Suraj

878 posts


@r00treaver

Just another average security guy who loves to break things | Red Team @Unit42_Intel | Adversary Simulation | My opinions are my own

Joined May 2009
626 Following, 375 Followers
Suraj retweeted
Atredis Partners (@Atredis)
We decided to revisit an old research problem with some new LLM powered tooling. Check out our latest blog post to see how we approached this research, and the new Java deserialization gadget chains it discovered in just two days! buff.ly/CeAQZ2B
Suraj retweeted
BriPwn (@BriPwn)
Your EDR just coerced itself. 🫠 Drop a crafted LNK → MsSense.exe makes a CreateFile call → machine account hands over its Net-NTLMv2 hash over WebDAV → relay to LDAP → Shadow Credentials or RBCD. No user interaction. No exotic exploit. Just vibes and a shortcut file. If you're running Microsoft Defender for Endpoint, this one is literally about you. 👀 Full attack + detection breakdown 👇 youtu.be/30Qiq_Gt_bA #purpleteam #MDE #NTLMcoercion #detectionengineering
Suraj retweeted
Sean Metcalf (@PyroTek3)
In Active Directory, there is a method that’s been around for many years which changes the password last set date but not the actual password. This is what I call a “fake password change” since the account appears to have a recent password when scanning for old passwords based on password last set, but the underlying password hasn’t actually changed. I spoke about this in my 2015 @BSidesCharm talk which was my first conference talk. More details including step-by-step screenshots are here: adsecurity.org/?p=4969

Why does this happen?
There are times where service accounts (or admin accounts) need to have password changes, but someone doesn’t want to do the work to change them. The ability to fake a password change requires modify rights on the pwdLastSet attribute, which provides the ability to check/uncheck the setting “User must change password at next logon”. This setting is enabled when you want the user to change their own password when they logon.

How does this work?
This is simple to do when you have rights on the target account (in this example the password last changed in August 2025). We open up Active Directory Users and Computers (ADUC), double-click on the target account to open up the account properties and then click on the Account tab. From here we check the box for “User must change password at next logon” and click Apply. The PasswordLastSet date is now blank, which makes it seem like the account has never had a password set. We continue with our process where we uncheck the box for “User must change password at next logon” we checked and then click Apply. After performing this action, the password change date has now been set to the current date and time even though the password itself hasn’t been changed since August 2025. We have successfully faked a password change!

Why does this happen?
This happens because the “User must change password at next logon” option is used to force a user to change their password at next logon. With it checked, Active Directory is waiting for the user to attempt to logon, which is when the user is directed to change their password. During this time the PasswordLastSet value is blank since it is waiting for a new password. Once the user changes their password, the checkbox is effectively removed and the current date and time are set for the user’s PasswordLastSet property (technically this is the “pwdLastSet” attribute, but the AD PowerShell cmdlets use that property). An attacker could use this technique for an account with an old password they discover and have control of the account (with the ability to flip this bit). This would show that the password changed without it actually changing.

Detect fake Active Directory password changes at scale
I wrote a PowerShell script that will scan either the Active Directory Admins or All Users in the domain to see if there’s a fake password change that has been performed on them. github.com/PyroTek3/Activ…
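An added detection example, not the script linked in the post above: it reads AD replication metadata and flags accounts whose pwdLastSet attribute was written long after the last originating change of unicodePwd, which is the footprint of flipping the checkbox rather than setting a new password (a real change updates both attributes together). It assumes the RSAT ActiveDirectory module, rights to read replication metadata, and a 60-second tolerance chosen for this example.

```powershell
# Added example (not PyroTek3's script). A genuine password change rewrites
# unicodePwd and pwdLastSet in the same operation, so their originating-change
# timestamps agree. A checkbox flip only rewrites pwdLastSet, leaving a gap.
Import-Module ActiveDirectory

function Find-FakePasswordChange {
    param(
        [string]$Server = [string](Get-ADDomainController -Discover).HostName,
        # Scope to privileged groups first on large domains; metadata is read per object.
        [string]$LdapFilter = '(&(objectCategory=person)(objectClass=user))',
        [int]$ToleranceSeconds = 60   # assumption: chosen threshold for this example
    )
    $users = Get-ADUser -LDAPFilter $LdapFilter -Server $Server -Properties pwdLastSet
    foreach ($u in $users) {
        # Originating-change metadata for the two attributes of interest
        $meta = Get-ADReplicationAttributeMetadata -Object $u.DistinguishedName `
                    -Server $Server -Properties unicodePwd, pwdLastSet
        $pwd = $meta | Where-Object AttributeName -eq 'unicodePwd'
        $pls = $meta | Where-Object AttributeName -eq 'pwdLastSet'
        if (-not $pwd -or -not $pls) { continue }   # password never set / no metadata
        $gap = ($pls.LastOriginatingChangeTime - $pwd.LastOriginatingChangeTime).TotalSeconds
        if ($gap -gt $ToleranceSeconds) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                PasswordChanged   = $pwd.LastOriginatingChangeTime   # last real change
                PwdLastSetWritten = $pls.LastOriginatingChangeTime   # what "last set" claims
                GapDays           = [math]::Round($gap / 86400, 1)
                PwdLastSetVersion = $pls.Version                     # each flip bumps this
                WrittenOnDC       = $pls.LastOriginatingChangeDirectoryServerIdentity
            }
        }
    }
}

# Usage: largest gaps first are the accounts whose age is being hidden
Find-FakePasswordChange | Sort-Object GapDays -Descending | Format-Table -AutoSize
```

The originating DC and pwdLastSet version give the pivot for the Security event log (the directory service object-modification events on that DC) to find who performed the flip.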
Suraj retweeted
MDSec (@MDSecLabs)
Our latest post on the blog details a Windows EoP courtesy of @filip_dragovic... "Total Recall – Retracing Your Steps Back to NT AUTHORITY\SYSTEM" - mdsec.co.uk/2026/02/total-…
Suraj retweeted
Gray Hats (@the_yellow_fall)
GhostKatz bypasses EDR by dumping LSASS credentials directly from physical memory. Learn how this new Red Team tool abuses signed drivers to stay invisible. meterpreter.org/screaming-at-t…
Suraj retweeted
bohops (@bohops)
Last month, @d_tranman and I gave a talk @MCTTP_Con called "COM to the Darkside" focusing on COM/DCOM cross-session and fileless lateral movement tradecraft. Check out the slides here: github.com/bohops/COM-to-… Recording should be released soon.
Suraj retweeted
_leon_jacobs(💥) (@leonjza)
I've been hacking on a new Windows Named Pipe tool called PipeTap which helps analyse named pipe communications. Born out of necessity while doing some vulnerability research on a target, it's been super useful in reversing its fairly complex protocol. :)
Suraj retweeted
Florian Roth ⚡️ (@cyb3rops)
A new lateral movement PoC was published on GitHub: SpeechRuntimeMove (COM Hijacking via SpeechRuntime DCOM)

We added the repo to our stack to build, test, and analyze. The sample uploaded to VirusTotal is already covered by at least 5 of our generic rules (VT only shows up to 5 matches; the rule names can be used on our Valhalla portal to find more related samples.)

We recently wrote about rules like these, the ones that detect what AV engines tend to miss. We called it the Blind Spot Scanner, which fits well here: nextron-systems.com/2025/06/18/the…

Tool: github.com/rtecCyberSec/S…
VT Sample: virustotal.com/gui/file/ea756…
Suraj retweeted
Karl (@kfosaaen)
We are very excited to announce our new tool - ATEAM. Thomas Elling and I have been working on this project for the last year and this tool is the result of the research that we presented at the DEF CON Cloud Village this year. netspi.com/blog/technical…
Suraj retweeted
Dirk-jan (@_dirkjan)
It's been almost a year since my last blog... So, here is a new one: Extending AD CS attack surface to the cloud with Intune certificates. Also includes ESC1 over Intune (in some cases). dirkjanm.io/extending-ad-c… Oh, and a new tool for SCEP: github.com/dirkjanm/scepr…
Suraj retweeted
Soroush Dalili (@irsdl)
I have launched YSoNet (ysonet.net) and added #SharePoint CVE-2025-49704 payload generator to it as the first thing. Here is how this can work:

Running command:
```
ysonet.exe -p sharepoint --cve=CVE-2025-49704 -var 1 -c "calc"
```

Running C# code:
```
ysonet.exe -p sharepoint --cve=CVE-2025-49704 -var 2 -c "C:\\temp\\ExploitClass.cs;System.dll"
```

Payloads will be url-encoded already. YSoNet is a fork and replacement of YSoSerial .Net (for me) and I will try to maintain my own version now to have full control over the settings. There are many things I have to change there but all changes will be gradual. Of course you can still use the great YSoSerial .NET repo but I won't be the one maintaining it. Hopefully I can make @pwntester proud 😊
Suraj retweeted
sabotage (@saab_sec)
❗️Blog post❗️ Love for Microsoft Component Object Model, RPC and AMSI attack surface
[+] Discussion on overlooked aspects of AMSI - COM and RPC.
[+] Attack opportunities.
sabotagesec.com/love-for-micro…
Suraj retweeted
Andrea P (@decoder_it)
KrbRelayEx-RPC tool is out! 🎉 Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;) github.com/decoder-it/Krb…
Suraj retweeted
Dhiraj (@RandomDhiraj)
I just did the first stable release for my project "SmuggleShield" which aims to block HTML smuggling attacks. This version implements machine learning which analyzes/learns the pattern from the current signature sets and blocks smuggling attempts in future. GitHub Repo - github.com/RootUp/Smuggle… #infosec #redteam #blueteam
Suraj retweeted
silentwarble (@silentwarble)
I made a collection of PIC friendly resources. Most of it is in C. If anyone knows any other shellcoding or position independent resources, feel free to add them here or link it so I can add. github.com/silentwarble/P…