Sirfis
@sir-fis.bsky.social
Red teamer @mdsec, trying to be a little better at this every day he/him🇵🇸
Reposted by Sirfis
Cookie theft has evolved. 🍪

Over the last year, stealing cookies on Windows devices has changed significantly for Chromium browsers like Chrome and Edge. Andrew Gomez dives into these changes, how threat actors adapt, & new detection opportunities. ghst.ly/45S1ZgW
Dough No! Revisiting Cookie Theft - SpecterOps
Explore how cookie theft has evolved in Chromium browsers with the shift from DPAPI to App-Bound encryption. This post breaks down modern cookie stealing techniques via COM, remote debugging, and exte...
August 27, 2025 at 4:55 PM
Reposted by Sirfis
For anyone who was at DC4420 (@dc4420.bsky.social) on Tuesday, thanks for all the appreciation for my talk. Slides are available here:
github.com/N1ckDunn/SOS...
GitHub - N1ckDunn/SOSLInjection
Contribute to N1ckDunn/SOSLInjection development by creating an account on GitHub.
May 31, 2025 at 1:54 PM
Reposted by Sirfis
Microsoft has disabled the ICC Chief Prosecutor's email account.

But let’s keep all dependencies on US IT alive. What could possibly go wrong?
www.techzine.eu/news/privacy...
Microsoft's ICC blockade: digital dependence comes at a cost
In February, the United States imposed sanctions on the International Criminal Court (ICC) in The Hague. As a result, Chief Prosecutor Karim Khan has no
May 20, 2025 at 6:07 AM
Reposted by Sirfis
10/10 no notes, excellent blending in
April 18, 2025 at 2:36 PM
Reposted by Sirfis
Hello @miamiuniversity.bsky.social,

You should probably be aware that someone has compromised your organization and has attempted to notify you.

They wrote to your I.T. department, but it was ignored. You should (probably) fix it.
April 18, 2025 at 12:05 AM
Reposted by Sirfis
We've got a 0day exploit.

The 0day impacts an organization which provides managed services for Danone, SeaGate, Unity, Shopify, Paramount Pictures, HubSpot, Amazon, PWC, Yamaha, L'Oreal

The exploit was reported, but the vendor ignored it.

Chat, do we drop a 0day on a Friday?
April 18, 2025 at 12:42 AM
Reposted by Sirfis
Is DefCon conf org already making plans for a smaller venue?

A few more stories like this and I reckon not a single hacker from outside of the US wants to go to DefCon.
An Australian man with a US work visa was detained upon reentry, called a “retard” and told, “Trump is back in town; we’re doing things the way we should have always been doing them.”

He was held with 100 people including many Canadians.

Posters celebrating equity had DEI scribbled out in marker.
April 12, 2025 at 5:23 AM
Reposted by Sirfis
Think NTLM relay is a solved problem? Think again.

Relay attacks are more complicated than many people realize. Check out this deep dive from Elad Shamir on NTLM relay attacks & the new edges we recently added to BloodHound. ghst.ly/4lv3E31
April 8, 2025 at 11:00 PM
Reposted by Sirfis
Our red team is growing and we have a rare open position for a Principal RT Operator - if this sounds like you, get in touch 🙏
April 9, 2025 at 6:55 PM
Reposted by Sirfis
This must be the most informative graphic contained in the Microsoft docs
learn.microsoft.com/en-us/opensp...
March 18, 2025 at 12:55 PM
Reposted by Sirfis
Lengthy thread with lots covered, looking back and forward.

Raphael is right on many things, especially for the bad press he got from people just blatantly shouting things without knowing the actual facts and details.

But most important: Rafi, it's great to have your voice back in the community!
Dig through this timeline and you'll figure out what I'm here to do. I spoke to a commercial leader in the offensive security space last year. My words: you're fucking it up.

What I didn't say: I feel compelled, even though I DON'T want the bullshit, to try and fix it.

What does all of this mean?
March 15, 2025 at 12:30 PM
Reposted by Sirfis
I’m calling on all InfoSec Rockstars to join us in giving back to the community. Got a killer workshop idea? Reach out to me directly or swing by our website to submit your proposal. Let’s make waves together!

