7 Minute Security's Substack

We'll be back in April!

Brian Johnson — Mon, 23 Mar 2026 20:27:47 GMT

Hi friends, in our last post I announced a break from 7MinSec.club to focus on helping our local community/neighbors. I detailed the specifics of my break in these three podcast episodes:

I’m getting back into the regular swing of things now, and plan on posting regular 7MinSec.club content starting in April. I’m not sure if I’ll go back to a strict “Tuesday TOOLSday” schedule we used to have. I’m entertaining the idea of being a bit more frequent in posting throughout the week, rather than a formal big post on Tuesdays. Either way, thanks for your patience and I look forward to getting back into the swing of things in April.

Leave a comment

Brian

Subscribe now

7MinSec.club is taking a break

Brian Johnson — Tue, 13 Jan 2026 16:10:58 GMT

Hello friends. I’m pushing the pause button on this Substack for the time being. I work in the Twin Cities area and there’s a lot of work to do to take care of my family, friends, neighbors and community. I appreciate your support and look forward to resuming our Tuesday TOOLSdays and other content as soon as possible.

-Brian

Tuesday TOOLSday: eramba - a free GRC tool

Brian Johnson — Tue, 06 Jan 2026 16:03:07 GMT

Happy new year! Today I give you a quick getting-started guide for eramba (not a partner/sponsor), a “community driven GRC solution that doesn’t break the bank.” It’s pretty easy to get installed via docker, and I added some personal instructions/tweaks of my own on our BPATTY project. Eramba looks super feature-packed, has a huge documentation library (complete with an accompanying video series), and even includes a beefy templates library full of policies, compliance frameworks and more.

Enjoy!

Subscribe now

-Brian

Tuesday TOOLSday: wifi pentesting with USB adapters and Proxmox

Brian Johnson — Tue, 30 Dec 2025 16:02:07 GMT

Today I give a quick primer on how to use a USB wifi card (such as the Panda PAU09) with Proxmox and the monitor mode script (and other tips) to successfully position yourself for maximum wifi pentest pwnage!

Subscribe now

Comments/questions/concerns?

Leave a comment

Anything you want me to know?

Thanks,

-Brian

Tuesday TOOLSday: how to fix the ESC8 vulnerability

Brian Johnson — Tue, 23 Dec 2025 15:02:46 GMT

This week I jump over to the blue team side of the world and walk through how to find, attack and fix the ADCS ESC8 vulnerability! Microsoft has some guidance on various cert fix-ups here as well. During our penetration tests, we see a ton of the ESC1 and ESC8 vulnerabilities. You should also review the excellent article/research from SpecterOps on finding/fixing all flavors of ESC vulnerabilities. Lastly, I’ve had many clients report that the Locksmith tool is excellent for finding, understanding, and even fixing ESC vulnerabilities in your environment.

Leave a comment

Thanks,

-Brian

Subscribe now

LPLITE:GOAD pentesting course has launched!

Brian Johnson — Thu, 18 Dec 2025 13:07:32 GMT

Hello friends! I’m super excited to share that our brand new Active Directory pentesting course, Light Pentest LITE:GOAD (Live Interactive Training Experience: Game of Active Directory) is now open for enrollment!

When: Tuesday, January 27 - Thursday, January 29 (9:00 a.m. - 1:00 p.m. each day)

Where: online via a Web browser (nothing to download/install on your end!)

Where to sign up and get more details:

https://training.7minsec.com/events/90c5636a-a642-45f1-acc3-9c6c547fd887

If you have any comments/questions/concerns, please let me know!

Thanks,

Brian

Leave a comment

Subscribe now

Tuesday TOOLSday: coercion attacks against Windows 11

Brian Johnson — Tue, 16 Dec 2025 16:01:51 GMT

Hey friends! In today’s Tuesday TOOLSday I demonstrate an attack that I thought Windows 11 and higher was hardened against. On many a internal pentest you might find a Windows system with WebClient enabled - thus (potentially) opening the opportunity to coerce authentication out of that system with a relay attack, thus giving you excessive rights on that victim machine.

