A distributed system is one in which the failure of a computer you didn't even know existed can render your own computer unusable
Starred Articles
Tokenization Confusion
06/03/2025 We look at the new Prompt Guard 2 model from Meta, how "confusing" Unigram tokenization can lead to misclassification of malicious prompts, and why building up our ML knowledge will lead to better findings when assessing LLM APIs. This post looks at how much knowledge of ML we need to be effective at testing these LLM WAFs.
In this blog post, we provide a comprehensive reference of coercion techniques in Windows Domains, and discuss their current effectiveness, quirks, and typical applications. We further explain how our recent patches to Impacket and NetExec help circumvent some of Microsoft’s new mitigations and present an implementation of a coercion technique that is currently not widely used.
Puny-Code, 0-Click Account Takeover
06/01/2025 We discuss a security vulnerability related to Puny-Code inconsistencies between mail servers and databases, which can lead to account takeovers. We discovered that MySQL treats certain Unicode characters differently than SMTP servers, allowing attackers to exploit email parsing discrepancies in the password reset process or OAuth provider trust relationships.
PatchGuard Internals
05/31/2025 We're going to talk about one of the most powerful protections for Windows: PatchGuard, also known as KPP (Kernel Patch Protection). In the first part, I will cover a theoretical perspective on this mitigation; the second part will dive into some internals, what it implies and why it's so hard to reverse engineer. Finally, we'll explore potential bypasses.
In this blog post, we'll briefly explore MCP and dive into a Tool Poisoning Attack (TPA). The true attack surface extends across the entire tool schema, coined Full-Schema Poisoning (FSP). Following that, we introduce a new attack that manipulates the tool’s output to significantly complicate detection through static analysis. We refer to this as the Advanced Tool Poisoning Attack (ATPA).
New Articles
We detail 5 vulnerabilities in Infoblox's NetMRI: unauthenticated command injection (CVE-2025-32813), SQL injection (CVE-2025-32814), hardcoded credentials (CVE-2025-32815), cookie forgery, and arbitrary file read as root (CVE-2024-54188).
This blog explores another Chromium command line flag that can be used to spy on a user by continuously taking pictures through their camera and recording their microphone audio.
OBS WebSocket to RCE
06/06/2025 Disabling password authentication of your OBS WebSocket server can have devastating consequences. We'll attack from the browser to construct an RCE payload on Windows formed from the pixels of an image, a polyglot.
UCgMSAExploitation
06/03/2025 In this blogpost I want to describe how to exploit gMSA Accounts that are configured with unconstrained delegation to get elevated privileges.
In this article, we will cover 5 various ways to detect possible hidden input parameters, including open-source tools to help you automate the entire process at scale.
LOLCLOUD - Azure Arc - C2aaS
05/30/2025 The Azure Arc service design can be leveraged to build a C2 infrastructure. We will first explain what Azure Arc actually is and how it operates, then delve into the details of how to deploy it and how it works from an adversary perspective.
We discovered arbitrary SYSTEM file delete (CVE-2025-23009) and overwrite (CVE-2025-23010) vulnerabilities in SonicWall NetExtender for Windows, a popular enterprise VPN client. In this blog, we'll discuss how they were discovered and subsequently leveraged for local privilege escalation.
This blog explores a Chromium command line flag and how it can be used to spy on a user by continuously taking screenshots of their screen.
In this article, we explore the design and implementation of Rust-based hypervisors for memory introspection and reverse engineering on Windows. We cover two projects - illusion-rs, a UEFI-based hypervisor, and matrix-rs, a Windows kernel driver-based hypervisor. Both leverage Extended Page Tables (EPT) to implement stealthy control flow redirection without modifying guest memory.
Katz Stealer Threat Analysis
05/23/2025 In this analysis, we will delve into the technical details of Katz Stealer, a credential-stealing malware as a service. We will explore its infection chain and the various techniques it employs to evade detection and exfiltrate sensitive data. We will also discuss detection opportunities and include YARA and Sigma rules to help identify this threat.
CVE 2025 31200
05/31/2025 We provide a detailed exploration of CVE-2025-31200, a security vulnerability in Apple's CoreAudio. The vulnerability stems from a mismatch between the expected number of remapping entries and the actual number of elements in memory. This discrepancy allows attackers to manipulate the audio processing pipeline, leading to memory corruption.
In this blog post, I will explain the root cause of CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious application to gain arbitrary kernel code execution and root on an Android phone. I will also provide an alternative exploitation technique used to exploit the page UAF.
In this blog, we test Claude AI's ability to craft some convincing phishing pretexts and how much work would be needed to make it happen.
OtterCookie hides behind clean code and fake job offers, then silently steals credentials, crypto wallets, and more. In this step-by-step technical analysis, we break down the full attack chain.
A deep technical breakdown of CVE-2025-49113, a post-authentication RCE vulnerability in Roundcube Webmail involving PHP session serialization.
In this article, I'll walk you through every major ADCS attack technique discovered to date - from the foundational ESC1-8 attacks to the latest ESC13-16 techniques. You'll learn not just how these attacks work, but how to implement them in real environments with practical code examples.
Root Shell on Credit Card Terminal
06/03/2025 We explore the security vulnerabilities of the Worldline Yomani XR payment card terminal. In particular, we gained root access via a serial console without needing an exploit or password.
GraphGhost: Are You Afraid of Failed Logins?
06/05/2025 We detail a security vulnerability, nicknamed GraphGhost, that previously existed in Microsoft Entra ID (formerly Azure AD). The flaw allows attackers to determine whether a password is valid, even though login attempts were marked as failures in system logs.
Still Recent
One Tool To Rule Them All
05/16/2025 We detail various techniques for bypassing security mechanisms like AMSI (Antimalware Scan Interface), ETW (Event Tracing for Windows), and CLM (Constrained Language Mode) using Microsoft's own debugging tools, specifically CDB and NTSD.
From Zero Creds to Enterprise Admin
05/20/2025 In this article, I detail how I was able to go from having zero credentials to obtaining Enterprise Admin. The attack chain demonstrates how several seemingly minor misconfigurations can be chained together to compromise an entire Active Directory forest.
In this blog post, I will start to get more practical and show you how to create a starter policy for lightly managed devices using Smart App Control policy as a template.
Oldies but Goodies
Mastering App Control for Business - Part 3: Application ID Tagging Policies & managed Installer
03/29/2025 In this post, I will describe what an application tagging policy is, how you can use the tagging policy in combination with Windows firewall rules and also talk a bit about the managed installer construct.
In this second post I will talk about the policy templates, which already exist in Windows 11, and how the policy XML files are structured and which rule options exist.
Exploring Agentic C2 Operations
03/06/2025 We explore how agents can support Red Team operations using a C2 framework. In this post, we look at two examples: host triage, and LPE analysis - as well as some other use cases for agents in red teaming.
In this first post of the series, I introduce the key concept and terms from App Control for Business, also known as Microsoft Defender Application Control (WDAC), and how it can strengthen your security strategy.
Adversarial Tokenization
03/11/2025 We show a previously unknown vulnerability of LLMs in addressing tokenization attacks whereby simply retokenizing an unsafe request elicits dangerous responses in state-of-the-art LLMs.
Unearthed Arcana
Introduction to Threat Intelligence ETW
04/13/2020 We examine key Windows Defender's Event Tracing for Windows (ETW) functions like EtwTiLogReadWriteVm, EtwProviderEnabled, and various event descriptors, analyzing how Windows logs and detects suspicious activity. Additionally, we discuss ways attackers might evade detection, such as allocating memory without execution permissions and reprotecting it later.