Antonio Cocomazzi (@splinter_code)'s Twitter Profile
Antonio Cocomazzi

@splinter_code

offensive security - windows internals | BlueSky: bsky.app/profile/splint… | Mastodon: infosec.exchange/@splinter_code

ID: 765654623461994496

Link: https://splintercod3.blogspot.com/
Joined: 16-08-2016 21:01:02

1.1K Tweets

8.8K Followers

329 Following

Tim Willis (@itswillis)

Two new posts from James Forshaw today: googleprojectzero.blogspot.com/2025/01/window…, on reviving a memory trapping primitive from his 2021 post, and googleprojectzero.blogspot.com/2025/01/window…, where he shares a bug class and demonstrates how you can get a COM object trapped in a more privileged process. Happy Reading! 📚

Daniel (@0x64616e)

NTLM Relaying with DCOM cross-session activation over an external OXID resolver. This variant has the advantage over regular RemotePotato0 that all connections are established from victim to attacker and none in the opposite direction. Credits go to MrAle98 (@MrAle_98).

Andrea Pierini (@decoder_it)

Notes from the Field: My journey in trying to change Windows password in the most complex way, purely for fun, very little profit, but definitely a fun challenge! More details here ➡️ decoder.cloud/2025/02/11/cha…

Joe Desimone (@dez_)

Multi-Platform FINALDRAFT malware targeting government orgs. Outlook drafts for C2. We published a deep dive on the malware and another on the campaign. Great research by the team! elastic.co/security-labs/… elastic.co/security-labs/…

Cyber Saiyan | RomHack Conference, Training, Camp (@cybersaiyanit)

🚀 #RomHack 2025 #callforpapers is OPEN! Are you a #cybersecurity pro with a passion for sharing knowledge? This is your chance to take the stage at #RomHack2025 📩 Apply now: cfp.romhack.io/romhack-2025/c… #InfoSec #hackercommunity

Andrea Pierini (@decoder_it)

Another simple standalone tool for creating machine accounts with a custom password in Windows AD github.com/decoder-it/New…

Samir (@sbousseaden)

Great work! A few detection points:

- registry change "HKLM\SOFTWARE\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\TreatAs\"
- WaaSMedicSvc loading CLR (result of .NET execution in the context)
- Impersonation as Trusted Installer.

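As an added example (not code from the post above, nor from any tool it refers to), the first two detection points can be turned into a small correlator over Sysmon-style events: a registry write under the quoted CLSID's TreatAs key, and a CLR image load inside the svchost instance that hosts WaaSMedicSvc. The event records are constructed sample data whose field names follow Sysmon's schema (EventID 1 = process create, 7 = image load, 12/13 = registry key/value); the svchost command line and the service-group name in the sample are illustrative, and the list of CLR module names is an assumption, not a complete one.

```python
"""Correlate Sysmon-style events into the two detections quoted above.
All events below are constructed sample data, not captured telemetry."""
import re

# CLSID named in the post; any TreatAs key written under it is suspicious.
TARGET_CLSID = "{0BE35203-8F91-11CE-9DE3-00AA004BB851}"
TREATAS_RE = re.compile(
    r"\\Classes\\CLSID\\" + re.escape(TARGET_CLSID) + r"\\TreatAs",
    re.IGNORECASE,
)
# Module names that indicate the .NET runtime was mapped into a process
# (assumed set; extend for your environment).
CLR_IMAGES = ("clr.dll", "mscoree.dll", "mscorlib.ni.dll", "coreclr.dll")

# Constructed sample events in time order. A real pipeline would read them
# from the Sysmon operational log (EVTX) or a SIEM export.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k wusvcs -p -s WaaSMedicSvc"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 13, "ProcessGuid": "{C3}", "Image": r"C:\Users\bob\tool.exe",
     "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\TreatAs\(Default)",
     "Details": "{DEADBEEF-0000-0000-0000-000000000001}"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
]


def is_waasmedic_process(cmdline):
    """svchost.exe hosts many services; the -s switch names the one this
    instance runs, so match on it rather than on the image path."""
    return re.search(r"-s\s+WaaSMedicSvc\b", cmdline, re.IGNORECASE) is not None


def detect(events):
    """Return a list of (rule_name, description) alerts.

    Events are assumed to arrive in time order: the process-create event
    for the WaaSMedicSvc host must be seen before its image loads, which
    is how Sysmon emits them."""
    alerts = []
    waasmedic_guids = set()  # ProcessGuids of svchost instances hosting WaaSMedicSvc
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and is_waasmedic_process(ev.get("CommandLine", "")):
            waasmedic_guids.add(ev["ProcessGuid"])
        elif eid in (12, 13) and TREATAS_RE.search(ev.get("TargetObject", "")):
            # Detection point 1: TreatAs redirection of the target CLSID.
            alerts.append(("treatas_hijack",
                           f"{ev['Image']} wrote {ev['TargetObject']} = {ev.get('Details', '')}"))
        elif eid == 7 and ev["ProcessGuid"] in waasmedic_guids:
            # Detection point 2: the CLR mapped into the WaaSMedicSvc host.
            loaded = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
            if loaded in CLR_IMAGES:
                alerts.append(("waasmedic_clr_load",
                               f"WaaSMedicSvc host {ev['ProcessGuid']} loaded {ev['ImageLoaded']}"))
    return alerts


if __name__ == "__main__":
    for rule, msg in detect(EVENTS):
        print(f"[{rule}] {msg}")
```

Run against the sample it raises two alerts, one per detection point; the Schedule-hosting svchost loading ntdll.dll is correctly ignored. The third point in the post, impersonation as TrustedInstaller, needs token or logon telemetry that Sysmon does not provide and is not covered here.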
Andrea Pierini (@decoder_it)

KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/Krb…

Samir (@sbousseaden)

New #elastic Defend rules out:
- PPL bypass via ComDotNetExploit
- Execution via Windows-Run (trending delivery method ITW)
github.com/elastic/protec…

Boris Larin (@oct0xor)

We (me + Igor Kuznetsov) have discovered a new Google Chrome 0-day that is being used in targeted attacks to deliver sophisticated spyware 🔥🔥🔥. It was just fixed as CVE-2025-2783 and we are revealing the first details about it and “Operation ForumTroll” securelist.com/operation-foru…

Microsoft Threat Intelligence (@msftsecintel)

Microsoft has discovered post-compromise exploitation of CVE-2025-29824, a zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS), against a small number of targets. msft.it/6019qIVV9

Elad Shamir (@elad_shamir)

NTLM relay is still a major threat and is now even easier to abuse. We just added new NTLM relay edges to BloodHound to help defenders fix and attackers think in graphs. Read my detailed post - the most comprehensive guide on NTLM relay & the new edges: ghst.ly/4lv3E31

Andrea Pierini (@decoder_it)

I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it's a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️ decoder.cloud/2025/04/24/fro…

Cyber Saiyan | RomHack Conference, Training, Camp (@cybersaiyanit)

Another Monday. Another week of… endless emails, annoying meetings, and oh look, a three-headed monkey behind you!

Now that we have your attention, we can unveil the agenda for #RomHack2025 romhack.io/romhack-confer…

#infosec #securityconference