Clément Labro (@itm4n)'s Twitter Profile

Pentest & Windows security research

(I stopped using this account in December 2022)
➡ Mastodon: @[email protected]

ID: 927965973738610688

https://itm4n.github.io/ | 07-11-2017 18:28:23

346 Tweets

7,7K Followers

167 Following

Antonio Cocomazzi (@splinter_code):

#RemotePotato0 new release! Now you can also grab and steal the NTLMv2 hashes of every user logged on a machine from an unprivileged user! ✅ works fully local - no network interaction (except win 2019) ✅ ntlm related ✅ won't fix Windows in 2k21 cc Andrea Pierini

leandro (@0xdeaddood):

NTLM relay over and over again! Great blog post by Sylvain Heiniger explaining a new NTLM relay attack vector over RPC using MS-DCOM... and #impacket 😀 blog.compass-security.com/2021/08/relayi…

Clément Labro (@itm4n):

Thanks to @SAERXCIT, #PrivescCheck now enumerates volume shadow copies and checks whether SAM/SYSTEM/SECURITY files are readable as a low-priv user. #HiveNightmare #SeriousSAM 👉 github.com/itm4n/PrivescC…

Clément Labro (@itm4n):

Some of you asked for a part 2, so here you go! 🔥 From RpcView to #PetitPotam 🔥 👉 itm4n.github.io/from-rpcview-t… In this post I explain how you can reproduce the #PetitPotam trick using RpcView, but the same principle can be applied to any Windows RPC interface. 🙂

Oliver Lyak (@ly4k_):

Exploit for CVE-2021-40449 released S/O to RedDrip Team who created an exploit based on my original PoC, and then I made an exploit based on their exploit, which is based on my PoC. Funny. Features a neat technique from RedDrip that I hadn't seen before github.com/ly4k/CallbackH…

Antonio Cocomazzi (@splinter_code):

My last blog post for 2021 is out! 🔥 The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory Enjoy the read :D splintercod3.blogspot.com/p/the-hidden-s…

Nick Powers (@zyn3rgy):

You like NTLM relays to LDAP? Same. There's a unique error that will identify whether LDAP EPA (channel binding) is enforced, and it can be determined from an unauthenticated perspective. Here's a PoC to check for both channel binding and server signing: github.com/zyn3rgy/LdapRe…

Clément Labro (@itm4n):

I revisited the Credential Guard bypass originally discussed by NA. Have a nice reading! 🙂 👉 itm4n.github.io/credential-gua… TL;DR It is possible to get rid of hardcoded offsets...

clearbluejar (@clearbluejar):

Cheers to Clément Labro for inspiration, topotam for PetitPotam, and James Forshaw for NtObjectManager. New post detailing #RPC auditing with NtObjectManager clearbluejar.github.io/posts/from-nto…

pre.empt (@preemptdev):

🧵In part 5 of the blog series we're looking at implementing and bypassing common EDR functionality. As a part of this we look at Kernel Callbacks, Hooks, and Thread Call Stacks: pre.empt.dev/posts/maelstro… 1/3

Clément Labro (@itm4n):

The July 2022 update of Windows 10/11 killed PPLdump 💀😢 Find out how in this blog post... 👉 itm4n.github.io/the-end-of-ppl…

Oliver Lyak (@ly4k_):

Certipy reached 1k stars on GitHub. Let’s celebrate with a brand new version, new research, a forked BloodHound GUI with ADCS support, and many new features, for instance Schannel authentication via LDAPS, SSPI authentication, and much more! research.ifcr.dk/certipy-4-0-es…

Clément Labro (@itm4n):

Some news about PrivescCheck! 📰 If you are a Metasploit user, please note that I finally solved a (stupid) issue that prevented the script from working properly with "powershell_execute". 🥳 More info on GitHub. 👉 github.com/itm4n/PrivescC… 👉 github.com/itm4n/PrivescC…

Insomni'hack (@1ns0mn1h4ck):

Save the Date ! Insomni'hack 2023 will be on March 20th - 25th 2023 and we will be at a brand new venue in Lausanne ! More details: insomnihack.ch/insomnihack-20… #INSO23 #CTF #STCC Photo: STCC

KevinLu (@k3vinlusec):

Here is my new blog "Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis", Part 2 will be released soon. Stay tuned!

Dirk-jan (@_dirkjan):

The python BloodHound ingestor was updated to support GPO/OU/container collection. Thanks to Thomas Seigneuret for the PR. The python version is now functionally equivalent to the official C# version for DCOnly collection. Also thanks to Clément Labro who added registry based session enum 🔥

Clément Labro (@itm4n):

I didn't want to rush it. Though, I finally took the decision to leave Twitter. 😢 See you on the other side. 👋 @[email protected] infosec.exchange/@itm4n#