Pinned Tweet
Aurélien Chalot
@Defte_
1.6K posts
Hacker, sysadmin and security researcher @OrangeCyberdef 💻 Calisthenics enthusiast 💪 and wannabe philosopher https://t.co/SqDDhIGGGh 📖 🔥 Hide&Sec 🔥
The grid · Joined November 2017
477 Following · 4.2K Followers

In this blogpost I tried to sum up everything I know, walking you from the "I have an EDR, I'm secure" mindset to "let's build a resilient tiering model". Let me know what you think about it :)!
sensepost.com/blog/2026/from…

@Defte_ @HackAndDo Socks proxy pivoting through a trusted service handle is nasty for defenders because it blends into legitimate admin traffic almost perfectly.

Thanks to Azox, it is now possible to use psexecsvc (github.com/sensepost/susi…) through a SOCKS proxy like ntlmrelayx, allowing execution of system commands via a trusted service, as NT System, and evading EDRs. Also thanks to @HackAndDo for his fixes :D

Following the blogpost about implementing the Channel Binding token for TDS.py on Impacket (sensepost.com/blog/2025/a-jo…), here is the module you can use to check whether or not CBT is required on MSSQL databases via NetExec github.com/Pennyw0rth/Net… 🔥🔥

@tyche_rle Simple thought: your parents buy two houses, you inherit them, rent them out, buy 3 more, your child 8, their child 20. The exponential growth of wealth leads to a thin slice of the population that owns everything and a huge one that owns nothing. Do you find that moral and fair?

@SinSinology @thatjiaozi I'll open a farm next to you guys to provide cereals and milk if that's okay 🤣

@thatjiaozi pastries, cookies, breads with me
cinnamon buns too
Aurélien Chalot reposted

Stealthy WMI lateral movement - StealthyWMIExec.py
ghaleb0x317374.github.io/2026/03/15/Ste…
Aurélien Chalot reposted

Releasing one of my research tools: EVENmonitor🖥️
Inspired by LDAPmonitor, I implemented a monitoring tool for the Windows Event log in pure python. You can just attach it via the network and then filter for specific event IDs or keywords.
Available at: github.com/NeffIsBack/EVE…
Aurélien Chalot reposted

New post on the MDSec blog and another Windows EoP....
RIP RegPwn - mdsec.co.uk/2026/03/rip-re…
Saying goodbye to a much loved EoP, by @filip_dragovic

@sekurlsa_pw @RedHatPentester So from a low priv user you can determine if a PSO exists and which users it applies to but you can’t see the policy details. W/ a DA acct you can see policy details. If I see a PSO I just refuse to spray any users that it applies to unless the client will tell me the details

If a pentester ignores the password policy and performs password spraying blindly, they may unintentionally lock multiple user accounts. This can disrupt business operations and immediately alert system administrators to suspicious activity. For example, if the policy locks accounts after five failed login attempts, spraying several passwords too quickly across many accounts could trigger a mass lockout event.
By reviewing the password policy first, the penetration tester can design a controlled and stealthy spraying strategy. Knowing the lockout threshold allows the tester to limit attempts to safe numbers and space them out over time.

@unsigned_sh0rt @Sniffler0x1 Omg thank you so much dude 🥳! That's exactly what I was looking for!!

@Defte_ @Sniffler0x1 I'm re-reading the thread and realizing the perspective you're coming from now.
In SCCM you can enable a setting to not automatically approve unknown clients.
You can also define boundary groups for new clients which gives you some granularity on approval.

@unsigned_sh0rt @Sniffler0x1 But what prevents a random non-domain-joined computer from enrolling on the MP via the self-signed certificate and then getting the NAA?

@Defte_ @Sniffler0x1 initially it's a self-signed certificate (or PKI if they have AD CS setup) that's used by the client to start the enrollment process with the management point
management point sends the NAA, NAA gives access to shares

@Sniffler0x1 and ultimately, how does eHTTP fix the problem? There's no more NAA account but I don't get how the DP knows that a non-domain-joined account can authenticate and be provisioned. I should just read more documentation I guess D

@Sniffler0x1 So the real question I have is why that account would be spread via the HTTP endpoint. If the computer is not domain joined, it cannot reach that endpoint anyway.
But yeah, if the computer boots via PXE, then the password is used to reach the AD

@ShitSecure Found some reasons, although I still don't get why that mechanism even exists xD

@ShitSecure Is this some kind of legacy issue, as we see every day in the Windows world? ahah