7 Minute Security's Substack

Tuesday TOOLSday: Mythic C2

Brian Johnson — Tue, 16 Jun 2026 18:05:11 GMT

Hi friends, this week I give you a quick tour of Mythic C2 including (at a high level):

Install overview
Building your first payload
Obfuscation techniques
Getting an initial shell
Privesc to SYSTEM shell
Mimikatz maximum pwnage!

P.S. I’m thinking of doing a live, long livestream (multiple hours?) where I pwn Ninja Hacker Academy from start to finish. I want to even include the install/setup/configuration of Mythic and use it throughout the stream. What do you think? Fun, or dumbest thing ever? Let me know!

Leave a comment

Thanks,
Brian

Tuesday TOOLSday: Hermes

Brian Johnson — Wed, 10 Jun 2026 20:02:21 GMT

Hey friends. I’ll talk more about this on the podcast this week, but wanted to announce that I’ve moved from OpenClaw to Hermes. This week I was able to set it up on my Mac Mini in about an hour, and completed the install by setting up a Telegram bot. Then, as I zipped around the Twin Cities running errands, I told Hermes to:

Install UptimeKuma
Install Assistant
Research scary movies
Create a “daily digest” email with info I care about

…and I’ve only scratched the service. This is awesome!

-Brian

Tuesday TOOLSday: 7MinSecWikiScripts

Brian Johnson — Wed, 03 Jun 2026 22:08:11 GMT

Hey friends!

Yes, I know it’s Wednesday — sorry, mom. 😅 But I’ve got a new Tuesday TOOLSday for you anyway!

This week I’m announcing a brand new GitHub repo: 7MinSec WikiScripts — a soon-to-be-growing collection of scripts (built with a lot of AI help) to make pentesting life easier. You can find it linked from the Scripts section over at 7MinSec.wiki.

The repo is organized into folders for lab setup, Dropbox deployments, maintenance tasks, and pentesting goodies. The first script out of the gate is install-exegol.sh — a one-shot installer for Exegol, which is basically my must-have toolkit for every internal network pentest. It bundles CrackMapExec, Impacket, Responder, and a ton more into a clean container environment so you’re not wrestling with dependency nightmares on a fresh Kali box.

Check out the video, grab the script, and let me know what you think!

Have a great week,

Brian

Tuesday TOOLSday: How to turn your phone into a "Brick"

Brian Johnson — Tue, 12 May 2026 19:09:56 GMT

This week’s Tuesday TOOLSday is a bit of a departure from the usual pentest/blue team chatter — but stay with me! Burnout and too much screen time are very real in IT/security, so I wanted to share a $50 gizmo called Brick that’s helped me doom scroll less, focus more, and sleep better over the past week.

The short version: Brick is a small NFC device (magnetic back, so I stuck mine on the fridge) that pairs with the Brick app. You pick the apps you want bricked — socials, games, whatever your time-sucks are — and tap your phone to the device to enable “mindfulness mode.” To get those apps back, you have to physically walk over and tap again. That tiny bit of friction has been surprisingly effective at breaking my continual “pocket check” habit.

A few things I dig about it:

$50 one-time fee, no subscription
One brick pairs with multiple devices (good for the family)
5 emergency unbricks are allowed within the app (if you’re stuck somewhere without the physical device)
Lets you schedule brick/unbrick on a timer without the physical device (great for a “Tommy Needs Sleepy” wind-down)

Grab one at getbrick.com if you’re curious. (7MinSec is not a sponsor, not an affiliate, this is not an ad, etc.)

Got your own focus/mental health hacks for fellow burnt-out IT folks? Leave a comment!

Thanks,

-Brian

Tuesday TOOLSday: 7MinSec.wiki - April updates

Brian Johnson — Wed, 06 May 2026 00:07:52 GMT

Hi friends, long time no posts! Sorry about that. I took a break for a while, and was hoping to be back in April, but only my mom noticed I didn’t get back into the swing of things until now.

In today’s Tuesday TOOLSday I wanted to (re)introduce you to 7MinSec.wiki and some new/updated pages I pushed in April, including:

A way to reboot your Mac remotely and skip FileVault protections
RunasCs - when for whatever reason runas won’t cut it
Why I use Twingate, like, all the time now
…and more!

Have a great week,

Brian

We'll be back in April!

