Dlive (@d1iv3)'s Twitter Profile
Dlive

@d1iv3

Security Researcher. 2022 MSRC MVR. Windows Active Directory Security / Cloud Security / Web Security. Tweets are my own.

ID: 3193066022

Joined: 12-05-2015 10:34:32

152 Tweets

2.2K Followers

1.1K Following

Black Hat (@blackhatevents):

During #BHASIA Briefing "CertifiedDCOM: The Privilege Escalation Journey to Domain Admin with DCOM" we will uncover a remote attack surface of DCOM and disclose a critical vulnerability related to it. Register now >> bit.ly/49yr4xw
Dlive (@d1iv3):

We can relay back to the same machine using Kerberos relay instead of NTLM relay. I discovered this attack vector more than a year ago. I will describe it in detail in upcoming Black Hat Asia 2024 blackhat.com/asia-24/briefi… and introduce more interesting attacks.
Sagie Dulce (@sagiedulce):

Great content from Dlive, introducing 𝗿𝗲𝗺𝗼𝘁𝗲 privilege escalation via #NTLM & #Kerberos over DCOM. I would recommend also using the #RPCFirewall as mitigation on your ADCS servers :) #BHASIA
James Forshaw (@tiraniddo):

Taking a cue from Dlive and Andrea Pierini's work on inducing authentication out of remote DCOM I thought I'd quickly write up a post about getting Kerberos authentication out of the initial OXID resolving call. tiraniddo.dev/2024/04/relayi…

Dlive (@d1iv3):

James Forshaw Andrea Pierini Great research! I think it's not limited to the OXID resolving call; I can even use previous coerced authentication methods like PetitPotam to perform Kerberos Relay. Long live Kerberos Relay!
Jonny Johnson (@jsecurity101):

Without further ado - here is EtwInspector! This is a C++ tool to help users interact with ETW providers. This tool supports the enumeration of providers and their events, and the capture of events. github.com/jsecurity101/E…

X1r0z (@x1r0z):

How can I analyze and reproduce the Nexus Repository 3 Path Traversal Vulnerability (CVE-2024-4956) with Java Fuzzing (Jazzer) exp10it.io/2024/05/%E9%80…

Charles Fol (@cfreal_):

The first part of the blog series: #Iconv, set the charset to RCE. We'll use #PHP filters and #CVE-2024-2961 to get a very stable code execution exploit from a file read primitive. #cnext

sagitz (@sagitz_):

We found a Remote Code Execution (RCE) vulnerability in @Ollama - one of the most popular AI inference projects on GitHub. Here is everything you need to know about #Probllama (CVE-2024-37032) 🧵👇
S3cur3Th1sSh1t (@shitsecure):

Didn't check the code yet, but looks like SilverPotato and CertifiedDCOM have a working public weaponized tool by now: github.com/CICADA8-Resear… That's huge news from my perspective🔥

S3cur3Th1sSh1t (@shitsecure):

Jeff McJunkin To understand what it does, you had better read the original publications from Andrea Pierini and/or Dlive, plus the linked blog from James Forshaw. For me this readme is perfectly fine. All details were published before.

Sean Metcalf (@pyrotek3):

Windows Server 2025 Active Directory Updates Thread! Server 2025 is in preview, so I took a look at updated features, specifically Active Directory, with a focus on security features. Article: What's new in Windows Server 2025 (preview) learn.microsoft.com/en-us/windows-… #AD2025🧵

Sean Metcalf (@pyrotek3):

In today's WTF?!?!? moment: when an ESXi server is domain-joined, it assumes any "ESX Admins" group & its members should have full admin rights. So.... anyone who can create & manage a group in AD can get full admin rights to the VMware ESX hypervisors! microsoft.com/en-us/security…

Compass Security (@compasssecurity):

DCOM cross-session coercion + Kerberos = 💣 We took a closer look at the attacks discovered by Andrea Pierini and Dlive earlier this year and made a PoC in Python! Curious? Full blog post here: blog.compass-security.com/2024/09/three-… #potato #impacket
TrustedSec (@trustedsec):

During a recent engagement, Justin Bollinger discovered how an attacker can craft a CSR by using default system certificates. After finding out this method was novel, the team kept digging. Read what they found in our new #blog! hubs.la/Q02SCqpG0

Unit 42 (@unit42_intel):

We have identified vulnerabilities in Microsoft Azure Data Factory’s integration with Apache Airflow that allow attackers to gain persistent shadow admin control, impact centralized log tampering, and more. Learn how to protect your cloud environment: bit.ly/3VJlrbf
Yuki Chen (@guhe120):

Nice analysis, but it seems this PoC is for an information leak bug (CVE-2024-49113?) I reported that is incorrectly tagged as DoS. So instead of calling it LDAPNightmare I'd prefer LdapBleeding. And Security Response, could you please help correct the bulletin🤣?