2023
2022
- 04 Dec Debugging Protected Processes
- 24 Jul The End of PPLdump
- 23 May Revisiting a Credential Guard Bypass
2021
- 02 Sep From RpcView to PetitPotam
- 01 Aug Fuzzing Windows RPC with RpcView
- 22 Apr Bypassing LSA Protection in Userland
- 07 Apr Do You Really Know About LSA Protection (RunAsPPL)?
- 21 Feb An Unconventional Exploit for the RpcEptMapper Registry Key Vulnerability
2020
- 12 Nov Windows RpcEptMapper Service Insecure Registry Permissions EoP
- 19 Aug Windows .Net Core SDK Elevation of Privilege
- 21 Jun CVE-2020-1170 - Microsoft Windows Defender Elevation of Privilege Vulnerability
- 01 Jun Chimichurri Reloaded - Giving a Second Life to a 10-year old Windows Vulnerability
- 02 May PrintSpoofer - Abusing Impersonation Privileges on Windows 10 and Server 2019
- 24 Apr Windows DLL Hijacking (Hopefully) Clarified
- 10 Apr Windows Server 2008R2-2019 NetMan DLL Hijacking
- 18 Mar CVE-2020-0863 - An Arbitrary File Read Vulnerability in Windows Diagnostic Tracking Service
- 11 Mar CVE-2020-0787 - Windows BITS - An EoP Bug Hidden in an Undocumented RPC Function
- 14 Feb CVE-2020-0668 - A Trivial Privilege Escalation Bug in Windows Service Tracing
2019
- 11 Dec CDPSvc DLL Hijacking - From LOCAL SERVICE to SYSTEM
- 05 Dec Give Me Back My Privileges! Please?
- 19 Aug Weaponizing Privileged File Writes with the USO Service - Part 2/2
- 17 Aug Weaponizing Privileged File Writes with the USO Service - Part 1/2
- 18 Apr Windows Privilege Escalation - DLL Proxying
2018
- 29 Dec VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 2/2
- 12 Dec VBA RunPE - Breaking Out of Highly Constrained Desktop Environments - Part 1/2
- 03 Sep CVE-2019-19544 - CA Dollar Universe 5.3.3 'uxdqmsrv' - Privilege Escalation via a Vulnerable SUID Binary
- 06 Jun CVE-2017-13130 - BMC Patrol 'mcmnm' - Privilege Escalation via a Vulnerable SUID Binary