My understanding as of a few months ago, though, is that Windows 11 OS and greater were immune to that type of coercion. Turns out I was wrong - check out https://github.com/Hypnoze57/rpc2efs and today’s video to see Windows 11 coercion in action!

Leave a comment

Thanks,

Brian

Subscribe now

Tuesday TOOLSday: I'm out of commission

Brian Johnson — Tue, 09 Dec 2025 16:02:51 GMT

Hello friends,

Sorry (mom), no Tuesday TOOLSday video today (maybe later this week though). My calendar went a bit sideways with work and personal things.

On the topic of Tuesday TOOLSday, though, I’ve started to take some of the videos from these streams and bake them into my BPATTY (Brian’s Pentesting And Technical Tips for You) site for easier reference:

https://bpatty.rocks/tags/video/

Have a great week!

-Brian

Tuesday TOOLSday: DIY pentest dropbox tips

Brian Johnson — Thu, 04 Dec 2025 15:16:04 GMT

This week I show some tips to help make pentest dropbox deployments easier and faster, and also share a shift I’m making in remote access to these boxes. The skinny:

Using a Proxmox Twingate LXC makes persistent remote access easy. You can leave this slim VM on your Proxmox box at all times, and not have to nuke and rebuild it with every new customer project!
With a little scripting and some use of the qm command at the Proxmox SSH command line, you can set the admin password for both VMs and also set the VMs to start upon Proxmox boot (in whatever order you choose).

Have fun!

-Brian

Leave a comment

Subscribe now

Tuesday TOOLSday: SQL server defense 101

Brian Johnson — Thu, 27 Nov 2025 13:07:40 GMT

Today we cover an easy way you can defend against a common SQL server attack - specifically by disabling stored procedures that attackers and pentesters use to give themselves free AD credentials. I’ve got a write-up on the defensive commands here: https://bpatty.rocks/blueteam/sql/.

While you’re here, why not subscribe?

Subscribe now

Comment/question/concern for me?

Thanks,

Brian

Tuesday TOOLSday: Lithnet AD Password Protection

Brian Johnson — Thu, 20 Nov 2025 13:07:38 GMT

This week I came across Lithnet’s Password Protection for Active Directory (not a sponsor!). It’s awesome! It’s a free utility you can install on your domain controllers to block all of the Have I Been Pwned password list, as well as any custom password lists and words you want to manually import. Perhaps my favorite feature is the ability to add a banned word like 7minutesecurity and have it automatically block variations such as:

7minutesecurity!
7minutesecurity2025!
7m1nut3s3cur1ty2028

Check it out, and while you’re here, why not subscribe?

Subscribe now

Comment/question for me?

Oh and before I forget, I’ve got a cheat sheet write-up on installing password protection here.

Thanks,

-Brian

Light Pentest LITE:GOAD logo winner announced!

Brian Johnson — Mon, 17 Nov 2025 13:07:55 GMT

Hello friends,

Just wanted to share with you that we landed on a winner for our Light Pentest LITE:GOAD logo contest - check it out:

Ohhhh I love it so much! This will start getting worked into our LPLITE:GOAD page, and you’ll definitely see more of it if you attend the first live class, which is coming in January, 2026. I’ll announce the class sign-up link here in Substack first, so please subscribe if you haven’t already:

Subscribe now

And don’t forget to join us for tomorrow’s Tuesday TOOLSday where we’ll be showcasing Lithnet AD password protection.

Thanks,

-Brian

Tuesday TOOLSday: LAPS quick install

Brian Johnson — Thu, 13 Nov 2025 13:07:37 GMT

This week we did a super quick install/demo of LAPS (Local Administrator Password Solution). LAPS is built right into Active Directory and gives you a free/easy way to assign all of your endpoints a unique local Administrator account password, thus making it harder for hackers who compromise one endpoint to compromise all endpoints.

