Clément Labro
@itm4n.bsky.social
430 followers 58 following 15 posts
Pentest & Windows security research
itm4n.bsky.social
🆕 New blog post!

"Offline Extraction of Symantec Account Connectivity Credentials (ACCs)"

Following my previous post on the subject, here is how to extract ACCs purely offline.

👉 itm4n.github.io/offline-extr...

#redteam #pentesting
Screenshot showing the output of the proof-of-concept tool "SMAStorageDump", where ACCs are duly decrypted.
itm4n.bsky.social
🆕 New blog post!

"Checking for Symantec Account Connectivity Credentials (ACCs) with PrivescCheck"

This blog post is not so much about PrivescCheck, but rather brings additional insight to the original article published by MDSec on the subject.

👉 itm4n.github.io/checking-sym...

#redteam
Sample output of PrivescCheck showing the information collected about the Symantec Management Agent (SMA).
itm4n.bsky.social
🆕 New blog post! It's a rather short one, nothing crazy. Just wanted to share a random finding I made recently. 🤷‍♂️

'Hijacking the Windows "MareBackup" Scheduled Task for Privilege Escalation'

👉 blog.scrt.ch/2025/05/20/h...

#pentest #pentesting #redteam #windows #privilegeescalation
Hijacking the Windows “MareBackup” Scheduled Task for Privilege Escalation – SCRT Team Blog
blog.scrt.ch
itm4n.bsky.social
Another example of a Windows 0-day found with PrivescCheck. Congrats to Compass Security for investigating the issue and exploiting it. 👏

blog.compass-security.com/2025/04/3-mi...
itm4n.bsky.social
You're absolutely right! 😬
Thanks for your message. I'll do that. 🙂
This whole DLL thing is essentially a dirty hack anyway.
itm4n.bsky.social
In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. 💪

👉 blog.scrt.ch/2025/02/18/r...
Screenshot showing the execution of the proof-of-concept named PowerChell in comparison to a typical PowerShell prompt. In particular, it shows that PowerChell is able to bypass the Constrained Language Mode (CLM).
itm4n.bsky.social
Really great blog post about bypassing BitLocker using "PXE soft reboot" (even if PXE boot is disabled in the BIOS).

"Windows BitLocker -- Screwed without a Screwdriver"

👉 neodyme.io/en/blog/bitl...
👉 media.ccc.de/v/38c3-windo...
Windows BitLocker -- Screwed without a Screwdriver
Breaking up-to-date Windows 11 BitLocker encryption -- on-device but software-only
neodyme.io
itm4n.bsky.social
I updated the diagram representing the different Point and Print configurations and their exploitation on my blog.

Hopefully, this should provide a better understanding of the whole "PrintNightmare" situation to both defenders and red teamers. 🤞
Diagram representing the various Windows Point and Print configurations that reintroduce the PrintNightmare exploit variants.
itm4n.bsky.social
Interestingly enough, MS disabled the "Use my Windows user account" checkbox when connecting to Wi-Fi on the lock screen to address CVE-2024-38143 in the August Patch Tuesday.

This change completely remediates the "Airstrike" attack as well. 🤯

support.microsoft.com/en-us/topic/...
August 13, 2024—KB5041585 (OS Builds 22621.4037 and 22631.4037) - Microsoft Support
support.microsoft.com
Reposted by Clément Labro
decoder-it.bsky.social
I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win & Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...
itm4n.bsky.social
Thanks!
Yes, I already thought about doing something like this, and I already took a look at cross-references to find the offset of the object. I didn't take the time to check older versions though, there might be some diffs to take into consideration. There is clearly more to work on. :)
itm4n.bsky.social
🆕 New blog post! "Exploiting KsecDD through Server Silos"

In my latest mini research project, I've been working with my teammate @PMa1n (X) on extending the work of @floesen_ (X) on the KsecDD driver. I'm thrilled to finally share the results.

👉 blog.scrt.ch/2024/11/11/e...
Exploiting KsecDD through Server Silos – SCRT Team Blog
blog.scrt.ch
itm4n.bsky.social
"A Trick, The Story of CVE-2024-26230" by k0shl

Write-up about the discovery and exploitation of a UAF vulnerability in the Windows Telephony service + CFG bypass leading to local privilege escalation. 🔥🔥🔥

whereisk0shl.top/post/a-trick...
A trick, the story of CVE-2024-26230
whereisk0shl.top
itm4n.bsky.social
🆕 New PrivescCheck extended check!

ℹ️ The script can now enumerate dangerous default file extension associations, such as '.bat' or '.wsh'.

⚠️ A manual review of the result is always recommended, but for the most part, it should be fine.

github.com/itm4n/Prives...
GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for Windows
Privilege Escalation Enumeration Script for Windows - itm4n/PrivescCheck
github.com