
Posts by Nate Subra

Small PIC Energy. I have a challenge for you: How much beaconing agent functionality can you fit into 4KB PIC? How do you do it? This isn’t a shellcode golf challenge. It’s about elegant ways to build common agent s…

Small PIC Energy

aff-wg.org/2026/04/13/s...

11th release. JSON-over-HTTP API.

3 days ago

You don't need five nines. You don't even need three nines. Go outside.

1 week ago

"emerald-template is a CMake-based project template designed for developing and debugging Reflective DLL Loaders using the Crystal Palace linker."

"This allows for source-code level debugging of your loader logic from Windows (and theoretically Linux) systems"

github.com/0xTriboulet/...

4 months ago
GitHub - MorDavid/DonPwner: Advanced Domain Controller attack and credential analysis tool leveraging DonPAPI database

5 months ago
GitHub - pard0p/PICO-Implant

PICO-Implant is a Proof of Concept C2 implant built using Position-independent Code Objects (PICO) for modular functionality. This project demonstrates that it's possible to build a multi-stage and modular C2 implant made of PICOs.

github.com/pard0p/PICO-...

5 months ago
GitHub - pard0p/LibIPC

LibIPC is a simple Crystal Palace shared library for inter-process communication, based on Named Pipes.

github.com/pard0p/LibIPC

5 months ago
Exploiting Ghost SPNs and Kerberos Reflection for SMB Privilege Elevation: Understanding how attackers use Ghost Service Principal Names to initiate authentication reflection can help you avoid similar vulnerabilities.

Blog post about my recent CVE-2025-58726, aka “The Ghost Reflection”, is out; read it here:
semperis.com/blog/exploit...
🙃

5 months ago
GitHub - rasta-mouse/LibGate: A Crystal Palace shared library to resolve & perform syscalls

LibGate - a Crystal Palace shared library for resolving and performing syscalls github.com/rasta-mouse/...

5 months ago
[image: DEF CON 34 and 35 save-the-date calendar]

Good News, Everyone! We have the official dates for #DEFCON34! And to make up for the delay, we also have the dates for #DEFCON35!

Please join us at the Las Vegas Convention Center August 6-9 in 2026 and August 5-8 in 2027.

Save the dates, friends. It'll be here before you know it.

#defcon

5 months ago

NTLM relay research is evolving!

Join Nick Powers & @tw1sm.bsky.social TOMORROW as they share new methods to enumerate EPA enforcement across MSSQL, HTTP, & more—and intro RelayInformer, expanding attacker-perspective coverage for key protocols.

Grab your spot → ghst.ly/oct-web-bsky

5 months ago

And it's released! 🎉

github.com/ofasgard/exe...

I've tested it with Rubeus and Seatbelt and a variety of different arguments, and it seems to be pretty stable as far as I can tell. If anyone uses this PICO and encounters bugs or instability, please let me know!

6 months ago

1 little known secret of help.exe

www.hexacorn.com/blog/2025/10...

5 months ago

Pop a vendor website, replace their /.well-known/security.txt with your own rogue contact info, and wait for the bugs to roll in.

5 months ago
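The post above describes the obvious abuse: a compromised vendor site whose /.well-known/security.txt now points researchers at an attacker's mailbox. RFC 9116 gives a reporter a few things to look at before trusting that file, and the check below is an added example (not code from the post's author or any project): it parses a security.txt, confirms the required Contact and Expires fields, compares the Canonical URI against the URL the file was actually fetched from, flags a Contact whose domain is not the vendor's, and notes whether an OpenPGP cleartext signature is present at all. The sample files, the hostnames vendor.example and attacker-controlled.example, and the fixed EXAMPLE_NOW timestamp are constructed; the code only detects that a signature block exists, it does not verify it (that still needs the vendor's published key and a tool such as gpg --verify).

```python
"""Sanity-check an RFC 9116 security.txt before trusting its contact details.

Added example, not from the original post. Sample inputs and hostnames
are constructed; signature presence is detected, not cryptographically
verified.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed: what a swapped-in file might look like. The attacker left
# the vendor's Canonical/Policy lines alone but repointed Contact and
# (because they lack the vendor's key) could not sign it.
SAMPLE_TAMPERED = """\
Contact: mailto:security@attacker-controlled.example
Expires: 2030-01-01T00:00:00.000Z
Canonical: https://vendor.example/.well-known/security.txt
Policy: https://vendor.example/security-policy
"""

# Constructed: a signed file with a contact on the vendor's own domain.
SAMPLE_SIGNED = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Contact: mailto:security@vendor.example
Expires: 2030-01-01T00:00:00.000Z
Canonical: https://vendor.example/.well-known/security.txt
-----BEGIN PGP SIGNATURE-----
...
-----END PGP SIGNATURE-----
"""

# Fixed "now" so the example is reproducible (assumption for the demo).
EXAMPLE_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> tuple[dict[str, list[str]], bool]:
    """Return (field -> values, signature_block_present).

    Field names are case-insensitive and may repeat. The OpenPGP
    cleartext armor header (e.g. "Hash: SHA256") is skipped so it is not
    mistaken for a security.txt field, and parsing stops at the
    signature block.
    """
    fields: dict[str, list[str]] = {}
    signed = False
    in_armor_header = False
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            signed = True
            in_armor_header = True
            continue
        if in_armor_header:            # armor headers end at a blank line
            if line.strip() == "":
                in_armor_header = False
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name, sep, value = stripped.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, signed


def contact_matches_host(contact: str, host: str) -> bool:
    """True if a mailto:/https: Contact is on the serving host's domain.

    tel: and other schemes cannot be checked this way and are accepted.
    """
    if contact.lower().startswith("mailto:"):
        domain = contact.split("@", 1)[-1].lower()
    elif contact.lower().startswith(("https:", "http:")):
        domain = (urlparse(contact).hostname or "").lower()
    else:
        return True
    host = host.lower()
    return domain == host or host.endswith("." + domain) or domain.endswith("." + host)


def check_security_txt(text: str, served_from: str, now: datetime | None = None) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    now = now or datetime.now(timezone.utc)
    fields, signed = parse_security_txt(text)
    host = urlparse(served_from).hostname or ""
    findings: list[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("missing required Contact field")
    for contact in contacts:
        if not contact_matches_host(contact, host):
            findings.append(f"Contact {contact} is not on {host}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                findings.append("Expires is in the past")
        except ValueError:
            findings.append(f"Expires is not RFC 3339: {expires[0]}")

    canonical = fields.get("canonical", [])
    if canonical and served_from not in canonical:
        findings.append(f"served from {served_from} but Canonical lists {canonical}")

    if not signed:
        findings.append("no OpenPGP cleartext signature (cannot tie the file to the vendor's key)")
    return findings


def run_example() -> dict[str, list[str]]:
    served = "https://vendor.example/.well-known/security.txt"
    return {
        "tampered": check_security_txt(SAMPLE_TAMPERED, served, now=EXAMPLE_NOW),
        "signed": check_security_txt(SAMPLE_SIGNED, served, now=EXAMPLE_NOW),
    }


if __name__ == "__main__":
    for label, findings in run_example().items():
        print(label, findings or "ok")
```

On the tampered sample this reports the off-domain Contact and the missing signature; the signed sample passes. A passing result is only a screen, not proof: a file can be signed with any key, so the key fingerprint still has to be matched against one the vendor publishes out of band.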
Post-ex Weaponization: An Oral History (AFF-WG on Vimeo)

Why plant a Tradecraft Garden?

In April 2025, I talked to my camera about how tradecraft may go the route we saw vuln research go years ago, red teaming's retreat to self-protective secrecy, and the opportunity I see for a public tradecraft ecosystem. This starts @ 1:16:00

vimeo.com/1074106659#t...

6 months ago

MacroPack v2.8.7 is out!
New GUI & updated EDR evasion! New features include Advanced LNK spoofing, expanded .NET obfuscation, and ML-evasion.
For authorized red-team use!

#RedTeam #offensivesecurity

6 months ago

Working on a fun Crystal Palace loader that hooks APIs and pushes them through a call stack spoofing PICO.

6 months ago

RunDll Exporters

www.hexacorn.com/blog/2025/09...

6 months ago
More Fun With WMI - SpecterOps

Win32_Process has been the go to WMI class for remote command execution for years.

Steven Flores explores a new WMI class that functions like Win32_Process and offers further capability. Read more: ghst.ly/4gyPbkr

6 months ago

This report from @interseclab.bsky.social on how a Chinese company is exporting some of the capabilities of "The Great Wall of China" to other autocratic countries is INSANELY INTERESTING:

interseclab.org/wp-content/u...

*EVERY Page is worth reading*

Some interesting tidbits in the thread

7 months ago

DLL ForwardSideloading

www.hexacorn.com/blog/2025/08...

using forwarded DLL functions for sideloading purposes

7 months ago

DLL ForwardSideloading, Part 2

www.hexacorn.com/blog/2025/09...

7 months ago
Juicing ntds.dit Files to the Last Drop - SpecterOps: Discover the latest enhancements to the DSInternals PowerShell module, including the Golden dMSA Attack and support for LAPS, trust passwords, or BitLocker recovery keys.

The DSInternals PowerShell module just got an upgrade! 🔥

Updates include:
✅ Golden dMSA Attack
✅ Full LAPS support
✅ Trust password & BitLocker recovery key extraction
✅ Read-only domain controller database compatibility

Read more from Michael Grafnetter: ghst.ly/412rZ7F

8 months ago
Certify 2.0 - SpecterOps: Certify 2.0 features a suite of new capabilities and usability enhancements. This blog post introduces the changes and feature additions.

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️

Valdemar Carøe drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements. ghst.ly/45IrBxI

8 months ago
(image-only post)

8 months ago

BloodHound 8.0 is here.

A big leap forward in identity security prevention.

Now we’re able to model attack paths across the entire modern enterprise stack.

Our folks will be at #BlackHat next week to show off a few examples. Check it out:

8 months ago

We’re trying something new.

www.preludesecurity.com/runtime-memo...

8 months ago

[BLOG]
Integrating Tradecraft Garden PIC loaders into Cobalt Strike
rastamouse.me/harvesting-t...

10 months ago
Stealth Syscall Execution: Bypassing ETW, Sysmon, and EDR Detection. "Stealth syscalls: Because life's too short to argue with an angry EDR!" Discover how Stealth Syscall Execution bypasses ETW, Sysmon, and EDR detection. Learn advanced stealth techniques for red teami…

10 months ago
Boflink: A Linker For Beacon Object Files. Intro: This is a blog post written for a project I recently released. The source code for it can be found here on Github. Background: The design of Cobalt Strike’s Beacon Object Files is rather unique w…

10 months ago