Last Week in Security (LWiS) - 2025-03-24
Next.js auth bypass (@zhero___ + @inzo____), ServiceNow for red teamers (@__invictus_), Veeam RCE - again! (@chudyPB), ArgFuscator (@Wietze), and more!
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2025-03-17 to 2025-03-24.
News
- Google + Wiz: Strengthening Multicloud Security - $32 billion... Google is positioning itself to be the "security" cloud provider after the Mandiant and Wiz acquisitions.
- Trimarc Joins TrustedSec: Strengthening Our Commitment to Security - TrustedSec snatches Sean Metcalf and his team! Good luck guys!
- Microsoft Trusted Signing service abused to code-sign malware - The Microsoft hosted signing service is being abused to sign malware. Why not use the Azure service when it's cheap and easy?
- The Trump Administration Accidentally Texted Me Its War Plans - Politics aside, the planning and dissemination of national security information via Signal is wild. This is why iOS 0days are so valuable; with access to the phone all the end-to-end encryption isn't worth anything and an adversary can just read the messages out of Signal's database. One wonders what would happen to an Army soldier who shared operational details via Signal and if that same punishment will befall any members of this group chat. The US Director of National Intelligence, who was in the Signal group where the information was shared, tweeted on 2025-03-14 (10 days ago) "Any unauthorized release of classified information is a violation of the law and will be treated as such." We shall see.
Techniques and Write-ups
- Next.js and the corrupt middleware: the authorizing artifact - Adding a single request header makes an unpatched Next.js application skip its middleware entirely, which means skipping whatever that middleware enforces (e.g. authentication).
- RDP without the risk: Cloudflare's browser-based solution for secure third-party access - Put RDP behind the Cloudflare Zero Trust platform (e.g. hardware 2FA) without any configuration changes to the Windows endpoint. If you can get over the fact that Cloudflare is a TLS man-in-the-middle for all your traffic, it's an amazing solution to many security issues.
- Red Teaming with ServiceNow - This is adversary simulation at its finest. Any "red team" can phish and deploy some beacons, but the true pros understand the network better than the defenders do and use the defenders' own tools against them. This is how the pros do it.
- Pre-authentication SQL injection to RCE in GLPI (CVE-2025-24799/CVE-2025-24801) - GLPI SQLI (pre-auth) and authenticated RCE. Happy hunting!
- Bypassing Windows Defender Application Control with Loki C2 - 0xBoku keeps cooking Loki C2. This time he is bypassing Windows Defender Application Control (WDAC) by exploiting trusted Microsoft Electron applications. While Loki C2 hasn't been released yet, the community is already creating POCs like asar-backdoor.
- By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) - You patched that Veeam RCE? Oops, it's vulnerable again! Another entry in the "just because it's patched doesn't mean it's not vulnerable" file.
- SAML roulette: the hacker always wins - The SAML bug from last week written up in detail for GitLab.
- !exploitable Episode Three - Devfile Adventures - A nice write-up of the 2024 GitLab path traversal bug in devfiles. Comes complete with an exploit: malicious-devfile-registry - Exploit for CVE-2024-0402 in GitLab.
- Bypassing Detections with Command-Line Obfuscation - That regex you cooked up to detect "malicious" command-line args? It's probably not considering all the edge cases the shell and the target binary will happily accept. Check out the tool: ArgFuscator.
- Talk To Your Malware – Integrating AI Capability in an Open-Source C2 Agent - This isn't another Model Context Protocol for Mythic, it's a prompt command you can use to trust (i.e. YOLO) an LLM to carry out actions you describe in plain English.
- The Things We Think and Do Not Say: The Future of Our Beacon Object Files (BOFs) - Beacon Object Files (BOFs) came to Cobalt Strike, and soon many C2s, in 2020. Five years later, it's worth discussing how BOFs can be improved. This post even comes with BOF-PE - An example reference design for a proposed BOF PE.
- Rust for Malware Development - "Rewrite it in rust" comes for malware.
- Understanding Windows Kernel Pool Memory - Some low level investigation of the Windows Kernel including memory types, debugging in WinDbg, and analyzing pool tags.
- What not to do with on prem virtualization - Don't underestimate the value of .vmdk disk files - they contain everything!
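To make the command-line obfuscation point concrete, here is an added example (mine, not code from the post or from ArgFuscator): one detection rule applied two ways, straight over the raw command line and over a normalised copy that undoes the transformations cmd.exe and the argument parser strip before the binary ever sees them. The sample command lines are constructed, not real telemetry; the caret, quote and whitespace insertion are standard cmd.exe behaviour, while the `/` vs `-` option-character substitution is only valid for binaries whose parser accepts both, which is exactly the per-binary detail ArgFuscator catalogs.

```javascript
// Added example: naive vs normalised command-line detection over constructed samples.

// Detection rule: certutil used to fetch a file. Shared by both detectors.
const RULE = /certutil(?:\.exe)?\s+.*-urlcache\b.*\s-f\b/i;

// Naive detector: the regex is applied to the raw command line as logged.
function naiveDetect(cmd) {
  return RULE.test(cmd);
}

// Undo the obfuscations that never reach the target binary, then apply the same rule.
function normalize(cmd) {
  return cmd
    .replace(/\^/g, '')          // caret insertion: cmd.exe strips '^' escapes (simplified: '^^' is not special-cased here)
    .replace(/"/g, '')           // quote insertion: quotes are removed during argv parsing
    .replace(/(^|\s)\//g, '$1-') // option-char substitution: treat '/x' like '-x' (assumes the binary accepts both)
    .replace(/\s+/g, ' ')        // whitespace insertion: collapse runs of spaces and tabs
    .trim()
    .toLowerCase();              // case variation (the /i flag already covers this; shown for log sources without it)
}

function normalizedDetect(cmd) {
  return RULE.test(normalize(cmd));
}

// Constructed samples (not real telemetry). `expected` is the ground truth label.
const SAMPLES = [
  { cmd: 'certutil.exe -urlcache -split -f http://example.test/a.txt a.txt', expected: true },
  { cmd: 'certutil.exe /urlcache /split /f http://example.test/a.txt a.txt', expected: true },
  { cmd: 'c^e^rtutil.exe -url^cache -spl^it -f http://example.test/a.txt a.txt', expected: true },
  { cmd: 'cer"t"util.exe  -"url"cache -split   -f http://example.test/a.txt a.txt', expected: true },
  { cmd: 'CERTUTIL.EXE\t-URLCACHE -SPLIT -F http://example.test/a.txt a.txt', expected: true },
  { cmd: 'certutil.exe -verify cert.cer', expected: false },
];

// Score a detector over the samples: returns { hits, misses, falsePositives }.
function evaluate(detector) {
  const result = { hits: 0, misses: 0, falsePositives: 0 };
  for (const s of SAMPLES) {
    const flagged = detector(s.cmd);
    if (flagged && s.expected) result.hits++;
    else if (!flagged && s.expected) result.misses++;
    else if (flagged && !s.expected) result.falsePositives++;
  }
  return result;
}

console.log('naive     ', evaluate(naiveDetect));
console.log('normalized', evaluate(normalizedDetect));
```

Run with `node`: the naive rule only catches the plain and the upper-cased variants, the normalised one catches all five and still ignores the benign `-verify` call. The normaliser is deliberately lossy (it would also strip a legitimately escaped `^^`), so in production prefer telemetry that already records the parsed argv over re-parsing the raw command line yourself, and treat normalisation as one layer rather than the fix.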
Tools and Exploits
- spinningcat - A program to "demonstrate impact" by filling the target's screen with a cat gif and playing techno music (based on: spinningcat).
- CloudPEASS - The current goal of Cloud PEASS is simple: Once you manage to get some credentials to access Azure, GCP or AWS, use different techniques to get the permissions the principal has and highlight all the potential attacks (privilege escalation, read sensitive information, etc) it's possible to do. [Note: this is the first tool I've seen to ship data to an LLM by default (that isn't explicitly an AI based tool). Be careful with sensitive data]
- CVE-2025-24071_PoC - NTLM Hash Leak via RAR/ZIP Extraction and .library-ms File.
- verizon_burp_extensions_ai - Verizon Burp Extensions: AI Suite.
- CVE-2025-29927 - Vulnerability in Next.js where the internal header x-middleware-subrequest can be used to bypass middleware checks like authentication.
- ludus_ghosts_server - Ansible GHOSTS server role for Ludus.
- defending-off-the-land - Assortment of scripts and tools for our Blackhat EU 2024 talk. [The file_access_token is so cool!]
- kernel-callback-removal - kernel callback removal (Bypassing EDR Detections).
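The Next.js write-up above and the CVE-2025-29927 entry describe the same thing: a request that carries the internal `x-middleware-subrequest` header is treated as a framework-internal subrequest and the middleware is not run. The following is an added example of mine, not Next.js source and not the researchers' proof of concept. It models that behaviour with a presence check (an assumption for illustration; the real framework parses the header value rather than merely testing for it), puts the obvious edge-side mitigation beside it (drop the header from any externally originated request), and includes the probe a practitioner would run against a staging copy: does adding the header turn an unauthenticated 401 into a 200? The route, cookie value and app functions are all constructed for the example.

```javascript
// Added example: simplified model of the x-middleware-subrequest bypass, its edge-side mitigation, and a probe.

const SUBREQUEST_HEADER = 'x-middleware-subrequest';

// Header names are case-insensitive on the wire; store them lower-cased.
function makeRequest(path, headers = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  return { path, headers: h };
}

// The protected route and the middleware that is supposed to guard it.
function adminHandler() {
  return { status: 200, body: 'admin page' };
}

function authMiddleware(req) {
  return req.headers['cookie'] === 'session=valid' // constructed session check
    ? { allow: true }
    : { allow: false, status: 401 };
}

// Vulnerable dispatcher: a request carrying the internal header is taken to be a
// subrequest the framework issued itself, so the middleware is skipped.
// Assumption: presence of the header is enough here; the real check inspects its value.
function vulnerableApp(req) {
  const isInternal = req.headers[SUBREQUEST_HEADER] !== undefined;
  if (!isInternal) {
    const verdict = authMiddleware(req);
    if (!verdict.allow) return { status: verdict.status, body: 'unauthorized' };
  }
  return adminHandler();
}

// Mitigation: whatever sits in front of the app (reverse proxy, WAF, edge rule)
// removes the internal header from external traffic before the app sees it.
function stripInternalHeaders(req) {
  const headers = { ...req.headers };
  delete headers[SUBREQUEST_HEADER];
  return { ...req, headers };
}

function mitigatedApp(req) {
  return vulnerableApp(stripInternalHeaders(req));
}

// Probe: unauthenticated request without the header must be rejected, and the same
// request with the header must not suddenly succeed. Returns true if it does.
function isBypassable(app, path = '/admin') {
  const baseline = app(makeRequest(path));
  const withHeader = app(makeRequest(path, { [SUBREQUEST_HEADER]: '1' })); // value ignored in this model
  return baseline.status === 401 && withHeader.status === 200;
}

console.log('vulnerable app bypassable:', isBypassable(vulnerableApp));
console.log('mitigated app bypassable: ', isBypassable(mitigatedApp));
```

Stripping the header at the edge is a stopgap for deployments that cannot patch immediately; the header is only meaningful between the framework and itself, so nothing legitimate from outside should ever carry it. Patching to a fixed Next.js release remains the actual fix, and the probe above is a cheap regression check to keep around either way.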
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- phisherman - A real fake social engineering app.
- The biggest mistake: ServicePrincipalName’s - Old blog but still valuable. A must-read for every Kerberos enthusiast, or anyone confused about what SPNs are.
- nuclei-templates-labs - Vulnerable environments paired with ready-to-use Nuclei templates for security testing and learning! 🚀.
- landrun - Run any Linux process in a secure, unprivileged sandbox using Landlock LSM. Think firejail, but lightweight, user-friendly, and baked into the kernel.
- active-directory-firewall - Active Directory Firewall.
- Ultimate-RAT-Collection - For educational purposes only, exhaustive samples of 450+ classic/modern trojan builders including screenshots.
- cascii is a web-based ASCII and Unicode diagram builder written in vanilla Javascript.
- Time crystal - 🤯
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.