Yeeb
@Yeeb_
Penetration tester, red teamer and capture the flag player with incident response experience.
New research is wrapping up. Spoilers: Microsoft Teams External Access is enabled in 973,328 out of 1,323,512 domains tested. A whopping 73% of organizations never changed the default setting in Teams which allows anyone to spy on user availability, OOO, and allows messaging.
If you're lazy like me and you use Linux for testing, the last thing you want is to spin up your Windows VM to compile some Windows tooling. 😩 DockPiler lets you cross-compile Windows binaries right from Linux using Docker. github.com/ar0x4/DockPiler
📢macOS LAPS in Intune is now available! 🥳 Securely provision a local administrator account during setup assistant for devices going through Automated Device Enrollment and configure the first account as a standard user or an admin. See learn.microsoft.com/intune/intune-… for more info.
I'm always watching what @mrd0x is publishing because he is the only malware-related security researcher finding new initial access techniques. He's the LeBron James on finding weird social engineering malware delivery techniques. Bro is up to some funny business
👑 Our researcher has discovered LPE in VMWare Tools (CVE-2025-22230 & CVE-2025-22247) via VGAuth! Write-up by the one who broke it: Sergey Bliznyuk (@justbronzebee) swarm.ptsecurity.com/the-guest-who-…
Hi, I just released this python-version of @CICADA8Research's nice RemoteKrbRelay-tool. It is based on @_dirkjan's KrbRelayx and @sploutchy's potato.py and rpcrelayserver.py. Please check it out: github.com/OleFredrik1/re…
These labs are pretty unique, hope you enjoy them :)
Since you pull the strings around here… 🫵 Put your red team to the test with TWO new Professional Lab scenarios, freshly migrated from Vulnlab! Simulate internal engagements in realistic enterprise #AD environments and sharpen skills in stealthy C2 operations, lateral movement,…
🔥 Modern Initial Access 2.0 is here🔥 Long-awaited class finally opens for registration, but only three live classes & then it's gone ✅ Modern Phishing Tactics ✅ Proven Payloads ✅ Effective Shellcode Loaders ☢️Snatch your seat today: binary-offensive.com/initial-access… So excited! 🔥
As a fun little weekend project, I have weaponized OpenReplay for exploiting XSS on "HttpOnly" websites. It allows you to remotely control a victim's browser without the need for stealing any cookies. github.com/EgeBalci/evilr…
The SharePoint patch for Pwn2Own Berlin has been released - patch ASAP. The exploit needs only one request💣 I’d name this bug ToolShell - ZDI did say the endpoint is ToolPane after all😅 zerodayinitiative.com/advisories/ZDI… #CVE_2025_49706 #CVE_2025_49704 #SharePoint #Pwn2Own
Introducing Havoc Professional: A Lethal Presence We’re excited to share a first look at Havoc Professional, a next-generation, highly modular Command and Control framework, and Kaine-kit our fully Position Independent Code agent engineered for stealth! infinitycurve.org/blog/introduct…
Created small tool that joins a device to a Tailscale network and exposes a local SOCKS proxy. It’s built for red team pivots and quick access into (restricted) environments. The underlying tsnet library is currently Go-only, so it's semi-portable for now. github.com/Yeeb1/SockTail
Regarding #CVE-2025-33073 fixing NTLM/Kerberos reflection attacks via SMB: the patch only covers SMB clients. The "CredMarshal" trick still works on RPC and HTTP. But those protocols set the unverified target flags, which block exploitation. So, is reflection dead? Let’s see…
BOFs are powerful, but error-prone! We dropped a post and new BOF linting tool to catch bugs early, and to prevent crashing implants. This will speed up your Beacon Object File dev workflow. If you're building custom C2 payloads, it's a must-read. 🔍 📖 outflank.nl/blog/2025/06/3…
So you've compromised a host that isn’t cloud-joined. Antero Guy breaks down how to request OAuth tokens & enumerate an Entra ID tenant by using an SSO cookie from a non cloud-joined device. Read more ⬇️ ghst.ly/445tQKL
Following @ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by @SAERXCIT last year. It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification. github.com/AlmondOffSec/D…
Do I read this correctly as "One click on a link is enough to take over a Windows system"? That is baaaaad! O.o trellix.com/blogs/research…
After today’s talk at #TROOPERS25 I’m releasing BitlockMove, a PoC to execute code on remote systems in the context of a logged-on user session 🔥 github.com/rtecCyberSec/B… No need to steal credentials, no impersonation, no injection needed 👌
In the year since Misconfiguration Manager's release, the security community has been actively researching new tradecraft & identifying new attack paths. @subat0mik & @unsigned_sh0rt dive into the research & its impact on the state of SCCM security. ⬇️ ghst.ly/460vI9d