Enjoying this content?

Subscribe now

Questions/comments/concerns for me?

Thanks,

Brian

Available for iOS and Android

Tuesday TOOLSday: Pretender

Brian Johnson — Thu, 06 Nov 2025 13:07:51 GMT

This week I gave a quick intro of pretender, a tool that has the powers of mitm6 + the spoofing capabilities of Responder. Specifically, I demonstrated how to selectively spoof a hostname that systems are querying but for which no DNS record exists. I’m definitely going to play with this more and use it on future assessments. There’s a great overview of the tool with some examples and videos here.

Do you use pretender on assessments?

Leave a comment

Questions/comments/concerns for me?

Thanks,

-Brian

Tuesday TOOLSday: Kerberoasting Kleanup

Brian Johnson — Thu, 30 Oct 2025 12:07:56 GMT

Hello friends! This week I talked about how you can clean up old Active Directory SPNs. The main page with all the links is over at our BPATTY repository, but here are the links we talked about during the livestream:

wald0’s tweet about Kerberoasting cleanup
Microsoft’s practical way to clean up dead SPNs in Active Directory
Script to cleanup dead SPNs
setspn - a tool to add/modify/delete SPNs

Enjoy, and why you’re here, why not:

Subscribe now

Thanks,

Brian

Tuesday TOOLSday: egress filtering

Brian Johnson — Tue, 21 Oct 2025 15:02:56 GMT

Hey friends,

I’m on the road this week but didn’t want to miss our Tuesday TOOLSday! Today we talk about egress filtering (with the help of this BPATTY article) and talk about:

What traffic you might want to hard block from traversing your internal > external network.
What traffic you might want to filter so that only specific hosts can send it outbound.
A quick demo of go-out to test egress filtering.

Enjoy!

Leave a comment

-Brian

Subscribe now

Tuesday TOOLSday: benefits of a security ticketing system

Brian Johnson — Wed, 15 Oct 2025 12:07:32 GMT

This week I talked through how 7MinSec is using a security ticketing system (JitBit specifically but they’re not a sponsor/advertiser) to help manage our internal infosec program. Specifically, we use tickets to:

Manage an asset inventory
Track incidents
Generate automatic tickets for important system maintenance (backups, patching, etc.)

Do you use a system like this to help manage your internal infosec program?

Leave a comment

Any thoughts you want to share directly?

Thanks,

Brian

Available for iOS and Android

Tuesday TOOLSday: mssqlkaren

Brian Johnson — Tue, 07 Oct 2025 14:55:26 GMT

Hey friends, in last week’s podcast I talked about a fun pentest where I relayed an SCCM machine account cred to a SCCM server with SQL installed, then dumped delicious information out of the database - which contained clear text SCCM creds! Today I show this in more detail, and how the credential stealing process was made much easier with the help of mssqlkaren.

Tuesday TOOLSday: coercing HTTP auth w/scheduled tasks

Brian Johnson — Fri, 03 Oct 2025 12:07:09 GMT

Hello friends! In this week’s Tuesday TOOLSday we continue the theme of using schtasks for evil - this time by camping out on a WinRM connection with local admin access, and then coercing HTTP authentication from a logged-in domain admin account to give us full control of the domain.

Hey and while you’re here, why not…

Subscribe now

Thoughts to share?

Leave a comment

Questions for me?

Brian

Available for iOS and Android

Tuesday TOOLSday: coercing SMB auth w/scheduled tasks

Brian Johnson — Fri, 26 Sep 2025 15:33:41 GMT

Today I demonstrate a method to leverage local admin access to coerce SMB auth out of that system, on behalf of a higher-privilege user, and “catch” the request with downgraded authentication you can crack using something like Vast.ai.

Enjoy!

Leave a comment

Brian

Available for iOS and Android