When (NTLM) relaying potatoes lead you to domain admin. A "permanent" 0day Privilege Escalation Vulnerability in Windows RPC Protocol ;-). cc @splinter_code .Our writeup here:.

Regarding #CVE-2025-33073 fixing NTLM/Kerberos reflection attacks via SMB: the patch only covers SMB clients. The "CredMarshal" trick still works on RPC and HTTP. But those protocols sets the unverified target flags, which block exploitation. So, is reflection dead? Let’s see….

RT @ericonidentity: At @WEareTROOPERS I dropped new research on #nOAuth, an abuse of #EntraID that allows you to spoof users in vulnerable….

Looks like the patch for #CVE-2025-33073 might not fully resolve the issue. curious to see where this leads

Setting dsHeuristics flag 28 (AttributeAuthorizationOnLDAPAdd) to 1 (00000000010000000002000000010) blocks #BadSuccessor if the attacker has “Create All Children” rights. But with Full Control or WriteDACL on descendant objects, the attack still works.🤦‍♂️.

RT @_dirkjan: ESC1 via the cloud over Intune 😬.

RT @LinuxHandbook: No disrespect to Linus Torvalds, but this guy is the greatest geek alive 🫡. Created UNIX in 1971 when he was 28 years ol….

RT @offsectraining: Attention @kalilinux users! In the coming day(s), apt update is going to fail for pretty much everyone. The reason? W….

I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️

Call for Papers for #Romhack2025 is still open! If you have cool research to share, don’t hesitate to submit. The perfect setting for great talks, great company, and a chance to visit the "Città Eterna".

RT @_EthicalChaos_: I spoke about the initial credential guard vulnerability at #SOCON2025, but I left out the part where the fix could be….

RT @elad_shamir: NTLM relay is still a major threat and is now even easier to abuse. We just added new NTLM relay edges to BloodHound to he….

AI makes writing regex in any language way easier. Especially for a dummy like me! 🤣.

RT @BlastometroTW:

Is there any valid reason why I'm still getting "Network Device Enrollment Service cannot provide its password because the user does not have Enroll permissions on the configured certificate template" even if the configured account has enroll perms on the configured template?.

Hey, we should really switch from NTLM to something like Kerberos, yet another good reason, right? cc @ShitSecure @splinter_code . 😂🤣

Quindi, per evitare che nella TL spuntino di continuo i profondissimi pensieri di personaggi e portaborse legati a X, l’unico metodo scientificamente testato resta, ad oggi, bloccare e segnalare. 🤷‍♂️.

RT @cybersaiyanIT: We know, we know, we understand that #Azure Entra ID can be quite complex. Buttttt, we assure you that Dirk-jan Molle….

RT @BlastometroTW:

RT @cybersaiyanIT: 🔥 HUGE #RomHack2025 updates you need to know this week. James @albinowax Kettle, one of the world’s leading figures in….