Feb. 2017 - Loading .NET assemblies via SQL - Wrote the original code that inspired this post. Wrote a shellcode injector for this in C# after reading through the PowerUpSQL code and seeing a comment referring to it. Original use case was to get around command-line logging and heavy monitoring of common lateral spread techniques.
Jan. 2017 - Roasting AS-REPs/S4U2Pwnage - Figuring out how Kerberos pre-authentication and S4U2Self/S4U2Proxy work and how attackers can leverage/abuse them.
Jul. 2016 - KeeThief - How to dump KeePass databases in post-exploitation scenarios. I wrote most of the memory scraping and decryption shellcode.
Dec. 2014 - UnmanagedPowerShell - Executing PowerShell from unmanaged code. This code formed the basis of PowerShell capabilities in Empire, Cobalt Strike, Silent Break Security’s Slingshot, and Meterpreter12.