Chaotic Eclipse

Am I imagining things or did Microsoft not patch this yet ?

Another 0day unpatched LPE will be released soon.

Publicly disclosing the bluehammer exploit, at the time of writing this, this vulnerability is still unpatched. Full PoC source can be found here - deadeclipse666.blogspot.com/2026/04/public…

@chompie1337 not probing for write ?

@ClumsyLulz Someone verify if this is real

@0gtweet SAM hive is locked by kernel before smss starts

Unfortunately, MoveFileEx() with MOVEFILE_DELAY_UNTIL_REBOOT flag does not replace SAM file... 🙄 Somewhat expected, but I had to check 😅

Microsoft is preparing to kill many known KASLR bypasses in the next release. Unless the calling process has debug privilege enabled, kernel addresses will be stripped from the output data for all leaking NtQuery APIs

@EricaZelic You're already admin, what's the point ?

Stuck in *medium integrity* shell with *no credentials* running in context of local admin and cannot get a desktop session. You use a UAC bypass that gives you system. CVSSv3.1 score >8. Post-privesc to system, you get DA from breach host. How do you report this?

@never_released @mdowd @dwizzzleMSFT got convinced when he said big rocks ngl

@mdowd @dwizzzleMSFT I see all this (frankly) blah blah but the shipped product really does not convince.

Classic @dwizzzleMSFT

@EricaZelic Btw WIP has more services enrolled, not sure about W10 and W11

@EricaZelic Still work in progress and MSFT is working on fixing its weaknesses (SMB,REFS...). And a lot of services were enrolled (msiexec, profsvc, spoolsv, windows updates, AppX and several COM activated servers...) and yeah it's not audit only at this point.

. @dwizzzleMSFT what is this status on Redirection Guard? Does it apply only to the spooler? What Windows 10 and 11 editions come with it enabled? Or is it still in audit mode? Also, does this apply to Windows 10 as well? IDK how to tell a customer to mitigate it.

@YogevKotzer @BlueHatIL from the looks, I say he/she isn't even 1 year old

@BlueHatIL Im 21 +_+

You’re never too young too start hacking at #BlueHatIL 🐣

@ericlaw is it on edge yet ?

We should probably add IPFS Gateways to the list of "Suspicious Domains" in the Google Suspicious Site Reporter extension.

@cyb3rops Which AV is this one ?

I wished AV vendors would encrypt / pack their signature files

@janwilmans "Unused ram is wasted ram"

What are you doing windows?

@ericlaw @JosephRyanRies Just DebugPrivs lulz

@JosephRyanRies Nothing so exotic. Just Deny the Process.Terminate right. gist.github.com/ericlaw1979/45…

Lies MSDN tells.

@SwiftOnSecurity when Microsoft...

When Microsoft sees errors in the event log on a default installation of Windows

@ericlaw he didn't do anything wrong

Why was he arrested? abcnews.go.com/US/juvenile-ar…

@jonasLyk nvm figured it out

@jonasLyk which windows version you're using ? I keep getting STATUS_BAD_NETWORK_PATH

Allright, the following file open causes svchost to create the following file- a cached copy of the remote file, with quite restricted acl.