Research & Posts
7 posts
Abusing klist.exe for Kerberos Post-Exploitation
Microsoft Windows ships with klist.exe in C:\Windows\System32. Most technology and security professionals know only its default, parameter-less behavior: listing the Kerberos tickets cached in the current logon session. That behavior is just the surface of klist's capabilities.
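As an added illustration of going beyond the default invocation (this is not code from the post), the snippet below walks every logon session on the host and dumps the Kerberos tickets cached in each one. It assumes klist.exe is on the PATH, that the prompt is elevated (klist only exposes other users' logon sessions to administrators), and that klist prints logon IDs in its usual `High:0xLow` form such as `0:0x3e7`; the SPN used in the trailing comment is hypothetical.

```powershell
# Added example, not code from the post. Assumes klist.exe is on PATH and the
# session is elevated; non-admins only see their own logon session.

# 1. Enumerate logon sessions. klist prints LUIDs as <High>:0x<Low>, e.g. "0:0x3e7"
#    for the LocalSystem session. Capture the low part of every LUID it reports.
$sessionOutput = klist sessions 2>&1 | Out-String
$luids = [regex]::Matches($sessionOutput, '\b0:0x([0-9a-fA-F]+)\b') |
    ForEach-Object { $_.Groups[1].Value } |
    Sort-Object -Unique

# 2. For each session, list its cached tickets. "-li" selects the logon session by
#    LUID low part; "tickets" is the same view the bare "klist" command gives for
#    your own session, but now for any session on the box.
foreach ($luid in $luids) {
    Write-Host "=== Logon session 0x$luid ===" -ForegroundColor Cyan
    klist -li "0x$luid" tickets 2>&1
}

# 3. Other non-default verbs worth knowing (run individually as needed):
#   klist tgt                        # show only the TGT of the current session
#   klist -li 0x3e7 tgt              # show the TGT held by the LocalSystem session
#   klist get cifs/dc01.corp.local   # request and cache a service ticket for an SPN (hypothetical SPN)
#   klist purge -li 0x3e7            # flush the LocalSystem ticket cache to force re-authentication
```

On a host where you hold local admin, the loop above is the quickest way to see whose TGTs are resident in memory, which is also why defenders should expect klist invocations with `-li` or `purge` arguments to show up in process-creation telemetry.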
No More Implants: User's Guide to Splashtop C2
There's a belief in offensive security that impactful red team operations hinge on robust implants, custom C2 profiles, and elaborate execution chains. Entire corners of the industry orbit around loader development, obfuscated payloads, and whatever new post-ex update Cobalt Strike pushed last month.
Password Spraying ManageEngine and Other RSA-protected Logins
On a recent pentest I discovered a client was hosting a couple of internet-facing ManageEngine applications. These applications are almost always tied to on-prem Active Directory and are a great way to conduct password spraying attacks without involving Entra and O365 endpoints.
Please, Please, Please Stop Getting NTLM Relayed
Note: This article and the associated tool were written before the updates to Netexec and the release of RelayInformer. Better tools and methodologies now exist for enumerating insecure configurations in your environment.
Extending Wazuh with Sysmon and LDAP
Wazuh SIEM Dashboard
AMSI Bypasses and PowerShell Obfuscation
AMSI, the Antimalware Scan Interface, is the Windows interface through which script hosts such as PowerShell hand script content to the installed antimalware engine for scanning before it runs. That matters because scripts may be downloaded remotely and executed only from memory, never touching disk, so file-based scanning never sees them. Windows Defender
Bookmarklets as XSS Attack Vectors
If you're in the threat intelligence space, you've probably seen headlines about $1 billion crypto heists pulled off by North Korea's Lazarus Group. You've seen multi-million dollar deals being made for decrypting ransomware, and infostealers with nine figures in estimated damages. What you probably haven't seen is the cyber battlefield of children's online gaming, particularly a game called Roblox.