Dave Cossa
@G0ldenGunSec
Adversary Simulation @xforce/ Frequent reader of the first page of Google results / Occasional reader of the second page of Google results
Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can it be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…
Recently, Microsoft changed the way the Entra Connect Sync agent authenticates to Entra ID. Check out our latest blog post from @hotnops to learn how the agent works now & how these changes affect attacker tradecraft. ghst.ly/3ZpMc6y
Had some time and decided to take a shot at Fabian’s RAITrigger project. After a look into the RPC internals, I put together a super lightweight C# version (no NtApiDotNet), plus a C++ and BOF version. Enjoy! github.com/klezVirus/RAIW…
Bypassing AMSI with your own custom COM interfaces inside CLR process - an excellent piece by Joshua Magri (@passthehashbrwn). The custom implementation allows to allocate and load assemblies from memory and invoke Load_2() method instead of typical call to Load_3(). This…
Uploaded mprecon, a tiny script I made while learning SCCM. It pulls info from MP server like DP locations, site version, build number, SMSID, and device's primary user etc. No special privileges are required. Sometimes works without authentication🤯 github.com/temp43487580/m…
I recently interviewed with Politico on the risks and benefits of the offensive use of AI. “This isn’t just malicious threat actors using it,” ... “There’s also the security research community that is leveraging this work to do their jobs better and faster as well. So it’s kind…
The Blog post about "Revisiting Cross Session Activation attacks" is now also public. Lateral Movement with code execution in the context of an active session? 😎 Here you go: r-tec.net/r-tec-blog-rev…
New video out 😊 showing how you can take control of port 445 and perform those magical relay attacks toward AD CS when working from a C2 agent. Way easier than before thanks to some great research by @zyn3rgy youtube.com/watch?v=e4f3h5…
I wrote a blogpost about Android on-device fuzzing -> Reproducing a million-dollar bug: WhatsApp CVE-2019-11932 (with AFL & Frida) ibm.com/think/x-force/…
Last week we added ELEVATE-4 github.com/subat0mik/Misc… to Misconfiguration Manager. tl;dr If SCCM uses AD CS for PKI, client auth certs are "borrowed" by clients during OSD. This will typically be a distribution point but could be the site server in all-in-one deployments...
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
New video out, looking at freshly released Nemesis 2.0 by non other then @harmj0y and @tifkin_ 🥵No doubt this is going to bring next-level efficiency and offload one of the most tedious manual workloads an operator can face! youtu.be/5P9N1OQTUqM
This is my research project in creating read, write and allocate primitives that can be turned into an injection in order to evade certain telemetry which I presented last year in RedTreat. I hope everyone likes it \m/. trickster0.github.io/posts/Primitiv…
You can find my slide deck for @TheOffensiveX on GitHub. I also included a minimalist extension that you can build on and will load in any of the VSCode forks on any platform 👨💻⚔️
New research just dropped I'll be presenting at @WEareTROOPERS next week - Attacking ML Training Infrastructure 💥 Model poisoning for code execution ⚠️ Abusing ML workflows ⚙️ MLOKit updates and new threat hunting rules ibm.com/think/x-force/…
Microsoft just released the patch for CVE-2025-33073, a critical vulnerability allowing a standard user to remotely compromise any machine with SMB signing not enforced! Checkout the details in the blogpost by @yaumn_ and @wil_fri3d. synacktiv.com/publications/n…
🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live: 🪞 The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos: blog.redteam-pentesting.de/2025/reflectiv…
CVE-2025-47956 - Windows Security App Spoofing Vulnerability msrc.microsoft.com/update-guide/v…
I'm super happy to announce an operationally weaponized version of @YuG0rd's BadSuccessor in .NET format! With a minimum of "CreateChild" privileges over any OU it allows for automatic escalation to Domain Admin (DA). Enjoy your inline .NET execution! github.com/logangoins/Sha…
🚀 We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability It allows compromising any user in AD, it works with the default config, and.. Microsoft currently won't fix it 🤷♂️ Read Here - akamai.com/blog/security-…