Friends & Security

A Microsoft-signed Windows Defender kernel driver (KslD.sys) exposes unrestricted physical memory read primitives, enabling KASLR bypass, PPL-protected LSASS credential dumping, and EDR evasion—without loading any external driver.

We show a Cross-Tenant ROPC issue that evades Conditional Access Policies. Attackers can successfully authenticate and generate "Success" logs without triggering MFA, though the resulting token grants no actual access to resources.

What happens when you skip memory allocation, skip writing, and weaponize thread context alone? This post explores a new class of process injection that lives entirely in the execution layer — no alloc, no write, just a well-placed hijack.

ShareFiltrator is a Python tool designed for enumerating and bulk downloading sensitive files from SharePoint and OneDrive using authenticated cookies. It leverages SharePoint’s search API to identify files with credentials, highlighting misconfigurations from lax sharing permissions. The tool aids in extracting secrets while also discussing mitigation strategies.

ShadowHound is a PowerShell tool designed for mapping Active Directory environments without using known malicious binaries. It utilizes legitimate PowerShell modules for data collection through two methods: ADWS and LDAP.

In this blog, we reveal a new method for unprivileged users to identify Microsoft Defender exclusion paths using MpCmdRun.exe, without relying on event logs. We also introduce SharpExclusionFinder, a C# tool for automating exclusion discovery, and provide tips for defenders to monitor and mitigate this risk.

In this article, we will go over the WMI technology, the potential attack vectors it opens, some detection pitfalls (from an attacker’s perspective), and how we can enumerate the technology for useful capabilities. We will close up with an example of escalating a remote registry write primitive into remote execution.

Long story short — it is possible to phish the phishing resistant authentication method: Windows Hello for Business by downgrading the authentication, here’s how you can defend from it

In this blog we will dive into some unexpected techniques that allow an Azure user with Storage Account permissions to abuse them for privilege escalation and lateral movement. We will discuss prior work on storage to Azure Cloud Shell & Azure Function App and share a new technique around Azure Standard Logic App.

We found that it was possible to access sensitive log files before they were encrypted. This situation points to a potential security gap, allowing critical data to be accessed without the usual decryption steps.

In this blog, we will examine what DCOM and ActiveX are, how they work, and the potential security risks associated with using them to run commands remotely through Internet Explorer.