Brian Johnson — Mon, 23 Mar 2026 20:27:47 GMT

Hi friends, in our last post I announced a break from 7MinSec.club to focus on helping our local community/neighbors. I detailed the specifics of my break in these three podcast episodes:

I’m getting back into the regular swing of things now, and plan on posting regular 7MinSec.club content starting in April. I’m not sure if I’ll go back to a strict “Tuesday TOOLSday” schedule we used to have. I’m entertaining the idea of being a bit more frequent in posting throughout the week, rather than a formal big post on Tuesdays. Either way, thanks for your patience and I look forward to getting back into the swing of things in April.

Leave a comment

Brian

Subscribe now

7MinSec.club is taking a break

Brian Johnson — Tue, 13 Jan 2026 16:10:58 GMT

Hello friends. I’m pushing the pause button on this Substack for the time being. I work in the Twin Cities area and there’s a lot of work to do to take care of my family, friends, neighbors and community. I appreciate your support and look forward to resuming our Tuesday TOOLSdays and other content as soon as possible.

-Brian

Tuesday TOOLSday: eramba - a free GRC tool

Brian Johnson — Tue, 06 Jan 2026 16:03:07 GMT

Happy new year! Today I give you a quick getting-started guide for eramba (not a partner/sponsor), a “community driven GRC solution that doesn’t break the bank.” It’s pretty easy to get installed via docker, and I added some personal instructions/tweaks of my own on our BPATTY project. Eramba looks super feature-packed, has a huge documentation library (complete with an accompanying video series), and even includes a beefy templates library full of policies, compliance frameworks and more.

Enjoy!

Subscribe now

-Brian

Tuesday TOOLSday: wifi pentesting with USB adapters and Proxmox

Brian Johnson — Tue, 30 Dec 2025 16:02:07 GMT

Today I give a quick primer on how to use a USB wifi card (such as the Panda PAU09) with Proxmox and the monitor mode script (and other tips) to successfully position yourself for maximum wifi pentest pwnage!

Subscribe now

Comments/questions/concerns?

Leave a comment

Anything you want me to know?

Thanks,

-Brian

Tuesday TOOLSday: how to fix the ESC8 vulnerability

Brian Johnson — Tue, 23 Dec 2025 15:02:46 GMT

This week I jump over to the blue team side of the world and walk through how to find, attack and fix the ADCS ESC8 vulnerability! Microsoft has some guidance on various cert fix-ups here as well. During our penetration tests, we see a ton of the ESC1 and ESC8 vulnerabilities. You should also review the excellent article/research from SpecterOps on finding/fixing all flavors of ESC vulnerabilities. Lastly, I’ve had many clients report that the Locksmith tool is excellent for finding, understanding, and even fixing ESC vulnerabilities in your environment.

Leave a comment

Thanks,

-Brian

Subscribe now

LPLITE:GOAD pentesting course has launched!

Brian Johnson — Thu, 18 Dec 2025 13:07:32 GMT

Hello friends! I’m super excited to share that our brand new Active Directory pentesting course, Light Pentest LITE:GOAD (Live Interactive Training Experience: Game of Active Directory) is now open for enrollment!

When: Tuesday, January 27 - Thursday, January 29 (9:00 a.m. - 1:00 p.m. each day)

Where: online via a Web browser (nothing to download/install on your end!)

Where to sign up and get more details:

https://training.7minsec.com/events/90c5636a-a642-45f1-acc3-9c6c547fd887

If you have any comments/questions/concerns, please let me know!

Thanks,

Brian

Leave a comment

Subscribe now

Tuesday TOOLSday: coercion attacks against Windows 11

Brian Johnson — Tue, 16 Dec 2025 16:01:51 GMT

Hey friends! In today’s Tuesday TOOLSday I demonstrate an attack that I thought Windows 11 and higher was hardened against. On many a internal pentest you might find a Windows system with WebClient enabled - thus (potentially) opening the opportunity to coerce authentication out of that system with a relay attack, thus giving you excessive rights on that victim machine.

My understanding as of a few months ago, though, is that Windows 11 OS and greater were immune to that type of coercion. Turns out I was wrong - check out https://github.com/Hypnoze57/rpc2efs and today’s video to see Windows 11 coercion in action!

Leave a comment

Thanks,

Brian

Subscribe now

Tuesday TOOLSday: I'm out of commission

Brian Johnson — Tue, 09 Dec 2025 16:02:51 GMT

Hello friends,

Sorry (mom), no Tuesday TOOLSday video today (maybe later this week though). My calendar went a bit sideways with work and personal things.

