Evangelos Mitakidis 

I found a new one click NTLM leakage vulnerability / technique from a browser. A web server can redirect a client to a ms-photos URI handler followed by a fileName parameter. If the parameter value is a UNC path instead of a local path, photos.exe will leak the client’s NTLMv2-SSP hash, enabling relay attacks or offline cracking. Leaking hashes from URI handlers is not new, but combined with a browser redirection, it allows moving from website infection to capturing NTLMv2-SSP hashes (supply chain attack). No LLMNR is required, and except if the firewall blocks outbound SMB queries, the hash will leak to public facing SMB servers. The vulnerability can be combined in a supply-chain attack, by infecting public facing applications. MSRC will not release a patch for this issue. Find more details with a POC here: https://t.co/2gMKtGZfQt

Just saw a sick live demo of wireless headphone hijacking that allows the attacker to perform the following without ever pairing the device. All the attacker has to do is be in range. - read/write arbitrary bytes to device - read headphones information - dump firmware info - extract paired devices information (name, link key, MAC address) and since you can extract the above information, the attacker can then impersonate as the device and perform actions like - access voice assistants (send text and other possibly sensitive actions; may require phone unlock) - get phone numbers - call control - audio routing Lots of devices using the Airoha chipsets are affected, especially Sony devices. The vulns were first disclosed back in June. https://t.co/8qrS0IdcNP

During a recent incident response case, we observed the following file access: \\localhost\C$\@ GMT-2025.06.21-10.53.43\Windows\NTDS\ntds.dit This is a clever method of accessing a Volume Shadow Copy (VSS) snapshot. Many EDR and detection systems typically monitor for commands such as 'vssadmin list shadows', and may trigger alerts based on their use. However, by leveraging the "Previous Versions" feature in Windows (see screenshot), attackers can select a snapshot, view its properties, and enter the '@ GMT' path directly in Explorer. This allows them to browse the snapshot's contents without needing to use the command line. Because this technique doesn't rely on typical shadow copy commands, it may evade detection by your EDR or SIEM solution. You might want to test it in your environment to identify and close this potential detection gap 🦸‍♂️🦸‍♀️

You still can bypass microsoft Windows 11 requirement account, Microsoft has only removed the automatic script You just need to create a new Registry value by following these steps, I tested on my PC: >1 On the “Let’s connect you to a network” screen, press Shift + F10 to open Command Prompt. >2 Type regedit to open the Registry Editor. >3 In Registry Editor, navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE >4 Right-click on the blank space in the right panel and select: >5 New > DWORD (32-bit) Value >6 Name it exactly: BypassNRO >7 Double-click BypassNRO, and set the value data to 1. >8 Close Registry Editor. >9 Restart.