Clément Labro

Screenshot showing the output of the proof-of-concept tool "SMAStorageDump", where ACCs are dully decrypted.

🆕 New blog post!

"Offline Extraction of Symantec Account Connectivity Credentials (ACCs)"

Following my previous post on the subject, here is how to extract ACCs purely offline.

👉 itm4n.github.io/offline-extr...

#redteam #pentesting

Sample output of PrivescCheck showing the information collected about the Symantec Management Agent (SMA).

🆕 New blog post!

"Checking for Symantec Account Connectivity Credentials (ACCs) with PrivescCheck"

This blog post is not so much about PrivescCheck, but rather brings additional insight to the original article published by MDSec on the subject.

👉 itm4n.github.io/checking-sym...

#redteam

🆕 New blog post! It's a rather short one, nothing crazy. Just wanted to share a random finding I made recently. 🤷‍♂️

'Hijacking the Windows "MareBackup" Scheduled Task for Privilege Escalation'

👉 blog.scrt.ch/2025/05/20/h...

#pentest #pentesting #redteam #windows #privilegeescalation

Automating MS-RPC vulnerability research Diving into the MS-RPC protocol and how to automate vulnerability research using a fuzzing approach.

This blog post brings automated Windows RPC research to the next level! 🔥

www.incendium.rocks/posts/Automa...

The writing quality is also excellent. 📝

#windows #research

Another example of a Windows 0-day found with PrivescCheck. Congrats to Compass Security for investigating the issue and exploiting it. 👏

blog.compass-security.com/2025/04/3-mi...

You're absolutely right! 😬
Thanks for your message. I'll do that. 🙂
This whole DLL thing is essentially a dirty hack anyway.

Screenshot showing the execution of the proof-of-concept named PowerChell in comparison to a typical PowerShell prompt. In particular, it shows that PowerChell is able to bypass the Constrained Language Mode (CLM).

In this blog post, I explain how I was able to create a PowerShell console in C/C++, and disable all its security features (AMSI, logging, transcription, execution policy, CLM) in doing so. 💪

👉 blog.scrt.ch/2025/02/18/r...

New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...

Process Hollowing on Windows 11 24H2 Process Hollowing (a.k.a. RunPE) is probably the oldest, and the most popular process impersonation technique (it allows to run a malicious executable under the cover of a benign process). It is us…

In case if you wonder what broke #ProcessHollowing on Windows 11 24H2, I have something for you: hshrzd.wordpress.com/2025/01/27/p...

Windows BitLocker -- Screwed without a Screwdriver Breaking up-to-date Windows 11 BitLocker encryption -- on-device but software-only

Really great blog post about bypassing BitLocker using "PXE soft reboot" (even if PXE boot is disabled in the BIOS).

"Windows BitLocker -- Screwed without a Screwdriver"

👉 neodyme.io/en/blog/bitl...
👉 media.ccc.de/v/38c3-windo...

Diagram representing the various Windows Point and Print configurations that reintroduce the PrintNightmare exploit variants.

I updated the diagram representing the different Point and Print configurations and their exploitation on my blog.

Hopefully, this should provide a better understanding of the whole "PrintNightmare" situation to both defenders and red teamers. 🤞

Interestingly enough, MS disabled the "Use my Windows user account" checkbox when connecting to Wi-Fi on the lock screen to address CVE-2024-38143 in the August Patch Tuesday.

This change completely remediates the "Airstrike" attack as well. 🤯

support.microsoft.com/en-us/topic/...

I'm glad to release the tool I have been working hard on the last month: #KrbRelayEx
A Kerberos relay & forwarder for MiTM attacks!
>Relays Kerberos AP-REQ tickets
>Manages multiple SMB consoles
>Works on Win& Linux with .NET 8.0
>...
GitHub: github.com/decoder-it/K...

Thanks!
Yes, I already thought about doing something like this, and I already took a look at cross-references to find the offset of the object. I didn't take the time to check older versions though, there might be some diffs to take into consideration. There is clearly more to work on. :)

🆕 New blog post! "Exploiting KsecDD through Server Silos"

In my latest mini research project, I've been working with my teammate @PMa1n (X) on extending the work of @floesen_ (X) on the KsecDD driver. I'm thrilled to finally share the results.

👉 blog.scrt.ch/2024/11/11/e...

"A Trick, The Story of CVE-2024-26230" by k0shl

Write-up about the discovery and exploitation of a UAF vulnerability in the Windows Telephony service + CFG bypass leading to local privilege escalation. 🔥🔥🔥

whereisk0shl.top/post/a-trick...

GitHub - itm4n/PrivescCheck: Privilege Escalation Enumeration Script for Windows Privilege Escalation Enumeration Script for Windows - itm4n/PrivescCheck

🆕​ New PrivescCheck extended check!

ℹ️​ The script can now enumerate dangerous default file extension associations, such as '.bat' or '.wsh'.

⚠️​ A manual review of the result is always recommended, but for the most part, it should be fine.

github.com/itm4n/Prives...

Extracting PEAP Credentials from Wired Network Profiles A colleague of mine recently found himself in a situation where he had physical access to a Windows machine connected to a wired network using 802.1X and saved user credentials for the authentication....

​🆕 New blog post! "Extracting PEAP Credentials from Wired Network Profiles"

ℹ️​ Nothing new under the sun, you might think?! Well, think twice, because this seemingly trivial task took an unexpected turn.

👉 itm4n.github.io/peap-credent...