Research & Tradecraft
TL;DR WebClient is a common targeted service for NTLM relay attacks. In this post we will...
By: Steven Flores
Aug 19, 2025 • 31 min read
Research & Tradecraft
Juicing ntds.dit Files to the Last Drop
TL;DR Several new Active Directory offline attack capabilities have recently been added to the DSInternals PowerShell module....
By: Michael Grafnetter
Aug 14, 2025 • 11 min read
Research & Tradecraft
Going for Broke(ring) – Offensive Walkthrough for Nested App Authentication
TL;DR: Microsoft uses nested app authentication (NAA) for many applications. Access and refresh tokens for select...
By: Hope Walker
Aug 13, 2025 • 19 min read
Research & Tradecraft
HKLM\SYSTEM\Setup\sMarTdEpLoY – The (Static) Keys to Abusing PDQ SmartDeploy
TL;DR: Prior to version 3.0.2046, PDQ SmartDeploy used static, hardcoded, and universal encryption keys for secure...
By: Garrett Foster
Aug 12, 2025 • 10 min read
Research & Tradecraft
TL;DR Due to modern advances in the AD CS attack landscape, an update to Certify was...
By: Valdemar Carøe
Aug 11, 2025 • 16 min read
Research & Tradecraft
TL;DR We took a chainsaw to Nemesis 1.0, kept the parts that operators loved (i.e., automated...
By: Will Schroeder
Aug 5, 2025 • 7 min read
Research & Tradecraft
What’s Your Secret?: Secret Scanning by DeepPass2
TL;DR DeepPass2 is a secret scanning tool that combines regex rules, a fine-tuned BERT model, and...
By: Neeraj Gupta
Jul 31, 2025 • 14 min read
Research & Tradecraft
Entra Connect Attacker Tradecraft: Part 3
TL;DR Attackers can exploit Entra Connect sync accounts to hijack device userCertificate properties, enabling device impersonation...
By: Daniel Heinsen
Jul 30, 2025 • 16 min read
Research & Tradecraft
Make Sure to Use SOAP(y) – An Operator's Guide to Stealthy AD Collection Using ADWS
Learn how to perform stealthy recon of Active Directory environments over ADWS for Red Team Assessments