Almond Offsec
@almondoffsec.bsky.social
Offensive Security team at Almond.
Blog: https://offsec.almond.consulting/
Blog: https://offsec.almond.consulting/
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
November 6, 2025 at 1:19 PM
Callstacks are largely used by the Elastic EDR to detect malicious activity. SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected.
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
Post: offsec.almond.consulting/evading-elas...
PoC: github.com/AlmondOffSec...
Following ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year.
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
June 27, 2025 at 3:07 PM
Following ShitSecure's TROOPERS talk and release of BitlockMove, we're releasing our internal DCOMRunAs PoC made by SAERXCIT last year.
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
It uses a similar technique with a few differences, such as DLL hijacking to avoid registry modification.
github.com/AlmondOffSec...
Did you know deleting a file in Wire doesn’t remove it from servers?
Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
offsec.almond.consulting/deleting-fil...
Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
offsec.almond.consulting/deleting-fil...
June 25, 2025 at 9:47 AM
Did you know deleting a file in Wire doesn’t remove it from servers?
Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
offsec.almond.consulting/deleting-fil...
Team member myst404 took a closer look at Wire's asset handling and identified 5 cases where behaviors may diverge from user expectations.
offsec.almond.consulting/deleting-fil...
Reposted by Almond Offsec
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post: sensepost.com/blog/2025/di...
SensePost | Diving into ad cs: exploring some common error messages
Leaders in Information Security
sensepost.com
March 7, 2025 at 1:15 PM
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post: sensepost.com/blog/2025/di...
To escape a locked-down Citrix environnement, team member SAERXCIT (twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge ABL, a 40 years old english-like programming language. We're sharing it in the off chance someone else might one day need it:
github.com/AlmondOffSec...
github.com/AlmondOffSec...
December 9, 2024 at 12:37 PM
To escape a locked-down Citrix environnement, team member SAERXCIT (twitter.com/SAERXCIT) wrote a basic shellcode loader in OpenEdge ABL, a 40 years old english-like programming language. We're sharing it in the off chance someone else might one day need it:
github.com/AlmondOffSec...
github.com/AlmondOffSec...
This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blogpost for details).
Team member sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack.bsky.social bug bounty program for Gnome: offsec.almond.consulting/using-aflplu...
December 5, 2024 at 10:52 AM
This issue was assigned CVE-2024-52531. While the CVE description states that the vulnerability cannot be reached from the network, it seems, in fact, possible (check the blogpost for details).
Team member sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack.bsky.social bug bounty program for Gnome: offsec.almond.consulting/using-aflplu...
October 30, 2024 at 12:53 PM
Team member sigabrt describes a fuzzing methodology he used to find a heap overflow in a public @yeswehack.bsky.social bug bounty program for Gnome: offsec.almond.consulting/using-aflplu...
New article on F5! A write-up on CVE-2024-45844 a privilege escalation vulnerability in BIG-IP by team member myst404
offsec.almond.consulting/privilege-es...
offsec.almond.consulting/privilege-es...
October 18, 2024 at 6:34 AM
New article on F5! A write-up on CVE-2024-45844 a privilege escalation vulnerability in BIG-IP by team member myst404
offsec.almond.consulting/privilege-es...
offsec.almond.consulting/privilege-es...
If you are lucky enough to have a Windows Server Datacenter with Hyper-V, you can automatically activate
Mayfly's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here:
github.com/AlmondOffSec...
Mayfly's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here:
github.com/AlmondOffSec...
September 27, 2024 at 12:30 PM
If you are lucky enough to have a Windows Server Datacenter with Hyper-V, you can automatically activate
Mayfly's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here:
github.com/AlmondOffSec...
Mayfly's GOAD VMs, so rebuilding the lab every 180 days is no longer needed. We POCed a Vagrant-style script here:
github.com/AlmondOffSec...
How does F5's Secure Vault, its "super-secure SSL-encrypted storage system" work? Response in this article by team member myst404
offsec.almond.consulting/deep-diving-...
offsec.almond.consulting/deep-diving-...
June 4, 2024 at 10:04 AM
How does F5's Secure Vault, its "super-secure SSL-encrypted storage system" work? Response in this article by team member myst404
offsec.almond.consulting/deep-diving-...
offsec.almond.consulting/deep-diving-...
Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members drm and myst404.
offsec.almond.consulting/post-exploit...
offsec.almond.consulting/post-exploit...
May 29, 2024 at 9:30 AM
Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members drm and myst404.
offsec.almond.consulting/post-exploit...
offsec.almond.consulting/post-exploit...
Stoked to see #PassTheCert featured in ippsec ‘s solution to @hackthebox.bsky.social Authority!
Video: www.youtube.com/watch?v=7AF5...
Find the tool here: github.com/AlmondOffSec...
Video: www.youtube.com/watch?v=7AF5...
Find the tool here: github.com/AlmondOffSec...
December 11, 2023 at 5:43 AM
Stoked to see #PassTheCert featured in ippsec ‘s solution to @hackthebox.bsky.social Authority!
Video: www.youtube.com/watch?v=7AF5...
Find the tool here: github.com/AlmondOffSec...
Video: www.youtube.com/watch?v=7AF5...
Find the tool here: github.com/AlmondOffSec...
We updated this old gem by myst404 to include the new #GLPI decryption algorithm.
offsec.almond.consulting/multiple-vul...
offsec.almond.consulting/multiple-vul...
November 15, 2023 at 1:00 PM
We updated this old gem by myst404 to include the new #GLPI decryption algorithm.
offsec.almond.consulting/multiple-vul...
offsec.almond.consulting/multiple-vul...