Andrea P
1.8K posts

Andrea P
@decoder_it
Security Consultant @semperistech . Independent Security Researcher. Cyclist & Scubadiver. MSRC MVR 2022. "So di non sapere"
Katılım Mayıs 2009
322 Takip Edilen9.3K Takipçiler

@msftsecresponse Using total bounty awards as the ranking metric effectively turns the leaderboard into an earnings leaderboard 🤷♂️
English

Today, we're proud to recognize the Top 100 Microsoft 2026 Most Valuable Researchers (MVRs).
Security researchers play a critical role in helping protect customers by identifying and reporting vulnerabilities across Microsoft products and services. We're grateful for their partnership and the impact they have made over the past year.
Congratulations to this year's Top 10 MVRs:
🥇C46F3708A45EF0041BD0A49DDAEA0E25
🥈ShinHyuiq & Alan Pang
🥉cherrypick
4. Brad Schlintz (@nmdhkr)
5. wtm (@wtm_offensi)
6. Asaf Cohen (XBREACH.AI)
7. bccc95a61a3cc79d7b2c4423c808f744
8. Felix B.
9. 142a423e2574abf10d65eba46891ca5e
9. Anonymous
This year, we updated the MVR leaderboard to rank researchers based on total bounty awards, creating a clearer connection between recognition and security impact. We also introduced Special Mentions to recognize researchers who submitted valid vulnerability reports during the recognition period, regardless of leaderboard ranking.
See our blog for the complete list of the Top 100 MSRC 2026 Most Valuable Researchers and the top researchers by bounty program: microsoft.com/en-us/msrc/blo…
Thank you to every researcher who partnered with us this year to help protect customers worldwide.

English

Although this is a well-known topic, it's still one of my favorites. I put together a concise reference covering the most dangerous Windows privileges, how they can be abused, and why you should think twice before assigning them 👉 semperis.com/blog/windows-p…
English

For the IT admins & security folks who are unaware...
In Windows Server 2025, RPC over named pipes (via SMB) for the Print Spooler is disabled by default. I believe this started with Windows Server 2022 23H2 and up.
Also EFS is now similar to WebClient where it can be targeted but has to be activated first. There's a netexec module to perform this one for inquiring minds...
It's also common to see DFS on Domain Controllers but of course it's not enabled by default.
So tools like Coercer seem to not be too successful against Server 2025 in basic out of the box configurations.


English

@StefanoPutinati Non entro nel merito dell’articolo e del suo autore, ma senza quelli con la “piccozzetta” come scrivi tu non avremmo acqua, petrolio, minerali indispensabili per la tecnologa e il suolo su cui si regge l’agricoltura. Una professione così importante merita rispetto e riconoscenza.
Italiano

@PalliCaponera Vi ricordo che, per le raccomandate inviate dall’Agenzia delle Entrate e da altri enti pubblici, è possibile attivare il domicilio digitale, che consentirà di ricevere direttamente le comunicazioni e le raccomandate sulla vostra PEC.
Italiano

@vxunderground Totally agree, when my iPhone battery dies, I just buy a new iPhone 😂
English
Andrea P retweetledi

I just wrote a new blog on bypassing CA policies in Entra ID that have a resource exclusion, and why you probably want to enable baseline enforcement if you have such policies. Enjoy!
dirkjanm.io/bypassing-cond…
English

@_Nikkey__ @AndreaConsonni4 Va bene dai, fai come vuoi. Nel frattempo il mondo va avanti.
Italiano

@decoder_it @AndreaConsonni4 Certo, cosi te se 'nculano più comodamente.
L'app io è quella del green pass ?
Ora la installo, sicuro proprio...
Italiano

@malimorte Con i telefoni di oggi è più un rischio da laboratorio. Tecnicamente può esistere, ma nella pratica è raro e richiede condizioni particolari. Mi preoccuperei molto di più di phishing, link strani e app sospette 😅
Italiano

@Stefanino_65 @m_crosetti @RaiTre Io non sono riuscito a guardarlo fino alla fine proprio per lo stesso motivo però concordo un racconto di grandissima umanità
Italiano

@m_crosetti @RaiTre Ho fatto una gran fatica, scene di vita vissuta, ma veramente bello💔
Italiano

@gaiatortora Servizio da 10 e lode di Iannacone sugli hospice. Con grande sensibilità ha dato luce a operatori straordinari accanto ai malati terminali. Non sono riuscito a guardarlo fino alla fine: ha riaperto troppe ferite. Un racconto necessario e di grande umanità.
Italiano

@decoder_it Yep, sounds like classic MSRC stuff. Totally normal, apparently.
English

@ChaoticEclipse0 Believe me, life is too short for this stuff 🤷♂️ enjoy your life and have fun. We can all live without this.
English

@UK_Daniel_Card @techspence Same here, and sometimes need to read it twice to fully understand 😅
English

I sometimes find my own blogs when I’m searching for something and don’t really remember writing the thing 🤣
This field is way too broad and deep to remember everything. This is why we have databases and indexes + search 🤣😜❤️
spencer@techspence
@ZackKorman 100%. I can't remember what I had for lunch yesterday let alone some of the super nuanced Active Directory things my profile will lead you to believe I'm supposed to know. Part of being a practitioners is shrinking the gap between what you know and don't know.
English

@Pinperepette L’ultima volta che l’ho vista è stata al RomHack 2025, a settembre. Ho avuto il piacere di scambiare quattro chiacchiere con lei: davvero una grande persona e una grande giornalista.
Italiano
Andrea P retweetledi

Regarding Active Directory permissions, most people assume that a Deny ACE always wins. It doesn't!
Windows stops the access check the moment enough rights are granted — any ACE after that point is never evaluated.
New post: managedpriv.com/blog/acl-canon…
English













