SkelSec

6.8K posts

@SkelSec

CEO and Co-Founder of Octopwn

Joined June 2014
444 Following · 11.9K Followers
SkelSec @SkelSec
Recent LLM driven CVEs: "I have a concept of an LPE"
SkelSec retweeted
S3cur3Th1sSh1t @ShitSecure
Anyone interested in what you need for proper loader development in 2026? My talk for @x33fcon was accepted, so I'll talk about Malware again. 🔥 It's a unique talk and will only be held there this year! Hope to see some of you in Poland. 😎
SkelSec retweeted
Petr Beneš @PetrBenes
I often need to explore Windows kernel crashdumps when I'm on Linux/macOS. WinDbg unfortunately doesn't work in Wine. So... I did a thing. It's multiplatform - doesn't depend on dbgeng.dll nor DIA. WinDbg-flavored. And it's fast. Really fast. github.com/vmi-rs/ephemera
SkelSec retweeted
🥝🏳️‍🌈 Benjamin Delpy
Just pushed a minor update to #mimikatz 2 🥝(no - it's *NOT* the version 3) to support specific GMSA DPAPI passwords in LSA secrets to be able to decrypt Masterkeys > github.com/gentilkiwi/mim… Only for @topotam77 convenience ;)
SkelSec @SkelSec
@notdan As usual ppl "forget" to give kudos to me :/ that's all
SkelSec @SkelSec
Shit like this makes my blood boil, and ppl wondering why I'm pushing out less and less public code...
Co11ateral @co11ateral

New Mimikatz Researchers took an old version of Mimikatz and taught it how to dump credentials from the latest operating systems! The research: medium.com/@tanrikuluatahan/fixing-mimikatz-sekurlsa-logonpasswords-on-windows-11-24h2-25h2-253e82866197 The repo: github.com/tanrikuluataha… #redteam #pentesting

SkelSec @SkelSec
@UK_Daniel_Card pypykatz had this logic implemented since last year, most of this article is just porting that logic to mimikatz... without mentioning me. Again. At this point this is a running joke that I'm getting 0 fucking kudos either deliberately or by "forgetting"
mRr3b00t @UK_Daniel_Card
@SkelSec wasn't meaning to be hurtful mate, it was a question... what's wrong with what they did? *hugs* wasn't throwing shade.
SkelSec @SkelSec
@UK_Daniel_Card Dunno how to react to your comment as it's completely missing the point, and is a bit hurtful :/
mRr3b00t @UK_Daniel_Card
@SkelSec people innovating based on open source makes your blood boil? fairly sure everyone learns by reading books, looking at others work etc.
SkelSec @SkelSec
@abdo_mhanni @lowercase_drm @0x64616e Nah man, don't try to make my projects mainstream. After the fifth time I'm sure they'll get it right and they won't have to credit me again...
Abdul Mhanni @abdo_mhanni
@lowercase_drm @0x64616e I don’t see why impacket isn’t moving to @SkelSec msldap. They mentioned in response to someone’s PR that they are moving away from ldap3 and improving their own. Kinda weird to reinvent the wheel when msldap already does it all very well
drm @lowercase_drm
The conclusion of my last post (offsec.almond.consulting/ldap-authentic…) is « Since a lot of impacket’s examples are based on ldap3, it seems easy to adapt them to work against hardened domain controllers ». Good job @0x64616e!
SkelSec retweeted
Simone Margaritelli @evilsocket
Duuuude VulDB is the worst, they made public all 3 of my original disclosures that include the fully working root shell exploits ....
FooSecn00b @foosecn00b
@SkelSec You’re gonna need a van or a trench coat.
SkelSec @SkelSec
Pssst! Hey, kid! Wanna buy SOC2?
Marcello @byt3bl33d3r
The answer is yes*. Most pentests are for web apps and compliance driven anyway. If you think companies won't jump at the opportunity of cheaper pentests to satisfy their compliance requirements you're deluding yourself (regardless of the AI component). "AI driven" Internal network pentests I'd imagine will be a harder pill to swallow, but it's doable at a technical level with the current generation of LLMs. Red Teaming is a different story.
Medusa @medusa_0xf

Will pentesting be replaced by AI? 🤔

solst/ICE of Astarte @IceSolst
@daveaitel We’ve all had infinitely growing backlogs with no incentive to address them. Whatever we were doing wasn’t comprehensive, many things swept under the rug. All of this is inevitable, almost nothing to do with AI. But 14 year olds being able to report bs makes it more annoying.
Dave Aitel @daveaitel
Fwiw the problem was never that AI slop was going to overwhelm security teams: the problem was that having their hidden technical debt all called in at once was going to overwhelm them. Chrome having as many bugs as it still does is the perfect case example.
SkelSec @SkelSec
Ohh... you have reached the API limits, so we replaced your coder with a mental patient who will use half a crayon to randomly change values in your code. (he already ate the other half)
SkelSec @SkelSec
Research workflow: 1. Idea 2. discussions with peers 3. chatting with LLMs 4. feasibility check 5. Airbus guys already did that 5 years ago I'm.... eeehhhh.... (Airbus people doing some really underrated research btw, props to them!)
SkelSec @SkelSec
@HackingLZ We have something interesting in this topic but stuck with explaining it to investors in EU so... :(
Justin Elze @HackingLZ
I’m really interested in what happens as places take a lot of investment money to build commodity OffSec LLM backed products, even as the barrier to entry keeps dropping. You eventually end up with what actually matters novel research, deep domain expertise, and humans.
SkelSec retweeted
S3cur3Th1sSh1t @ShitSecure
WSUS fake updates for LPE or RCE when HTTP is being used? This one took many days and troubleshooting with claude but now we have a C2-Capable tool for the full stack including poisoning plus fake update delivery - the only thing we need is a low privileged C2 session! 🔥