Yehuda Smirnov

413 posts

@yudasm_

Security Researcher @Microsoft, opinions are my own.

Joined May 2022
556 Following, 775 Followers
Pinned Tweet
Yehuda Smirnov @yudasm_
What if you skipped VirtualAlloc, skipped WriteProcessMemory and still got code execution? We explored process injection using nothing but thread context. Full write-up + PoCs: blog.fndsec.net/2025/05/16/the…
6
76
221
13.8K
Yehuda Smirnov retweeted
TrustedSec @TrustedSec
Who knew a really long string could make an Entra ID login disappear from the logs entirely? In our #blog, @nyxgeek breaks down how overflowing #Azure's sign-in logging mechanism allowed access tokens to be issued without a single log entry. Read it now! hubs.la/Q047xTVc0
3
96
372
112K
Yehuda Smirnov retweeted
Devansh (⚡, 🥷) @0xAsm0d3us
Needle in the haystack: LLMs for vulnerability research. I've distilled my experience of sending thousands and thousands of prompts for using LLMs to discover vulnerabilities into a single write-up. These are the conclusions I came to. (link in comment)
18
172
984
57.4K
Yehuda Smirnov retweeted
Liv Matan @terminatorLM
🫣LeakyLooker: 1 Cross-tenant vulnerability? How about 9? (1/10)🧵 I’m incredibly proud to share LeakyLooker. I discovered 9 novel cross-tenant vulnerabilities in Google Cloud’s Looker Studio that broke fundamental design assumptions. Here is how I broke tenant isolation: 👇
1
20
74
11.1K
Yehuda Smirnov retweeted
Wietze @Wietze
Yet another LNK flaw allows for target spoofing, yet executes any DLL, including remote ones via WebDAV. Even worse, unless you installed the Feb 2026 updates, MotW will be ignored. See how this works on github.com/wietze/lnk-it-…
2
67
288
18.7K
Yehuda Smirnov retweeted
Stephen Sims @Steph3nSims
I want to share a quick thought for people in cyber security. This will be my longest tweet ever. I’ve spoken to many lately who are having an existential crisis from the constant posts about “the end of cybersecurity jobs.” Yes, things are changing quickly. This is a significant moment for the tech industry. Change can be uncomfortable. But we’ve seen cycles like this before.
• When GitHub and open source took off, people said software engineers would disappear because code was free.
• When AWS and cloud computing emerged, people said infrastructure jobs would vanish.
• When fuzzing and SAST tools improved, people said vulnerability research would disappear.
• Virtualization would eliminate infrastructure jobs.
• Mobile computing was going to end desktop dev.
• Exploit mitigations would end exploitability.
It didn't. Each time automation improved, the amount of software grew faster than the automation. It does feel "different" this time as it's explosive.
Some roles will shrink:
• repetitive pentesting
• basic vulnerability scanning
• tier-1 SOC monitoring
But other areas are expanding rapidly:
• AI system security
• supply chain security
• identity architecture
• autonomous agent security
• critical infrastructure protection
Historically, every time we eliminate one class of bugs, new classes emerge. Right now people are vibe-coding entire systems, giving AI access to their machines, crossing trust boundaries, and deploying autonomous agents with excessive permissions. The legal and regulatory world is nowhere close to ready. There will absolutely be new failure modes. Humans are amazing and always adapt, finding new ways to do things. The worst thing you can do right now is fall into a doom loop. ...and I’ll be honest, I too have felt the "psychological paralysis" a few times thinking, “Is this time different?” It's especially impactful when it comes from someone I respect in the community.
There are certainly unknowns, in an industry where we've become accustomed to predictability. But... the majority of those reactions are usually driven by social media, not reality. Platforms like X reward engagement, and sensational doom posts spread faster than measured thinking. If you see something like: “Holy #$%^! Opus 66.6 just found every bug in Chrome and replaced 50 startups!” …mute it and move on.
Instead: Stay curious. Learn the new technology. Adapt your skillsets. Build things. We’ll get through this transition the same way we always have. If I'm wrong then Sam Altman better be right about UBI! :) I'm sure that if this tweet gets any engagement that I'll get some heat for it, but a good friend of mine reminds me often to focus on what you have control over. I'll revisit this tweet at DEF CON 40!
55
315
1.5K
127.5K
Yehuda Smirnov retweeted
Alex @xaitax
TotalRecall - Reloaded. Invested some time again into Windows Recall. Microsoft redesigned the entire architecture with VBS enclaves after the original TotalRecall. Took a closer look at the new defenses. This time going through MSRC.
2
33
119
10.4K
Yehuda Smirnov retweeted
Haifei Li @HaifeiLi
So there are some real serious bugs found by LLM: anthropic.com/news/mozilla-f…. One thing I’d like to discuss is, can someone independently reproduce the bugs with Claude? Feed the source files and see if you can reproduce them?
2
2
25
3.2K
Yehuda Smirnov retweeted
Joe Desimone @dez_
Patch Diff to SYSTEM - using LLMs to exploit a LPE vuln on Windows. More importantly, some thoughts on model capabilities and the implications on our security industry elastic.co/security-labs/…
3
73
262
19.5K
Yehuda Smirnov retweeted
Panos Gkatziroulis 🦄 @ipurple
Stuck Without Coercion options? Why not just Coerce MDE? medium.com/@Sniffler/stuck-without-coercion-options-why-not-just-coerce-mde-aecc23b43b66
2
29
108
9.9K
Yehuda Smirnov retweeted
Andrea P @decoder_it
Just dropped a short post on why some classic NTLM relay tricks seem to be dead on Server 2025. decoder.cloud/2026/02/25/wha…
2
65
201
13.4K
Yehuda Smirnov retweeted
Nicolas Krassas @Dinosn
Raptor turns Claude Code into a general-purpose AI offensive/defensive security agent. By using Claude.md and creating rules, sub-agents, and skills, and orchestrating security tool usage, we configure the agent for adversarial thinking, and perform research or attack/defense operations. github.com/gadievron/rapt…
5
17
150
11.8K
Yehuda Smirnov retweeted
sapir federovsky @sapirxfed
@shahardorf & I found a phishing campaign abusing oauth applications in Entra in more than 50 organizations! And I promise you that in this blog we explain how you can do it too! And provide all the IOCs 🤭 It's one of these blogs I would enjoy reading! wiz.io/blog/detecting…
8
50
182
21.8K
Yehuda Smirnov retweeted
MalDev Academy @MalDevAcademy
DumpBrowserSecrets v1.2 is out:
• Custom SQLite file format parser, replacing sqlite-amalgamation.
• Encrypted output packs for offline decryption.
• Configurable extraction limits per category.
• Bug fixes.
github.com/Maldev-Academy…
1
49
218
11K
Yehuda Smirnov retweeted
Ido Veltzman @Idov31
After a long time, Nidhogg v2.0 is finally released. The project is already 4 years old and has evolved drastically over the years, which led to inconsistencies and lots of bugs. See the full changes and reasoning here: github.com/Idov31/Nidhogg 1/6
3
39
190
10.7K