Security Review #279

This blog dives into why dMSA abuse is still a problem, the release of a new Beacon object file (BOF) labeled BadTakeover, plus additions to SharpSuccessor, all to show that BadSuccessor's impact as a technique (not a vulnerability) will still hold a lasting effect.

I will share research in both One-Way Outbound and Bidirectional Trust scenarios. I present several attack chains that can be abused using only the Trust account TDO in Active Directory, explain what this account can and cannot do, and conclude with an Outbound Trust case in which both domains trust the same certificate authority inside a compromised forest.

We bypassed human approval protections for system command execution in AI agents, achieving RCE in three agent platforms. This blog post focuses on the design antipatterns that create these vulnerabilities, with concrete examples demonstrating successful RCE.

In this post we are going to go over various way to encode your shellcode, obfuscate it, turn it into the popular alpha-mix character format, and of course make it polymorphic, meaning it will be uniquely different every single time it's built and ran.

The usage of Credential Guard renders known credential dumping techniques, such as those employed by the famous tool Mimikatz, ineffective. In this article, we delve into Credential Guard and explore potential methods for extracting secrets, aiming to assess the real-world feasibility and impact of credential dumping against contemporary protections.

An undocumented parameter of the "web-auth" command could allow an authenticated attacker to execute commands remotely due to improper input sanitization, potentially resulting in full device compromise of Zyxel ATP (CVE-2025-8078).

We demonstrate the impact of CVE-2025-54236, a deserialization vulnerability in Magento leading to unauthenticated file upload.

In this blog, I'll be presenting my research and analysis on CVE-2025-39965 (a Use-After-Free in the Linux XFRM subsystem) covering the patch-fix analysis, vulnerability analysis, and technical insights into my process of triggering the bug along with some PoC code.

In this blog post we take a look at a race condition we found in Microsoft Windows Cloud Minifilter (i.e. cldflt.sys). There is a time window between the filename validation and file creation where the user can alter the filename allowing the user to create a file or directory anywhere on the system, leading to a privilege escalation (CVE-2025-55680)

After prompt injection, we had M365 Copilot generate a Mermaid diagram resembling a login button containing CSS style elements with a hyperlink to an attacker’s server. The hyperlink contained the hex encoded sensitive tenant data, and when clicked, the sensitive tenant data was transmitted to the attacker’s web server.

In this post we are going to cover how to hunt for implants that abuse xray.amazonaws.com for C2 as well as detection opportunities on AWS side.

We found a business logic flaw in how Netty handled SMTP. By making SMTP command injection possible Netty allows bypass email trust mechanisms (SPF, DKIM and DMARC).

Alibaba's UC Browser runs on an outdated engine and lacks of site isolation, making it highly vulnerable to n-day exploits. We demonstrate how attackers can achieve one-click data theft without sandbox escapes - posing serious risks to user privacy and security.

We explain how to get SYSTEM access on a BitLocker encrypted laptop protected with a PIN. We're going to unlock the laptop's drive and discuss a few peculiarities found along the way.

Password-spray detection typically involves correlating bad password attempts based on time. This detection method is fraught with false positives because standard users mistype and/or forget their passwords regularly. This article describes how to detect Entra ID password-spraying without false positives by leveraging a honeypot account.

A technical analysis of Tykit, a new phishing kit that mimics Microsoft 365 login pages. It utilizes various evasion tactics like hiding code in SVGs or layering redirects. The client-side code executes in several stages and uses basic anti-detection techniques.

When you achieve code execution in the context of a Microsoft Virtual/Service account, you can request a certificate for the computer you’re running on without needing any prerequisite permissions. By exporting this certificate, you can use PKINIT to recover the NTLM hash of the machine account, then use S4U2SELF to escalate privileges on the host via crafting a silver ticket.

We go through the different steps taken to reverse engineer the obfuscation layer setup by Amazon to prevent ebooks to be read from other software.

We uncovered CVE-2025-61928, an unauthenticated API key creation flaw in better-auth's API keys plugin that enables attackers to mint privileged credentials for arbitrary users; this post details the bypass, exploitation path, and how we found it.

I will give a higher-level overview on what Windows forensics looks like to a practitioner. I will discuss some of the major artifacts, what they contain in them, and how some of their data can relate. I will dive into the registry artifacts, the prefetch artifacts, the jumplists, and the link (LNK) files.

This posts describes how I'm tunneling my WireGuard tunnels over HTTPS using Wstunnel, by tunneling the traffic over Websockets.

In this part we will dissect a Windows workstation memory image suspected of being compromised by a determined threat actor.

One of the safest places to write payloads and offensive tools is the folder of executable files for Antivirus (AV) software. Since these folders are protected by the AV, they automatically become part of the "exception" list. In this article, I will introduce a tool that helps find and exploit programs whitelisted by Antivirus to allow arbitrary file writing into the folder containing the AV's executable files.

We will delve into the vendor's insufficient fix for CVE-2024-10237 (a logical flaw in the firmware validation process) and explain how we were able to bypass it, which resulted in the new CVE-2025-7937. We also detail CVE-2025-6198, another firmware validation logic flaw.

