2025

• 18 Feb Reinventing PowerShell in C/C++

2024

• 05 Oct The PrintNightmare is not Over Yet
• 02 Sep Ghost in the PPL Part 3: LSASS Memory Dump
• 16 Aug Ghost in the PPL Part 2: From BYOVDLL to Arbitrary Code Execution in LSASS
• 09 Aug Ghost in the PPL Part 1: BYOVDLL
• 25 Feb Extracting PEAP Credentials from Wired Network Profiles
• 28 Jan A Practical Guide to PrintNightmare in 2024
• 21 Jan Insomni'hack 2024 CTF Teaser - Cache Cache

2023

• 15 Sep A Deep Dive into TPM-based BitLocker Drive Encryption
• 14 Aug CVE-2022-41099 - Analysis of a BitLocker Drive Encryption Bypass
• 17 Mar Bypassing PPL in Userland (again)
• 26 Jan Insomni'hack 2023 CTF Teaser - InsoBug

2022

• 04 Dec Debugging Protected Processes
• 24 Jul The End of PPLdump
• 23 May Revisiting a Credential Guard Bypass

2021

• 02 Sep From RpcView to PetitPotam
• 01 Aug Fuzzing Windows RPC with RpcView
• 22 Apr Bypassing LSA Protection in Userland
• 07 Apr Do You Really Know About LSA Protection (RunAsPPL)?
• 21 Feb An Unconventional Exploit for the RpcEptMapper Registry Key Vulnerability

2020

• 12 Nov Windows RpcEptMapper Service Insecure Registry Permissions EoP
• 19 Aug Windows .Net Core SDK Elevation of Privilege
• 21 Jun CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability
• 01 Jun Chimichurri Reloaded - Giving a Second Life to a 10-year old Windows Vulnerability
• 02 May PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019
• 24 Apr Windows DLL Hijacking (Hopefully) Clarified
• 10 Apr Windows Server 2008R2-2019 NetMan DLL Hijacking
• 18 Mar CVE-2020-0863 - An Arbitrary File Read Vulnerability in Windows Diagnostic Tracking Service
• 11 Mar CVE-2020-0787 - Windows BITS - An EoP Bug Hidden in an Undocumented RPC Function
• 14 Feb CVE-2020-0668 - A Trivial Privilege Escalation Bug in Windows Service Tracing

2019

• 11 Dec CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM
• 05 Dec Give Me Back My Privileges! Please?
• 19 Aug Weaponizing Privileged File Writes with the USO Service - Part 2/2
• 17 Aug Weaponizing Privileged File Writes with the USO Service - Part 1/2
• 18 Apr Windows Privilege Escalation - DLL Proxying

2018

• 29 Dec VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 2/2
• 12 Dec VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 1/2
• 03 Sep CVE-2019-19544 - CA Dollar Universe 5.3.3 'uxdqmsrv' - Privilege Escalation via a Vulnerable SUID Binary
• 06 Jun CVE-2017-13130 - BMC Patrol 'mcmnm' - Privilege Escalation via a Vulnerable SUID Binary