Michael Schneider
@0x6d69636b.bsky.social
infosec, working at scip AG, #RedTeam, classic car rally driver for teampaddymurphy.ie
Reposted by Michael Schneider
There are some really big caveats to this. A thread.
New: Google says it has discovered at least 5 malware families that use AI to rewrite their code and generate new capabilities on the fly, suggesting AI-powered malware is finally starting to take off. cloud.google.com/blog/topics/...

Report also has interesting stories about state actors' AI use.
November 5, 2025 at 3:52 PM
Reposted by Michael Schneider
My colleague @rame has written a Burp extension that analyses HTTP header configurations. He introduces the extension in a blog post: https://www.scip.ch/en/?labs.20250911
How to develop extensions for Burp Suite
Burp Suite can be expanded with Bambdas, BChecks and extensions and adapted to your own needs. Java and Kotlin are currently the most suitable languages for developing extensions for Burp Suite. Python is also possible, but only with the legacy Extender API.
www.scip.ch
September 11, 2025 at 7:02 AM
Reposted by Michael Schneider
Paddy wins the AvD-Histo-Tour 2025

After two second places and a third place, Paddy won the AvD-Histo-Tour 2025 in the Sanduhr category! He raced at the legendary Nordschleife, the Nürburgring Grand Prix Sprint race track, Circuit de Spa-Francorchamps, and Circuit Zolder. Good things come to […]
Original post on infosec.exchange
infosec.exchange
August 11, 2025 at 6:19 AM
Reposted by Michael Schneider
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates.

Also includes ESC1 over Intune (in some cases).
dirkjanm.io/extending-ad...

Oh, and a new tool for SCEP: github.com/dirkjanm/sce...
Extending AD CS attack surface to the cloud with Intune certificates
Active Directory Certificate Services (AD CS) attack surface is pretty well explored in Active Directory itself, with *checks notes* already 16 “ESC” attacks being publicly described. Hybrid attack pa...
dirkjanm.io
July 30, 2025 at 3:46 PM
This is an article by my team colleague @m8r1us.bsky.social
C2 Architecture - Pull the Strings, Run the Show
An article that describes the key components of Command and Control (C2), highlights potential detection vectors, and outlines high-level strategies for designing resilient and stealthy C2 infrastructure, by @m8r1us
https://www.scip.ch/en/?labs.20250612
Key Principles for a Command and Control (C2) Infrastructure
C2 operational safety is essential. Use redirectors to hide C2 or use stealthy traffic channels. Non-C2 traffic should be blocked as early as possible. Use encrypted shellcode when designing a loader.
www.scip.ch
June 12, 2025 at 5:42 AM
Reposted by Michael Schneider
HardeningKitty updates:
* Support for Intune is a work in progress. I have implemented the first checks and updated a lot of findings
* Added CIS Benchmark lists for Windows 11 and Windows Server 2025
* The Windows 11 24H4 CIS list is the first to include Intune recommendations (though not yet […]
Original post on infosec.exchange
infosec.exchange
June 1, 2025 at 6:59 AM
Reposted by Michael Schneider
Only 2.4% of all CVEs have a CVSSv4 score, and half of those are from one company

Another failed standard?

www.linkedin.com/feed/update/...
May 22, 2025 at 11:22 AM
Reposted by Michael Schneider
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectsid ENDS WITH '-516' WITH COLLECT(c1.name) AS dcs MATCH (c2:Computer) WHERE c2.enabled = true AND (c2.operatingsystem CONTAINS '2025') AND (c2.name IN dcs) RETURN c2.name