The countdown to BSidesABQ is on.
March 15, 2025 at 8:18 PM
Reposted by Sirfis
#SCCM forest discovery accounts can be decrypted—even those for untrusted forests. If the site server is a managed client, all creds can be decrypted via Administration Service API.

Check out our latest blog post from @unsignedsh0rt.bsky.social to learn more. ghst.ly/4buoISp
Decrypting the Forest From the Trees - SpecterOps
TL;DR: SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via ...
March 6, 2025 at 8:34 PM
Reposted by Sirfis
Recently came across a pretty neat technique to silently load (malicious) VS Code extensions using its bootstrapping and portability features. Thought it was interesting enough to warrant my first blog post in 4 years 🙃

Check it out 👇
casvancooten.com/posts/2025/0...
Abusing VS Code's Bootstrapping Functionality To Quietly Load Malicious Extensions
Wow, been a while since my last blog 😅. During some research I came across a technique variation which I felt was interesting enough to share in a brief blog post. It relates to how the bootstrapping ...
February 28, 2025 at 3:57 PM
Reposted by Sirfis
Virtual fortresses aren’t as invincible as they seem 🏰⚔️.

Read about the latest @outflank.bsky.social research on using Secure Enclaves in Windows for offensive ops — plus fresh insights for red teamers.

Check out Part 1 of our blog series here: www.outflank.nl/blog/2025/02...
Secure Enclaves for Offensive Operations (Part I) | Outflank | OST
Learn the anatomy of Virtualization-Based Security (VBS) enclaves, their internals, and the unique ways they could be leveraged for offensive operations on Windows systems.
February 5, 2025 at 7:35 AM
Reposted by Sirfis
SlackPirate sets sail again! 🏴‍☠️

In his latest blog post, Dan Mayer intros his new PR to SlackPirate that lets you loot Slack again out of the box, a BOF to get you all the data you need to do it, & how to bee the most active slacker in your group chat. 🐝 ghst.ly/4hgwMIt
SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack
TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a…
January 31, 2025 at 4:27 PM
Reposted by Sirfis
Part 2 of @hotnops.bsky.social's blog series on Entra Connect attacker tradecraft has dropped! 🙌 Check out this installment to learn more fundamentals of the Entra sync engine & how to interpret the sync rules. ghst.ly/3WqAQO4
Entra Connect Attacker Tradecraft: Part 2
Now that we know how to add credentials to an on-premises user, let's pose a question:
January 22, 2025 at 7:39 PM
Reposted by Sirfis
Speaking at SO-CON 2025 about SQL Server crypto! Excited for this one… first talk of 2025 🎉
January 17, 2025 at 6:26 PM
Reposted by Sirfis
In Part 1 of my Intune Attack Paths series, I discuss the fundamental components and mechanics of Intune that lead to the emergence of attack paths: posts.specterops.io/intune-attac...
Intune Attack Paths — Part 1
Intune is an attractive system for adversaries to target…
January 15, 2025 at 5:33 PM
Reposted by Sirfis
Achievement unlocked, my first blog with SpecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn’t want to leave sat on Notion. buff.ly/4j41VQU
ADFS — Living in the Legacy of DRS
It’s no secret that Microsoft have been trying to move customers away from ADFS for a while. Short of slapping a “deprecated” label on it…
January 7, 2025 at 2:33 PM
@xpnsec.com Sorry for the message but I'm trying to write my own objc loader. Got the selector mapping working but as soon as my dylib uses extra classes the refs break. Can you share any resources on it? Tried to add classes in classlist sect as subclasses but nada
December 22, 2024 at 7:38 PM
Xmas holiday is up; now I can finally relax by the fire and stresslax my way through my backlog of things to do so I am neither rested nor productive come Jan 🤗
December 20, 2024 at 6:52 PM
Reposted by Sirfis
Microsoft's Threat-Intelligence ETW provider now supports events to identify token impersonation attacks. I wrote a blog on these events and how Microsoft is surfacing them:
jsecurity101.medium.com/behind-the-m...
Behind the Mask: Unpacking Impersonation Events
Introduction
December 4, 2024 at 1:36 PM