Offsec Ramblings

An Operator’s Guide to Device-Joined Hosts and the PRT Cookie

Introduction

Apr 7, 2025 • Matt Creel

3

December 2024

Breaching AWS Course Review

CloudBreach's OAWSP Certification

Dec 27, 2024 • Matt Creel

October 2024

BOFHound: AD CS Integration

A targeted approach to AD CS enumeration

Oct 30, 2024 • Matt Creel

August 2024

TAKEOVER-1 with PySQLRecon

The intersection of SQL and SCCM exploitation

Aug 10, 2024 • Matt Creel

January 2024

BOFHound: Session Integration

Background

Jan 30, 2024 • Matt Creel

November 2023

Abusing Slack for Offensive Operations: Part 2

When I first started diving into offensive Slack access, one of the best public resources I found was a blog post by Cody Thomas from back in 2020…

Nov 10, 2023 • Matt Creel

1

November 2022

RITM In-Depth

Taking a closer look at the Roast-in-the-Middle attack

Nov 14, 2022 • Matt Creel

1

1

September 2022

Hunting Resource-Based Constrained Delegation in Active Directory

Recently, I have encountered a couple of environments susceptible to lateral movement through resource-based constrained delegation (RBCD) attacks…

Sep 9, 2022 • Matt Creel

June 2022

Granularize Your Active Directory Reconnaissance Game Part 2

Last month Fortalice open-sourced BOFHound, an offline BloodHound ingestor for raw ldapsearch results.

Jun 15, 2022 • Matt Creel

February 2022

Reintroducing redlure

A year and a half later - the redlure setup guide

Feb 21, 2022 • Matt Creel

Keeping Up with the NTLM Relay

Back in when I was getting started as a junior pentester, I vividly remember reading @byt3bl33d3r‘s 2017 post: Practical guide to NTLM Relaying in 2017…

Feb 11, 2022 • Matt Creel

January 2022

Utilizing Mailcow for Phishing

Setting Up a Self-Hosted Mail Server with Mailcow

Jan 25, 2022 • Matt Creel