Sylvain Heiniger

Ups and downs of #redteam engagements. When the standard payloads don’t cut it, innovation wins. Learn how we misused a screenshot tool to load shellcode… at the fifth attempt!… blog.compass-security.com/2024/12/a-nift…

I am excited to share with you my latest research - "DCOM Upload & Execute" An advanced lateral movement technique to upload and execute custom payloads on remote targets Forget about PSEXEC and dive in! deepinstinct.com/blog/forget-ps… github.com/deepinstinct/D…

Oh, you didn't know? Cool kids are now relaying Kerberos over SMB 😏 Check out our latest blogpost by @hugow_vincent to discover how to perform this attack: synacktiv.com/publications/r…

You can also find me there: bsky.app/profile/splout…

COM is old but gold—for attackers! 🚨 In our latest blog, Sylvain Heiniger (@sploutchy) exposes a privilege escalation vulnerability in the Google Chrome updater. Want to know how cross-session EoP still happens today? Check it out! #COM blog.compass-security.com/2024/10/com-cr…

@stratosberry @compasssecurity @decoder_it @D1iv3 Hey @stratosberry, default AD settings allow users to create new machine accounts (github.com/fortra/impacke…). In hardened environments, you need privileges to modify a computer object (e.g. github.com/dirkjanm/krbre…). Hope this helps!

@compasssecurity @decoder_it @D1iv3 The only confusing part for me is the attacker controlled SPN. Is there a linux tool I can use for this? @decoder_it @sploutchy

DCOM cross-session coercion + Kerberos = 💣 We took a closer look at the attacks discovered by @decoder_it and @D1iv3 earlier this year and made a PoC in Python! Curious? Full blog post here: blog.compass-security.com/2024/09/three-… #potato #impacket

@decoder_it @compasssecurity @D1iv3 @tiraniddo This is the cherry on the top ;) Then one doesn't need to implement the whole OXID resolving. Thanks for your great research!

@compasssecurity @D1iv3 Cool stuff! And first auth an be relayed with Kerberos too using @tiraniddo's marshaled target info trick, allowing SPN control via a fake DNS entry. Users can typically perform secure DNS updates in AD ⬇️

@Jonas_B_K Great blog post, thanks for sharing! I made a PR in certipy (@ly4k_) for checking ESC13: github.com/ly4k/Certipy/p…

Wrote a blog post about a new ADCS abuse technique involvering issuance policies and OID group links 📝 posts.specterops.io/adcs-esc13-abu…

You like device code phishing? You will like Felix Aeppli’s latest research even more. He shows how to backdoor Entra ID phished accounts by adding a new sign-in method. Details and PoC here: blog.compass-security.com/2024/01/device…

Collision – Compass Security was able to execute their stack overflow attack against the Synology BC500. However, the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points. #Pwn2Own

Outlook for Windows can be tricked into displaying a fake domain, but open another one. Add a <base> tag with a fake domain + left-to-right mark (U+200E) Links in <a> tags will show the fake domain, but open the real domain. No need to buy .zip! :) Convincing #phishing #redteam

@0xdeaddood Self-plug: github.com/fortra/impacke… adds relay to ADCS over RPC to ntlmrelayx

What PR would you like to see added to #Impacket?

We did it again with #LocalPotato! A not-so-common NTLM reflection attack allowing for arbitrary read/write. Basically EoP from user to SYSTEM. Tracked as #CVE-2023-21746 - Windows NTLM EoP Soon more details --> localpotato.com cc @splinter_code

🆕More personal news here .. I want to share that the Impacket project is moving to @fortraofficial's @CoreSecurity! It will now be part of their open source portfolio, and funded with a team of very talented security professionals. github.com/fortra/impacket #impacket

Recordings of #blackalps22 are available here: blackalps.ch/ba-22/talks.php

Next week I will present a #talk at #BlackHat Europe 2022 on how to automate the search of RPC functions allowing to coerce authentications on #Windows. Alongside this talk, I'm publishing a brand new version of #Coercer! ➡️Check it out here: github.com/p0dalirius/Coe…

Found an vhdx/vmdk/vhd file in a network share? Volumiser from @_EthicalChaos_ gets you covered to exfiltrate e.G. SAM/SYSTEM to compromise the system via Administrator Pass-The-Hash: github.com/CCob/Volumiser Really easy and intuitive to use 👏

Si tu as aidé une dame à vélo aujourd'hui devant un tram à Genève, peut-être tu as perdu cet airpod qui est tombé par terre. #airpod #28.11.2022 #geneve #geneva pic.twitter.com/ewTvyrRI8C

At @BlackAlpsConf, our analyst Sylvain Heiniger @sploutchy presented a new attack path to AD CS. Read his blog post for details and tools updates. #adcs #esc11 #ntlmrelay #rpc #msrpc blog.compass-security.com/2022/11/relayi…