Oh MyAudi!

This is quite a different post from my usual ones, as it is not related to Windows vulnerabilities 😉. Recently, I have been looking into the myAudi connected vehicle platform "Audi Connect and Remote Control", specifically the APIs behind the myAudi web and mobile apps. The reason is quite simple. I was frustrated by…

LmCompatibilityLevel and the PDC Trap

LmCompatibilityLevel determines which NTLM and LM authentication protocols are accepted for inbound and outbound connections for Windows machines. On domain controllers, the minimum recommended setting is 3, but ideally it should be set to 5 to completely block incoming connections from clients still using the legacy NTLMv1 protocol. In some cases, however, you may need…

Changing Windows Passwords in the Most Complex Way

Why write a post about changing Windows passwords programmatically when so many built-in and third-party tools already let us do it effortlessly? The answer is simple: curiosity. It drives us to understand the underlying mechanisms of the systems we interact with, explore hidden parts, and sometimes even uncover unintended behaviors or security flaws. This post…

The (Almost) Forgotten Vulnerable Driver

Vulnerable Windows drivers remain one of the most exploited methods attackers use to gain access to the Windows kernel. The list of known vulnerable drivers seems almost endless, with some not even blocked by AV/EDR solutions or included in Microsoft's Driver Block List. Some time ago, I revisited an old post of mine about creating…

Group Policy Security Nightmares pt2

In this second super short post, I want to explore an unusual Group Policy Object (GPO) configuration I recently encountered. The GPO in question used a File Preference policy to copy a custom HOSTS file from a remote share to the local machine's HOSTS file. This caught my attention because it introduced an unexpected element…

Group Policy Security Nightmares pt 1

In the realm of IT administration, Group Policies serve as a powerful tool for centrally managing and controlling various aspects of an Active Directory network environment in a Windows-based operating system. They provide a way to enforce consistent settings and configurations across multiple computers and user accounts within a domain or organizational unit. In this…

The “Fake” Potato

While exploring the DCOM objects for the "SilverPotato" abuse, I stumbled upon the "ShellWindows" DCOM application. This, along with "ShellBrowserWindows", is well-known in the offensive security community for performing lateral movements by instantiating these objects remotely with admin privileges. However, I was curious to understand if they could be abused locally by a standard user.…