This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature. A low privilege user could simply send a specially crafted A...

It’s been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2...

In the previous post, I highlighted some of the changes made in the Symantec Management Agent, and showed how it affected the retrieval of the Account Connectivity Credentials (ACCs), based on orig...

You may have heard or read about Symantec Account Connectivity Credentials (ACCs) thanks to a blog post published by MDSec last December (2024). I wanted to integrate this research as a new check i...

The built-in “MareBackup” scheduled task is susceptible to a trivial executable search order hijacking, which can be abused by a low-privileged user to gain SYSTEM privileges whenever a vulnerable ...

I like PowerShell, I like it a lot! I like its versatility, its ease of use, its integration with the Windows operating system, but it also has a few features, such as AMSI, CLM, and other logging ...

Following the publication of my blog post A Practical Guide to PrintNightmare in 2024, a few people brought to my attention that there was a way to bypass the Point and Print (PnP) restrictions rec...

Back to the Basics: MiniDumpWriteDump The most common way of dumping the memory of a process is to call MiniDumpWriteDump. It requires a process handle with sufficient access rights, a process ID,...

In the previous part, I showed how a technique called “Bring Your Own Vulnerable DLL” (BYOVDLL) could be used to reintroduce known vulnerabilities in LSASS, even when it’s protected. In this second...

In this series of blog posts, I will explore yet another avenue for bypassing LSA Protection in Userland. I will also detail the biggest challenges I faced while developing a proof-of-concept, and ...