Marc André Tanner

We successfully used winget as a PowerShell execution proxy for initial access. While in that setting you can't get around the exe invocation itself, it works well if the feature isn't disabled. blog.compass-security.com/2026/03/winget… Next usecase: lateral movement? 👀

WinGet can be more than a package manager. We show how .winget configs + a self-referencing LNK become a viable initial access payload when Microsoft Store is enabled. Includes detection queries & mitigation tips. blog.compass-security.com/2026/03/winget… #RedTeam #Windows #LOLBins #InitialAccess

GitLab is a prime DevOps target for attackers—IP, supply chain risk, & access to connected systems. 🎯 At #SOCON2026, @marcandretanner shows how an OpenGraph GitLab collector uncovers hybrid attack paths across CI/CD, service accounts, AD & Entra ID. ➡️ ghst.ly/socon26-tw

We have a collision! Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) earned $25,000 USD and 4 Master of Pwn points with the Charging Connector Protocol/Signal Manipulation add‑on against the Grizzl‑E Smart 40A, chaining an authentication bypass (CWE‑306) to remote code execution via CWE‑494. #Pwn2Own #P2OAuto

Confirmed! Cyrill Bannwart, Emanuele Barbeno, Yves Bieri, Lukasz D., and Urs Mueller of Compass Security (@compasssecurity) exploited one exposed dangerous method/function bug on the Alpine iLX-F511, winning Round 2 for $10,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto

@ShitSecure With my recent improvements for both ADExplorerSnapshot and BOFHound these should also be directly visible within BloodHound. github.com/c3c/ADExplorer… github.com/coffeegist/bof…

Direct parsing of Adexplorershapshot data or BloodHound .json files (and more formats) to quick-win check for PKI vulnerabilities? Colleage of mine vibe coded a script to do that: github.com/vianic/ace_ana…

Last week presented at an university alumni event, this week successfully used during a red teaming engagement.

📢 Confirmed! The @compasssecurity team combined an arbitrary file write and cleartext transmission of sensitive data to exploit the @home_assistant Green. The unique bugs in their third round win earns them $20,000 and 4 Master of Pwn points. #Pwn2Own

@Neodyme After some more tests and helpful community feedback I managed to successfully exploit the same testing device using the WinPE method. The blog post has been updated with a corresponding demonstration video.

Curious why I was rebooting random laptops? Credit goes to Rairii for the original research and Thomas from @Neodyme for the initial PoC.

@domchell @x33fcon @mrgretzky @mariuszbit @MarcOverIP @max__grim @olafhartong @_dirkjan @SEKTOR7net @Cyb3rWard0g @Jean_Maes_1994 @rad9800 @C5pider Thanks for offering a beer, sorry that I sliced it in half and made a mess of it

Had a blast at @x33fcon, thanks to whole crew of organisers! Was great to catch up and grab a beer with so many ppl again @mrgretzky @mariuszbit @MarcOverIP @max__grim @olafhartong @_dirkjan @SEKTOR7net @Cyb3rWard0g @Jean_Maes_1994 @rad9800 @C5pider and a bunch more 🥳

Now merged into Certipy 5.0.2

Last week I had a fantastic experience at @SpecterOps' #SOCON2025 and subsequent IDOT training. It was a great opportunity to get in touch with leading experts. Apparently I also bugged them enough to merge my small BloodHound contribution. github.com/SpecterOps/Blo…

bloodyAD v2.1.8 is out with a new feature to resolve foreign SID when displaying security descriptors with "get object" or "get search" and a lifetime option on "add user" offered by @marcandretanner to make them vanish magically once expired github.com/CravateRouge/b…

TokenPhisher now forces recent MFA logins from victims which comes in handy when emulating these device code phishing tactics: github.com/CompassSecurit…

Avoid LDAP monitoring by leveraging local registry data with certipy parse! Check out our latest pull request and read Marc Tanner's (@marcandretanner) blog post: blog.compass-security.com/2025/02/stealt…

Another update for the Linux kernel exploitation collection. github.com/xairy/linux-ke…

Timothy Roscoe's keynote at #atc21 #osdi21 had both aspects --- soul searching about current state of OS research and a call to arms with actionable items.

Preliminary (design) work to enable a more flexible editing experience based on a client/server architecture has been started. brain-dump.org/blog/vis-to-se…

The code has been cleaned up and refactored to facilitate experimentation with different core text management data structures. brain-dump.org/blog/rethinkin…

I am pleased to announce a new release of the Vis editor, combining modal editing with structural regular expressions, now supporting Lua 5.4, NetBSD and Wayland clipboard integration. github.com/martanne/vis/r…