If this query hits, you're DA: www.akamai.com/blog/securit...
www.akamai.com
May 21, 2025 at 6:14 PM
Reposted by Michael Schneider
In his latest blog post, Marc Tanner @brain-dump.org shows how to bypass BitLocker using BitPixie (CVE-2023-21563) and signed Microsoft components only. Check out the blog post for a PoC and a demo. #BitLocker #RedTeam

blog.compass-security.com/2025/05/bypa...
May 13, 2025 at 12:38 PM
Reposted by Michael Schneider
Last weekend, Paddy was at the ACS Auto-Renntage 2025 in Frauenfeld: https://teampaddymurphy.ie/index.php?id=2025050101 #volvo1800e #RaceDay #racing
Team Paddy Murphy
teampaddymurphy.ie
May 1, 2025 at 9:49 AM
Reposted by Michael Schneider
Normally you can't auth to Entra ID connected webapps with bearer tokens. But if Teams can open SharePoint/OneDrive with an access token, I guess so can we. roadtx now supports opening SharePoint with access tokens in the embedded browser 😀
February 18, 2025 at 1:12 PM
Reposted by Michael Schneider
You need to run Rubeus, Seatbelt, or other .NET tool on an EDR protected machine?
Well, with the new version, MacroPack Pro is now also a powerful assembly obfuscation/weaponization tool! 😎

We wrote a tutorial about that here:
blog.balliskit.com/obfuscation-...
Obfuscation and weaponization of .NET assemblies using MacroPack
For a couple of years now, .NET has been the go-to language for a lot of famous offensive security tools like Rubeus, SeatBelt…
blog.balliskit.com
February 17, 2025 at 4:32 PM
From the fediverse...
My team colleague @rame found the CVE-2024-8001 vulnerability in VIWIS LMS 9.11. Congrats! 🥳 https://vuldb.com/?id.284352
December 3, 2024 at 1:09 PM
Reposted by Michael Schneider
Swiss news talked all day long about a vulnerability in Kanton Aargau's tax software Easytax today: "No malicious activity was detected in an immediate post-mortem analysis" or "no data was accessed by an attacker at any point in time". One could conclude that this sounds quite alarming, right? (1/2)
November 29, 2024 at 7:52 PM
Reposted by Michael Schneider
New platform, who dis? It me, and @johnnyspandex.bsky.social dropping some VPN client exploit freshness! 🌮🔒

Today, we're releasing NachoVPN, our VPN client exploitation tool, as presented at SANS HackFest Hollywood. Get it on the @amberwolfsec.bsky.social blog:

blog.amberwolf.com/blog/2024/no...
Introducing NachoVPN: One VPN Server to Pwn Them All
AmberWolf Security Research Blog
blog.amberwolf.com
November 26, 2024 at 10:47 AM
Reposted by Michael Schneider
Excited to share a tool I've been working on - ShadowHound.
ShadowHound is a PowerShell alternative to SharpHound for Active Directory enumeration, using native PowerShell or ADModule (ADWS). As a bonus I also talk about some MDI detections and how to avoid them.

blog.fndsec.net/2024/11/25/s...
November 25, 2024 at 12:25 PM
Reposted by Michael Schneider
RIP "Within this assessment, the red team (also referred to as ‘the team’) gained initial access through a web shell left from a third party’s previous security assessment."

www.cisa.gov/news-events/...
Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization | CISA
www.cisa.gov
November 21, 2024 at 5:10 PM
Reposted by Michael Schneider
🥲
November 21, 2024 at 1:47 PM
Reposted by Michael Schneider
Owning your own DNS and web and - gasp - even email - is a huge responsibility and more than ever a proving ground of learning how the world works. I encounter so many without this foundation and it costs them dearly. But it is a risk I can't recommend blindly.
November 19, 2024 at 9:06 PM
My Mastodon profile is now available on BlueSky: bsky.app/profile/misc...

Please follow that profile, I will mostly post there and do not cross post to keep your timeline clean ;-)
bsky.app
November 14, 2024 at 7:48 AM
I want “red teaming”, why terminology matters and why not every client needs a red team assessment. My new article shows how we at scip AG define red teaming and our different approaches depending on an organisation's defence maturity level: www.scip.ch/en/?labs.202...
www.scip.ch
November 14, 2024 at 6:01 AM
I wrote a new article about an "unpopular" topic: Reporting and Documentation - Unpopular and yet so important
www.scip.ch/en/?labs.202...
February 8, 2024 at 4:09 PM