Raph

shipping: WinSSHound maps SSH access in AD as BloodHound paths. because Windows OpenSSH cheerfully ignores your "Deny Logon" GPOs (pre-2025) and on a default sshd_config every Authenticated User in the domain can walk right in. Why? Because Microsoft. https://t.co/ONXuguz7r3

If you came to SOCON, you may have seen the fireside chat on Ouroboros (if you weren't too busy counting my "urm"s 😝). The blog post is now live, detailing how we can use Dev-Tunnels for lateral movement, and allow pivoting from GitHub/Entra ID access. https://t.co/yb1jl1xkgV

It's been a while since I wrote a blog post. My new post writes about some cool updates to the MS-RPC-Fuzzer for recursively fuzzing complex structures, logging using ETW, and we found a way to escalate to nt\authority system! https://t.co/Guxzx0gu2J

New Advisory from our Pentest Team: We've identified a Local Privilege Escalation vulnerability in the remote management software pcvisit (CVE-2026-0539). Insecure file permissions allow low-privileged users to gain SYSTEM access. Details: https://t.co/Gd16A9KbDZ

I just dropped some research: DSCourier and would love for your opinion and to check it out!! It’s a novel post-exploitation technique abusing WinGet’s COM API to execute code through Microsoft-signed binaries. GitHub: https://t.co/pgIhifT5cT Blog: https://t.co/kgeBvZw06N

ETW from C++: session setup, EnableTraceEx2, OpenTrace, ProcessTrace, and a real-time event callback. The full pipeline, including the parts the docs don't make obvious. https://t.co/pe9wyAG3WE

KslDump - Extraction of credentials from PPL-protected LSASS using only Microsoft-signed components https://t.co/pDHUeRw33I