Security Review #306

May 07, 2026

The enemy does not check your risk register prior to attacking.

— The Art of Cyber War

Starred Articles

AI-powered honeypots: Turning the tables on malicious AI agents

This blog shows how generative AI allows defenders to instantly create diverse honeypots, like Linux shells or Internet of Things (IoT) devices, using simple text prompts.

The New Ouroboros Technique and How It Fits in dMSA's Security Model

Delegated Managed Service Accounts (dMSAs) move away from LDAP-based password retrieval toward a Kerberos-based credential issuance flow, introducing new logic-based risks. Specifically, the Ouroboros primitive demonstrates that if an attacker controls dMSA permissions, they can inherit the privileges of the superseded legacy account.

New Articles

dMSA Ouroboros: Self-Sustaining Credential Extraction in Windows Server 2025

A fully patched Windows Server 2025 domain is vulnerable to dMSA Ouroboros - a self-sustaining credential extraction technique requiring only standard delegated permissions. This article discusses how this attack works, why remediation fails, and how to detect it.

The AWS Bedrock API Keys Security Guide Part 1: Risks, Vulnerabilities, and Attack Techniques

This article documents the security risks introduced by AWS Bedrock API keys, the authentication method AWS provides for Amazon Bedrock. The most critical risk is the "phantom user" problem: when a long-term Bedrock API key is created through the AWS Console, AWS automatically provisions an IAM user and attaches the AmazonBedrockLimitedAccess managed policy without explicit user confirmation.

Boutique phishing kit Saiga 2FA hides behind 'lorem ipsum' metadata

Saiga 2FA is a rare but highly sophisticated boutique phishing kit that uses adversary-in-the-middle (AitM) techniques to bypass multifactor authentication and steal session cookies in real time. Phishing campaigns leverage DocuSign-themed lures, QR code phishing, and layered redirection chains to appear legitimate.

Hunting NTDS.dit Theft via VSS & NTFS Logs

We explain how attackers can steal a domain controller's Active Directory database (NTDS.dit) by using Volume Shadow Copy (VSS) and how investigators can detect this theft by correlating low‑level NTFS operational logs and related artifacts to reconstruct the exfiltration timeline.

Windows Privilege Escalation - Part 2: Running through PrivEsc Paths from Zero

Working through HackTheBox's Windows Privilege Escalation module as a beginner, we will document every token abuse, group membership exploit, and real mistake identified. This journey will lead us to SYSTEM through SeImpersonate, DnsAdmins, Server Operators, SeBackupPrivilege and more.

Ghosts of Encryption Past - How we Read All Your Emails in Salesforce Marketing Cloud

We discovered multiple critical flaws in Salesforce Marketing Cloud’s templating engine and its “view‑email” link encryption: unsafe AMPScript/SSJS template injection, double‑evaluation of subject lines, and a weak, exploitable CBC‑based encryption scheme. Chained together they let attackers read or alter any subscriber data and emails across tenants.

Komari Red: The Monitoring Tool with a Built-in Reverse Shell

A threat actor walked in on stolen VPN credentials, pivoted via Impacket's smbexec.py, and installed Komari, a 4.3k-star open-source monitoring agent, as a SYSTEM-level backdoor masquerading as the "Windows Update Service". No custom loader, no attacker-controlled staging - the installer came straight from GitHub.

A Practical Guide to BloodHound Data Collection

BloodHound is a tool used to enumerate Active Directory (AD) information. It provides a visual view of relationships between AD objects, which can be used to identify paths of domain privilege escalation. In this blog, we will focus on various methods to collect AD data to provide to BloodHound as input.

Auditing Application Permissions in Microsoft Entra ID: Hidden Risks, Pitfalls, and Quarkslab's QAZPT Tool

This blog post explores Entra ID applications and the complexities of auditing application permissions in Microsoft Entra ID, highlighting hidden risks and pitfalls. It introduces the QAZPT tool, designed to compute and visualize effective permissions in an Entra ID tenant, providing insights into the full picture of permissions and inheritance paths.

CI/CD pipeline abuse: the problem no one is watching

How we built an open-source, drop-in CI template that uses signal extraction and LLM reasoning to catch CI/CD abuse in GitHub Actions, GitLab CI, and Azure DevOps pipelines.

TCLBANKER: Brazilian Banking Trojan Spreading via WhatsApp and Outlook

Technical analysis of TCLBANKER, a banking trojan deployed by a trojanized Logitech installer, with environment-gated payloads, WPF fraud overlays, and self-propagating WhatsApp and Outlook worm modules.

Still Recent

Understanding Windows Artefacts as Evidence, Not Indicators

Windows forensic artefacts are one of the core evidence sources used in digital forensics and incident response (DFIR) investigations. In this article, we’ll cover why Windows artefacts are evidence, the difference between indicators and evidence, how scope, retention, environment, and noise affect interpretation, a model for building defensible evidence claims, and common cognitive traps that lead analysts to overstate conclusions.

Jenny was a Friend of Mine - MCPs and Friends

I'm going to deep dive into how I built an autonomous vulnerability hunting system using Claude Code and MCP, and some of the bugs it's found along the way.

Fuzzing to Zero-Day: Pwning V8CTF With TurboFan Type Confusion, CVE-2025-2135

We discovered a type-confusion vulnerability in Chrome’s V8 engine that can be exploited to achieve remote code execution (CVE-2025-2135). In this post, we’ll walk through the bug’s root cause, demonstrate a proof of concept, detail the step-by-step exploitation process, and examine how Google patched the vulnerability.

Oldies but Goodies

EDR Silencing

We detail how attackers with elevated privileges can disable or hide EDR sensors by blocking the agents' outbound traffic, using Windows Filtering Platform filters, hosts‑file or DNS policy edits, routing/IPSec tweaks, and secondary IP assignment. We also outline the corresponding detection methods and mitigation steps.

From Zero to SYSTEM: Building PrintSpoofer from Scratch

A complete journey from understanding Named Pipes to building an undetectable PrintSpoofer, learning Windows internals, token impersonation, RPC, and evasion techniques along the way.