Aloïs Thévenot

You can find me on Bluesky at @techbrunch.fr, see you there.

These takes are weird when the industry as a whole has a fairly good understanding of how organizations actually get compromised. "Point AI agents at your own code and find the vulnerabilities before attackers do. That's Priority Action 1 in the briefing released today from the Cloud Security Alliance." It wouldn't be ensure MFA?(BEC is still loses people the most money) Conditional access? No device code/strong auth? Ensure EDR is on ALL endpoints? Reduce external attack surface? Understand risks of file transfer/edge appliance software? Strong protected backups?? x.com/robtlee/status…

Trusted access for the next era of cyber defense | OpenAI share.google/PPuWpQMRkUWv4Y… 3000 fixed bugs is a lot of fixed bugs imho

Just shipped GraphSpy v1.7.0 ✨ Mostly under-the-hood work this time with major refactoring to speed up future development ⚙️ Huge shoutout to n3rada for leading the effort! More exciting features coming soon 🚀 github.com/RedByte1337/Gr…

In collaboration with a couple of other leaders in the industry we are releasing SecurityTitles.com - It's an attempt to provide transparency about role levels, expectations and (just for the US market currently, salary ranges). For leaders writing JDs and candidates alike.

Le challenge SSTIC sortira demain (mercredi 15 avril 2026) à 15h (UTC+2) !

I'm thrilled to announce "Can AI Do Novel Security Research? Meet the HTTP Terminator" will premiere at @BlackHatEvents #BHUSA! Check out the abstract:

Time to nerd schizo rant for a second. "Hxr1" writes you can abuse the newly minted Windows Machine Learning API to execute shellcode in-memory without having to invoke VirtualAlloc. That is wrong ... because he himself in his proof-of-concept invokes VirtualAlloc, so I don't know why he wrote that. However, this paper is an interesting concept on smuggling malicious code and/or payloads. Without going on a deeper schizo rant however, I'd really like to emphasize this proof-of-concept does indeed work, but it has bugs... but, whatever. Basically Windows Runtime has a thingie that allows you to run pretty shrimple AI models (ONNX). It's called the Windows Machine Learning API (WinML). These are so lightweight it doesn't really require 9000 GPUs and 120pb (Peanut Butters) of memory. It is written using Windows Runtime so it is accessible from C, C++, and anything in the .NET family. It will work natively across the Windows platform (although it is a pain in the ass in C). If you're writing this in C/C++, the application flow goes as follows: 1. RoInitialize (although the original author did it all weird and ass backwards) 2. Get ONNX bytes (ReadFile, download, whatever) 3. Do dumb stream stuff 4. CreateFromStream (ONNX stream stuff) 5. LearningModelStatics->LoadFromStream In the simplest terms possible, load the ONNX stuff into memory using the fancy-schmany Windows Runtime stuff and let the Windows ML API hang out with it. In Hxr1's proof-of-concept the ONNX file (shrimple AI model) has a malicious payload baked inside of it. However, memory allocated from the dumb stream stuff, and the memory used by LearningModelStatics is NOT executable. To compensate for this, Hxr1 reads the content from the loaded ONNX file, copies it to a buffer allocated by VirtualAlloc, changes the allocated buffer to RWX, then does the malicious stuff. This fact contradicts his entire paper. In essence, all the WinML API is doing in this context is a really roundabout way to do ReadFile. He also misses out on some other interesting opportunities. 1. Using the WinML is it (probably) possible to make an AI model that evaluates the machine to determine if it is a VM. @0xTriboulet did something similar where he used the WinML to hunt for credentials in documents on machines. 2. It may be possible to change the memory characteristics from LearningModelStatics to be RWX. However, I haven't tested this and this contains a massive asterisk because several conditions need to be met which I haven't evaluated. hxr1.ghost.io/abusing-winml-…

Since GLPI maintainers see this as irrelevant: GLPI Agent blindly trusts its configured server,no command signing, no allowlists. Redirect it to a rogue server and a local admin can escalate to NT AUTHORITY\SYSTEM via malicious Deploy tasks. PoC: github.com/soufianetahiri…

Neat hxr1.ghost.io/abusing-winml-…

Attack surface.... attack surface everywhere

This year again, with @BitK_ and @_Worty, we've made the Web challenges 🚩 The CTF is solo and lasts 10 days, if you have some time, please give it a look 😁 Even if you're not doing Web challenges, there are challenges in various categories, you should find something you like!

some reflections of mine on the CTF i just helped run and AI in CTFs generally sylvie.fyi/posts/ritsec-2…

Top .0001% of vuln researchers on increasingly capable AI: “I don’t see what the big deal is, I’ve always been able to find zero days like this”

Did anybody actually look at this? Whole thing looks hallucinated, FreeBSD doesn't even have 'struct cred'. And look at how it gave the same gadget address for two different instruction sequences.

So, reading the latest GRU compromised all the home routers (I'm being a bit dramatic), I stumbled across the point that some DNS spoofing may have been conducted.... so I built a quick lab to replicate this! The objective, steal M365 (exchange online) credentials and/or OAUTH tokens..... I was able to do this but in very specific conditions: 1) webmail access using EDGE worked (I don't understand why HSTS did not block this) - I had to click past certificate warnings! 2) chrome webmail access - HSTS Blocked this! 3) Outlook classic: certificate warnings, no way for the user to click past this 4) outlook modern: I was able to click past security warnings and my OAUTH tokens were stolen I was running Windows 11 PRO (ARM) (latest build)... I used DNS spoofing and a reverse proxy (HTTPS) using self signed certificates. Based on my testing, mother is still very much reasonably safe when using her iPhone in Starbucks on public wifi! Lots of thoughts about this but I'm hungry and this subject is not going away. MITM is subject to so many variables, compromising thousands (or hundreds of thousands of routers) is significantly better than trying to catch a specific person via public wifi etc. (IMHO) #Cyber #Security #Research #MITM #WIFI #DNS #Spoofing #APT

@HackingLZ I used to laugh at "baselines" -- Until I burned a couple days trying to figure out why my paid C2 wasn't working on a client. Turned out to be the first client i came across that enabled "Windows FIPS Mode" and it was blocking XOR. Standard security hardening, does wonders lol.

Recap of my last month bug hunting with my bro Claude and finished Top 2 for Q1 2026 on yeswehack 🏆 edrabb.fr/posts/one-mont…

The only way to begin is by beginning. And season 8 is beginning soon... 🃏♠️♦️♣️♥️

😮‍💨 Taking a Break blog.badsectorlabs.com/taking-a-break…