On the topic of Tuesday TOOLSday, though, I’ve started to take some of the videos from these streams and bake them into my BPATTY (Brian’s Pentesting And Technical Tips for You) site for easier reference:

https://bpatty.rocks/tags/video/

Have a great week!

-Brian

Tuesday TOOLSday: DIY pentest dropbox tips

Brian Johnson — Thu, 04 Dec 2025 15:16:04 GMT

This week I show some tips to help make pentest dropbox deployments easier and faster, and also share a shift I’m making in remote access to these boxes. The skinny:

Using a Proxmox Twingate LXC makes persistent remote access easy. You can leave this slim VM on your Proxmox box at all times, and not have to nuke and rebuild it with every new customer project!
With a little scripting and some use of the qm command at the Proxmox SSH command line, you can set the admin password for both VMs and also set the VMs to start upon Proxmox boot (in whatever order you choose).

Have fun!

-Brian

Leave a comment

Subscribe now

Tuesday TOOLSday: SQL server defense 101

Brian Johnson — Thu, 27 Nov 2025 13:07:40 GMT

Today we cover an easy way you can defend against a common SQL server attack - specifically by disabling stored procedures that attackers and pentesters use to give themselves free AD credentials. I’ve got a write-up on the defensive commands here: https://bpatty.rocks/blueteam/sql/.

While you’re here, why not subscribe?

Subscribe now

Comment/question/concern for me?

Thanks,

Brian

Tuesday TOOLSday: Lithnet AD Password Protection

Brian Johnson — Thu, 20 Nov 2025 13:07:38 GMT

This week I came across Lithnet’s Password Protection for Active Directory (not a sponsor!). It’s awesome! It’s a free utility you can install on your domain controllers to block all of the Have I Been Pwned password list, as well as any custom password lists and words you want to manually import. Perhaps my favorite feature is the ability to add a banned word like 7minutesecurity and have it automatically block variations such as:

7minutesecurity!
7minutesecurity2025!
7m1nut3s3cur1ty2028

Check it out, and while you’re here, why not subscribe?

Subscribe now

Comment/question for me?

Oh and before I forget, I’ve got a cheat sheet write-up on installing password protection here.

Thanks,

-Brian

Light Pentest LITE:GOAD logo winner announced!

Brian Johnson — Mon, 17 Nov 2025 13:07:55 GMT

Hello friends,

Just wanted to share with you that we landed on a winner for our Light Pentest LITE:GOAD logo contest - check it out:

Ohhhh I love it so much! This will start getting worked into our LPLITE:GOAD page, and you’ll definitely see more of it if you attend the first live class, which is coming in January, 2026. I’ll announce the class sign-up link here in Substack first, so please subscribe if you haven’t already:

Subscribe now

And don’t forget to join us for tomorrow’s Tuesday TOOLSday where we’ll be showcasing Lithnet AD password protection.

Thanks,

-Brian

Tuesday TOOLSday: LAPS quick install

Brian Johnson — Thu, 13 Nov 2025 13:07:37 GMT

This week we did a super quick install/demo of LAPS (Local Administrator Password Solution). LAPS is built right into Active Directory and gives you a free/easy way to assign all of your endpoints a unique local Administrator account password, thus making it harder for hackers who compromise one endpoint to compromise all endpoints.

Enjoying this content?

Subscribe now

Questions/comments/concerns for me?

Thanks,

Brian

Available for iOS and Android

Tuesday TOOLSday: Pretender

Brian Johnson — Thu, 06 Nov 2025 13:07:51 GMT

This week I gave a quick intro of pretender, a tool that has the powers of mitm6 + the spoofing capabilities of Responder. Specifically, I demonstrated how to selectively spoof a hostname that systems are querying but for which no DNS record exists. I’m definitely going to play with this more and use it on future assessments. There’s a great overview of the tool with some examples and videos here.

Do you use pretender on assessments?

Leave a comment

Questions/comments/concerns for me?

Thanks,

-Brian

Tuesday TOOLSday: Kerberoasting Kleanup

Brian Johnson — Thu, 30 Oct 2025 12:07:56 GMT

Hello friends! This week I talked about how you can clean up old Active Directory SPNs. The main page with all the links is over at our BPATTY repository, but here are the links we talked about during the livestream:

wald0’s tweet about Kerberoasting cleanup
Microsoft’s practical way to clean up dead SPNs in Active Directory
Script to cleanup dead SPNs
setspn - a tool to add/modify/delete SPNs

Enjoy, and why you’re here, why not:

Subscribe now

Thanks,

Brian