XiaoliChan
@Memory_before

1.1K posts

Hey👋 , XiaoliChan is here

Joined January 2017
459 Following, 306 Followers
XiaoliChan retweeted
Phith0n @phithon_xg
Ghost Bits is brilliant research: i.blackhat.com/Asia-26/Presen… Now you can reproduce CVE-2025-41242 in Vulhub, a Spring/Jetty path traversal caused by Ghost Bits: github.com/vulhub/vulhub/… This issue exists in spring-boot-starter-jetty <= 3.2.4 with zero configuration.
XiaoliChan retweeted
Haidar @haider_kabibo
So here is a new local privilege escalation zero-day I discovered, not patched yet too :). In simple terms, if you have a service like RDP that exposes an RPC server, there are many system services running as SYSTEM that connect to it as RPC clients. If that service is turned off (RDP is off by default), it seems that any other process in Windows can expose the same RPC server using the same endpoint. Now all the RPC calls from those SYSTEM processes will come to this fake server, and if the process that deployed the server has SeImpersonatePrivilege, it can escalate to SYSTEM by impersonating the RPC client. In the white paper below, I describe five exploit paths you can abuse. However, it's an architecture problem and maybe there are more. It's Not A Potato securelist.com/phantomrpc-rpc…
XiaoliChan retweeted
BriPwn @BriPwn
Your EDR just coerced itself. 🫠 Drop a crafted LNK → MsSense.exe makes a CreateFile call → machine account hands over its Net-NTLMv2 hash over WebDAV → relay to LDAP → Shadow Credentials or RBCD. No user interaction. No exotic exploit. Just vibes and a shortcut file. If you're running Microsoft Defender for Endpoint, this one is literally about you. 👀 Full attack + detection breakdown 👇 youtu.be/30Qiq_Gt_bA #purpleteam #MDE #NTLMcoercion #detectionengineering
XiaoliChan retweeted
MDSec @MDSecLabs
Our latest post on the blog details a Windows EoP courtesy of @filip_dragovic... "Total Recall – Retracing Your Steps Back to NT AUTHORITY\SYSTEM" - mdsec.co.uk/2026/02/total-…
XiaoliChan retweeted
Panos Gkatziroulis 🦄 @ipurple
Stuck Without Coercion options? Why not just Coerce MDE? medium.com/@Sniffler/stuck-without-coercion-options-why-not-just-coerce-mde-aecc23b43b66
XiaoliChan retweeted
Dirk-jan @_dirkjan
Forgot to post it, but the recording of my Black Hat talk was released last week. If you're interested in all the hybrid AD attack surface you never knew about, give it a watch: youtu.be/rzfAutv6sB8?si…
XiaoliChan retweeted
Silky @S1lky_1337
Dropping a new article. It's about a new local privilege escalation technique that becomes viable when a writable system path is present. Yet another technique. It uses Windows Audio for escalation and doesn't require system reboots. medium.com/@S.1.l.k.y/abusing-windows-audio-for-local-privilege-escalation-1d59440116cb
XiaoliChan retweeted
Andrea P @decoder_it
Lots of recent posts on NTLM reflection → AD compromise. To be clear: real fix is CVE-2025-54918, not CVE-2025-33073. Until Oct 2025, any user could own a 2025 domain if DCs ran Print Spooler. shorturl.at/4WpRh
XiaoliChan retweeted
Andrea P @decoder_it
Blog post about my recent CVE-2025-58726, aka “The Ghost Reflection” is out, read it here: semperis.com/blog/exploitin… 🙃
XiaoliChan retweeted
SpecterOps @SpecterOps
SCCM admins: review your roles. MSSQL admins: review ALTER ANY LOGIN exposure. @_Mayyhem details CVE-2025-47179 & CVE-2025-49758 and how these escalations can be identified through graph analysis. Check out his blog post for more! ghst.ly/49Fj4fM
XiaoliChan retweeted
n00py @n00py1
NTLM reflection attacks can be used to compromise Active Directory domains even with SMB signing if systems aren’t fully patched. depthsecurity.com/blog/using-ntl…
XiaoliChan retweeted
0xedh @0xedh
Spent some time porting DumpGuard to C as a BOF. Abuses Remote Credential Guard to pull NTLMv1 hashes without going near LSASS or needing admin. Shoutout to @bytewreck for the original research. github.com/0xedh/dumpguar…
XiaoliChan retweeted
TrustedSec @TrustedSec
Service triggers can be a pentester’s secret weapon, letting low-priv users quietly fire up powerful services. In our new blog, @freefirex2 breaks down the types of service triggers that exist and how they can be activated with little to no code required. trustedsec.com/blog/theres-mo…
XiaoliChan retweeted
Alex Neff @al3x_n3ff
We suggest assigning such vulnerable templates the new ESC number 17 (ESC17) to help identify and mitigate these risks. You can read our blog post here: blog.digitrace.de/2026/01/using-… 2/2🧵