https://itm4n.github.io/A blog about pentesting with a focus on Windows security research. 2026-04-04T09:07:24+02:00 itm4n https://itm4n.github.io/ Jekyll © 2026 itm4n /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png 2026-04-02T00:00:00+02:00 2026-04-04T09:06:57+02:00 https://itm4n.github.io/bitlocker-little-secrets-the-undocumented-fve-api/ itm4n

The purpose of the BitLocker check I implemented in PrivescCheck is to determine whether the system drive is protected, and if so, whether two-factor authentication is configured (typically TPM+PIN). You’d think that it’s a simple thing to do, but it is not, at least without administrator rights. Known Techniques for Getting BitLocker Status All the official or publicly documented methods for...

2026-03-22T00:00:00+01:00 2026-03-28T13:53:03+01:00 https://itm4n.github.io/cve-2026-20817-wersvc-eop/ itm4n

This vulnerability was such a gaping hole in the Windows Error Reporting service that Microsoft completely removed the affected feature. A low privilege user could simply send a specially crafted ALPC message with a reference to a command line that the service executed with SYSTEM privileges. At least that’s what I thought initially. MSRC Vulnerability Summary CVE-2026-20817 is local privileg...

2026-02-24T00:00:00+01:00 2026-03-14T15:28:26+01:00 https://itm4n.github.io/cve-2025-59201-ncsi-eop/ itm4n

It’s been a while since I last dug into a Patch Tuesday release. With an extraordinarily high number of 177 CVEs, including 6 that were either already public or exploited in the wild, the October 2025 one seemed like a good opportunity to get back at it. The one I ended up investigating in depth was CVE-2025-59201, an elevation of privilege in the “Network Connection Status Indicator”. MSRC Vu...

2025-06-15T00:00:00+02:00 2025-06-15T00:00:00+02:00 https://itm4n.github.io/offline-extraction-of-symantec-account-connectivity-credentials/ itm4n

In the previous post, I highlighted some of the changes made in the Symantec Management Agent, and showed how it affected the retrieval of the Account Connectivity Credentials (ACCs), based on original research by MDSec. Although my initial intent was to implement a check for PrivescCheck, I ended up extending the research on the subject, and eventually found how to extract the credentials offl...

2025-06-11T00:00:00+02:00 2025-06-11T00:00:00+02:00 https://itm4n.github.io/checking-symantec-account-credentials-privesccheck/ itm4n

You may have heard or read about Symantec Account Connectivity Credentials (ACCs) thanks to a blog post published by MDSec last December (2024). I wanted to integrate this research as a new check in PrivescCheck, but this turned out to be a bit more challenging than I thought. Context Last December (2024), MDSec published a great blog post discussing some interesting findings about the Symant...