blog category
Research & Tradecraft

Research & Tradecraft
The Renaissance of NTLM Relay Attacks: Everything You Need to Know
NTLM relay attacks have been around for a long time. While many security practitioners think NTLM relay is a solved problem, or at least a not-so-severe one, it...
By: Elad Shamir
Apr 8, 2025 • 40 min read
Research & Tradecraft
Dough No! Revisiting Cookie Theft
TL;DR Chromium-based browsers have shifted from using the user’s Data Protection API (DPAPI) master key...
By: Andrew Gomez
Aug 27, 2025 • 15 min read
Research & Tradecraft
Operating Outside the Box: NTLM Relaying Low-Privilege HTTP Auth to LDAP
TL;DR When operating out of a ceded access or phishing payload with no credential material, you...
By: Logan Goins
Aug 22, 2025 • 13 min read
Research & Tradecraft
Transforming Red Team Ops with Mythic’s Hidden Gems: Browser Scripting
TL;DR Mythic’s browser scripting provides tons of flexibility that operators can tailor to their unique needs...
By: Alexander K. DeMine
Aug 21, 2025 • 30 min read
Research & Tradecraft
ARM-ed and Dangerous: Dylib Injection on macOS
Modern Dylib Injection Techniques for AArch64 macOS TL;DR This post details how I extended the Mythic...
By: West Shepherd
Aug 21, 2025 • 24 min read
Research & Tradecraft
TL;DR WebClient is a commonly targeted service for NTLM relay attacks. In this post we will...
By: Steven Flores
Aug 19, 2025 • 31 min read
Research & Tradecraft
Juicing ntds.dit Files to the Last Drop
TL;DR Several new Active Directory offline attack capabilities have recently been added to the DSInternals PowerShell module....
By: Michael Grafnetter
Aug 14, 2025 • 11 min read
Research & Tradecraft
Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication
TL;DR: Microsoft uses nested app authentication (NAA) for many applications. Access and refresh tokens for select...
By: Hope Walker
Aug 13, 2025 • 19 min read
Research & Tradecraft
HKLM\SYSTEM\Setup\sMarTdEpLoY – The (Static) Keys to Abusing PDQ SmartDeploy
TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure...
By: Garrett Foster
Aug 12, 2025 • 10 min read
Research & Tradecraft
TL;DR Due to modern advances in the AD CS attack landscape, an update to Certify was...