Tag: Lateral Movement
-

The Spectral Proxy: How the RoadK1ll Malware Uses WebSockets to Vanish into Your Network
Remaining undetected inside a network is still an attacker's strongest card, and a recent discovery by researchers at Blackpoint shows how sophisticated these tools are becoming. A malicious module dubbed “RoadK1ll” lets attackers not only entrench themselves in an environment but also quietly extend their reach to additional hosts,…
-

Edge of Extinction: How FortiGate Flaws Open the Gates to Active Directory Subjugation
Compromising a perimeter network appliance can quickly lead an attacker to the domain controllers and the enterprise's most critical data stores. In the early months of 2026, security researchers documented a series of intrusions in which attackers weaponized vulnerabilities in FortiGate firewalls to breach corporate networks and then move laterally deep into the infrastructure.…
-

Silent Pivot: Exploiting SpeechRuntimeMove for Stealthy Lateral Movement via DCOM
SpeechRuntimeMove: Lateral Movement via the SpeechRuntime DCOM trigger & COM Hijacking. This Proof of Concept (PoC) for lateral movement abuses the fact that some COM classes configured as INTERACTIVE USER spawn a process in the context of the currently logged-on user's session. If those processes are also vulnerable to COM hijacking, we can configure a COM…
-

FusterCluck PoC: Script Exploits RPC to Achieve Lateral Movement in Failover Clusters
FusterCluck is a PoC script for attacking failover clusters via the cluster API over RPC. The tool allows enumeration of cluster nodes and the state of cluster roles. If an attacker has control of a cluster admin or a cluster virtual account, they can migrate cluster groups to every node of the cluster and target…
-

DCOMRunAs: Covert Technique for Remote Code Execution in a Logged-on Session
DCOMRunAs instantiates COM objects in the session of a logged-on user on a remote machine. By targeting a COM object subject to DLL hijacking and dropping a custom DLL at that path, the payload DLL is loaded in the context of the logged-on remote user. Context & theory: Initially an internal PoC developed last…
-

LdrShuffle: Stealthy Code Execution via DLL EntryPoint Overwriting
LdrShuffle: Stealthy code execution via modification of the EntryPoint of loaded modules at runtime. Summary: Windows processes have various modules loaded at runtime. Each of these modules has a DllMain() function defined, which is invoked on process or thread creation/destruction (four possible scenarios). In order to properly call those functions during the lifetime of the process, the Windows…
-

BitlockMove: New PoC for Covert Lateral Movement via BitLocker DCOM Hijacking
BitlockMove: Lateral Movement via BitLocker DCOM & COM Hijacking. This Proof of Concept (PoC) for lateral movement abuses the fact that some COM classes configured as INTERACTIVE USER spawn a process in the context of the currently logged-on user's session. If those processes are also vulnerable to COM hijacking, we can configure a COM hijack…
-

The Quiet Threat: Why Ransomware and Infostealers Are Succeeding Where Encryption Fails
Ransomware operators and infostealers are adapting their tactics more swiftly than enterprises can recalibrate their defenses. Even substantial investments in ransomware resilience—primarily in backups and recovery—are increasingly failing to prevent tangible damage. According to the Picus Security Blue Report 2025, the most devastating incidents are no longer always tied to encryption: adversaries are shifting to…
-

SharpSCCM: post-exploitation tool designed to leverage SCCM for lateral movement
SharpSCCM is a post-exploitation tool designed to leverage Microsoft Endpoint Configuration Manager (a.k.a. ConfigMgr, formerly SCCM) for lateral movement without requiring access to the SCCM administration console GUI. SharpSCCM was initially created to execute user hunting and lateral movement functions ported from PowerSCCM (by @harmj0y, @jaredcatkinson, @enigma0x3, and @mattifestation) and now contains additional functionality…
-

APT41’s New Frontier: Chinese Cyberespionage Group Targets African Governments
The China-linked cyber-espionage group APT41 has launched a new surveillance campaign targeting government IT services in Africa—an unexpected turn for a region previously considered an unlikely target. Researchers at Kaspersky Lab uncovered the operation after detecting anomalous activity on the workstations of an unnamed organization. The attackers employed remote administration tools and executed commands to…
-

RemoteMonologue: New Windows Technique Weaponizes DCOM for NTLM Credential Harvesting
RemoteMonologue is a Windows credential harvesting technique that enables remote user compromise by leveraging the Interactive User RunAs key and coercing NTLM authentications via DCOM. Features: Authentication Coercion via DCOM (-dcom): targets three DCOM objects (ServerDataCollectorSet, FileSystemImage, UpdateSession) to trigger an NTLM authentication against a specified listener (-auth-to). Credential Spraying (-spray): validate credentials across multiple systems while…
-

Amnesiac: lateral movement within active directory environments
Amnesiac is a post-exploitation framework designed to assist with lateral movement within Active Directory environments. Amnesiac is being developed to bridge a gap on Windows, where post-exploitation frameworks are not readily available unless explicitly installed. It is entirely written in PowerShell and can be loaded and executed in memory, just like any other…
-

Maestro: Abusing Intune for Lateral Movement over C2
Maestro is a post-exploitation tool designed to interact with Intune/Entra ID from a C2 agent on a user's workstation without requiring the user's password, knowledge of Azure authentication flows, token manipulation, or the web-based administration console. Maestro makes interacting with Intune and Entra ID (and potentially other Azure services) from C2 much easier, as the operator…