In this part, we dig into the footprints the adversary left in the Linux server's RAM, identifying lateral move artifacts.

In this blog post, we will explain what WMI event subscriptions are, then we'll compromise our own lab machine using two different techniques : atomic red team and powerlurk. Most importantly, we'll learn how to hunt for these artifacts using a combination of sysmon, the elk stack, and osquery.

We analyze the Whisper 2FA phishing kit, featuring a well-obfuscated credential harvester with anti-debugging, anti-analysis, and brand mimicking features.

The Directory Services Restore Mode (DSRM) Administrator account is a critical Tier 0 local account on every domain controller (DC), used for Active Directory recovery scenarios. Given its high privilege, we revisit best practices for managing its password securely in modern environments.

We detail 3 vulnerabilities in Supermicro BMC firmware: a critical signature verification bypass (CVE-2024-10237) and 2 stack overflow vulnerabilities in the firmware's image verification routine (CVE-2024-10238 and CVE-2024-10239).

OAuth misconfigurations show how common dev settings can lead to account takeovers. We explore real cases where failing to account for differences between desktop and mobile environments left SDKs, exchanges, and wallets vulnerable to exploits.

Local LLMs prioritize privacy over security. We present two ways attackers can exploit local LLMs to generate malicious code. The first plants hidden backdoors that look like normal features. The second forces immediate code execution during your AI-assisted coding session.

We will examine CVE-2025-59287 in the Microsoft Windows Server Update Services (WSUS), an unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint, where encrypted cookie data is decrypted using AES-128-CBC and subsequently deserialized through BinaryFormatter without proper type validation, enabling remote code execution with SYSTEM privileges.

We discovered a stealthy backdoor targeting GNU/Linux systems relying on the installation of two eBPF modules. This article details the capabilities of this rootkit and presents the infection chain observed in this case, which allowed its installation on several nodes of an AWS EKS environment.

In this article, we'll look at a proven methodology to identify reflective XSS vulnerabilities while also diving deeper into some advanced exploitation methods.

This is research on detecting attacks on Kerberos using traffic analysis, especially, we prove that Kerberos attacks can be detected purely from network telemetry without relying on host logs.

When investigating intrusion attempts or suspicious login activity in Windows environments, one of the most overlooked sources of truth lies in the authentication failure logs - specifically Kerberos Event ID 4771 and NTLM Event ID 4776.

We discovered several cryptographic issues in Cloudflare's CIRCL library - specifically with the implementation of the FourQ elliptic curve. The vulnerability lies in the invalid point computation, leading to a possible invalid curve attack.

A vulnerability in the zysh-cgi component of the Zyxel USG/ATP Series allows a low-privileged, semi-authenticated attacker to access the device's configuration, bypassing authorization controls. This issue arises due to missing authorization checks and an incomplete validation of disallowed inputs, enabling the attacker to interact with restricted system functionalities through crafted requests.

The Nokia Beacon 1 proved to be an interesting journey covering the full spectrum of techniques from hardware debug interfaces to firmware extraction and finally both static and dynamic analysis. I was rewarded with interesting findings including a command injection.

Time-to-Exploit reaches -1 days for the first time: attackers exploit vulnerabilities faster than defenders can apply patches. This article decodes the advanced self-update mechanisms that enable malware to deploy zero-day exploits in seconds, not hours.

We first review the known MCP vulnerabilities: tool poisoning (or line jumping), tool shadowing, "rug-pulling", and generic web 2.0 issues. We then provide a security checklist and requirements both for MCP server and client.

We detail how to recover the BitLocker encryption key on a laptop that had no PIN protection, for instance if the laptop gets briefly accessed by an attacker or simply stolen.

I explain how to create an infinite money cheat in Cyberpunk 2077 using Cheat Engine to find and modify the in-game money address. It further details how to perform pointer scanning to locate a permanent money address that persists across game restarts and provides a C++ code example to create a custom trainer for direct memory manipulation.

I found a critical vulnerability in GitHub Copilot Chat (CVSS 9.6) that allowed silent exfiltration of secrets and source code from private repos, and gave me full control over Copilot's responses, including suggesting malicious code or links. The attack combined a novel CSP bypass using GitHub’s own infrastructure with remote prompt injection.

This first part explores how three fundamental components (the rendering engine that transforms markup into visual content, the JavaScript engine that executes dynamic code, and the network stack that manages all web communication) work together within Chrome/Chromium's architecture, which has become the industry standard influencing all major browsers.

We dig into a lesser known articfact, the Windows Defender Detection History (WDDH) file. This file is generated by Windows Defender (on Windows 10 and later) upon threat identification and contains some valuable information such as threat file hash, associated users, file path and initiating processes.

Capabilities provide a more granular and potentially stealthy way to grant necessary privileges than SUID/SGID, and if not monitored, they can introduce significant security risks. In this article, we provide some techniques to effectively hunt for files with capabilities set.

This blog post contains an example of running and configuring the FortiGate VPN-SSL Honeypot project. We will se how to install and run it, collect and analyse logs, generate reports, provide an example of hunting for leaked or deliberately planted passwords, and detect a symlink exploit attempt.