Almond Offsec
@almondoffsec.bsky.social
Offensive Security team at Almond. Blog:
https://offsec.almond.consulting/
Call stacks are widely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a call-stack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
3 months ago
Following ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year. It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
7 months ago
Did you know deleting a file in Wire doesn’t remove it from servers? Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
offsec.almond.consulting/deleting-fil...
7 months ago
reposted by Almond Offsec
SensePost
11 months ago
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post:
sensepost.com/blog/2025/di...
SensePost | Diving into ad cs: exploring some common error messages
Leaders in Information Security
https://sensepost.com/blog/2025/diving-into-ad-cs-exploring-some-common-error-messages/
To escape a locked-down Citrix environment, team member SAERXCIT (twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge ABL, a 40-year-old English-like programming language. We're sharing it on the off chance someone else might one day need it:
github.com/AlmondOffSec...
about 1 year ago
This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blogpost for details).
about 1 year ago
Team member sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack.bsky.social bug bounty program for Gnome:
offsec.almond.consulting/using-aflplu...
over 1 year ago
New article on F5! A write-up on CVE-2024-45844, a privilege escalation vulnerability in BIG-IP, by team member myst404.
offsec.almond.consulting/privilege-es...
over 1 year ago
If you are lucky enough to have a Windows Server Datacenter host with Hyper-V, you can automatically activate Mayfly's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We PoC'd a Vagrant-style script here:
github.com/AlmondOffSec...
over 1 year ago
How does F5's Secure Vault, its "super-secure SSL-encrypted storage system", work? The answer is in this article by team member myst404:
offsec.almond.consulting/deep-diving-...
over 1 year ago
Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members drm and myst404.
offsec.almond.consulting/post-exploit...
over 1 year ago
Stoked to see #PassTheCert featured in ippsec's solution to @hackthebox.bsky.social Authority!
Video: www.youtube.com/watch?v=7AF5...
Find the tool here: github.com/AlmondOffSec...
about 2 years ago
We updated this old gem by myst404 to include the new #GLPI decryption algorithm.
offsec.almond.consulting/multiple-vul...
about 2 years ago