Aurélien Chalot

1.6K posts

@Defte_

Hacker, sysadmin and security researcher @OrangeCyberdef 💻 Calisthenic enthusiast 💪 and wannabe philosopher https://t.co/SqDDhIGGGh 📖 🔥 Hide&Sec 🔥

The grid · Joined November 2017
475 Following · 4.2K Followers
Pinned Tweet
Aurélien Chalot@Defte_·
Dumping LSASS is old school. If an admin is connected on a server you are local admin on, just create a scheduled task asking for a certificate on his behalf, get the cert, get its privs. All automatized in the schtask_as module for NetExec 🥳🥳🥳
那个火饺🦆(JJ)@thatjiaozi·
Note to self: i should quit and open a bakery fml
Aurélien Chalot retweeted
Alex Neff@al3x_n3ff·
Releasing one of my research tools: EVENmonitor🖥️ Inspired by LDAPmonitor, I implemented a monitoring tool for the Windows Event log in pure python. You can just attach it via the network and then filter for specific event IDs or keywords. Available at: github.com/NeffIsBack/EVE…
Callum Stewart@stewart_sec·
@sekurlsa_pw @RedHatPentester So from a low priv user you can determine if a PSO exists and which users it applies to but you can’t see the policy details. W/ a DA acct you can see policy details. If I see a PSO I just refuse to spray any users that it applies to unless the client will tell me the details
Nana Sei Anyemedu@RedHatPentester·
If a pentester ignores the password policy and performs password spraying blindly, they may unintentionally lock multiple user accounts. This can disrupt business operations and immediately alert system administrators to suspicious activity. For example, if the policy locks accounts after five failed login attempts, spraying several passwords too quickly across many accounts could trigger a mass lockout event. By reviewing the password policy first, the penetration tester can design a controlled and stealthy spraying strategy. Knowing the lockout threshold allows the tester to limit attempts to safe numbers and space them out over time.
Garrett@unsigned_sh0rt·
@Defte_ @Sniffler0x1 I'm re-reading the thread and realizing the perspective you're coming from now. In SCCM you can enable a setting to not automatically approve unknown clients. You can also define boundary groups for new clients which gives you some granularity on approval.
Aurélien Chalot@Defte_·
Dumb question. I'm fine-tuning my AD recommendation and work on the NAA SCCM. There's one thing I don't get. Since we need the domain computer password to retrieve the NAA password from the HTTP endpoint, why do we need the NAA account if we already have a computer account ?
Garrett@unsigned_sh0rt·
@Defte_ @Sniffler0x1 initially it's a self-signed certificate (or PKI if they have AD CS setup) that's used by the client to start the enrollment process with the management point
management point sends the NAA, NAA gives access to shares
Aurélien Chalot@Defte_·
@Sniffler0x1 and ultimately, how ehttp fixes the problem ? There's no more NAA account but I don't get how the DP knows that a non domain joined account can authenticate and be provisioned. I should just read more documentations I guess D
Aurélien Chalot@Defte_·
@Sniffler0x1 So the real question I have got, is why would that account be spread via the HTTP endpoint. If the computer is not domain joined, it cannot reach that endpoint anyway. But yeah, if the computer boots via PXE, then the password is used to reach the AD
Aurélien Chalot@Defte_·
@ShitSecure Found some reasons although I still don't get why that mechanism even exists xD
Aurélien Chalot@Defte_·
@ShitSecure Is this some kind of a legacy issue as we see everyday in the windows world ? ahah
Aurélien Chalot@Defte_·
Is this just a fallback account, in case the computer account fails at doing something ?
Aurélien Chalot@Defte_·
Some papers mention the "if another account is needed to provision the computer" but the computer account is enough to read SMB shares where scripts and packages are stored. Also, the computer is already enrolled in the AD. What would be a legit use case of that account then?
Aurélien Chalot@Defte_·
@sama How can you even trust AI won't be misused by dow when your country is run by a fool crying on twitter when Anthropic refused the deal ? "Communist leftist" whatever bullcrap this is. The guy broke every rules but still you manage to believe he won't break your terms ?
Sam Altman@sama·
I'd like to answer questions about our work with the DoW and our thinking over the past few days. Please AMA.
Aurélien Chalot retweeted
Boschko@olivier_boschko·
Discovered 2 RCEs in Unitree Go2 with @ruikai. CVE-2026-27509 is unauth'd over DDS. CVE-2026-27510 is the same sink, different source. Dropped the 32-minute technical writeup from unboxing to shells. Hope you enjoy the read! ❤️ boschko.ca/unitree-go2-rce