidbits in the thread

14.09.2025 18:15 👍 3 🔁 1 💬 1 📌 0

DLL ForwardSideloading

www.hexacorn.com/blog/2025/08...

Using forwarded DLL functions for sideloading purposes.

19.08.2025 22:32 👍 11 🔁 5 💬 1 📌 0

DLL ForwardSideloading, Part 2

www.hexacorn.com/blog/2025/09...

03.09.2025 23:36 👍 9 🔁 2 💬 1 📌 0
Juicing ntds.dit Files to the Last Drop - SpecterOps Discover the latest enhancements to the DSInternals PowerShell module, including the Golden dMSA Attack and support for LAPS, trust passwords, or BitLocker recovery keys.

The DSInternals PowerShell module just got an upgrade! 🔥

Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility

Read more from Michael Grafnetter: ghst.ly/412rZ7F

14.08.2025 17:21 👍 5 🔁 4 💬 0 📌 0
Certify 2.0 - SpecterOps Certify 2.0 features a suite of new capabilities and usability enhancements. This blogpost introduces changes and features additions.

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️

Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI

11.08.2025 20:38 👍 11 🔁 8 💬 0 📌 0

08.08.2025 02:15 👍 1 🔁 0 💬 0 📌 0

BloodHound 8.0 is here.

A big leap forward in identity security prevention.

Now we’re able to model attack paths across the entire modern enterprise stack.

Our folks will be at #BlackHat next week to show off a few examples. Check it out:

29.07.2025 17:23 👍 9 🔁 1 💬 0 📌 0

We’re trying something new.

www.preludesecurity.com/runtime-memo...

31.07.2025 10:59 👍 4 🔁 1 💬 0 📌 0

[BLOG]
Integrating Tradecraft Garden PIC loaders into Cobalt Strike
rastamouse.me/harvesting-t...

08.06.2025 01:43 👍 9 🔁 5 💬 0 📌 1
Stealth Syscall Execution: Bypassing ETW, Sysmon, and EDR Detection "Stealth syscalls: Because life's too short to argue with an angry EDR!" Discover how Stealth Syscall Execution bypasses ETW, Sysmon, and EDR detection. Learn advanced stealth techniques for red teami...
31.05.2025 10:52 👍 6 🔁 2 💬 0 📌 0
Boflink: A Linker For Beacon Object Files Intro This is a blog post written for a project I recently released. The source code for it can be found here on Github. Background The design of Cobalt Strike’s Beacon Object Files is rather unique w...
31.05.2025 16:48 👍 1 🔁 1 💬 0 📌 0

Voice clones are easy.
Be suspicious even if a call appears to be from someone you know.
Also…Don’t set up voice authentication for banking.

30.05.2025 15:52 👍 34 🔁 13 💬 0 📌 0
Update on May 29 Outage Read SentinelOne's update on the May 29, 2025 outage here.

SentinelOne experienced hours-long outages today.

"Customer endpoints are still protected at this time, but managed response services will not have visibility," per blog post.

"Our initial RCA suggests this is not a security incident."

www.sentinelone.com/blog/update-...

29.05.2025 18:49 👍 3 🔁 1 💬 0 📌 0