cybrz cybrz - Bluesky Statics

WinGet can be more than a package manager. We show how .𝚠𝚒𝚗𝚐𝚎𝚝 configs + a self-referencing LNK become a viable initial access payload when Microsoft Store is enabled. Includes detection queries & mitigation tips.
blog.compass-security.com/2026/03/wing...
#RedTeam #Windows #LOLBins #InitialAccess

03.03.2026 16:15 — 👍 4 🔁 3 💬 0 📌 0

John Ostrowski (Compass Security) and Manuel Kiesel (Cyllective AG) worked together on CVE-2025-13154, a Lenovo Vantage LPE. Even after Microsoft closed a known primitive, collaboration led to a working PoC.

blog.compass-security.com/2026/02/from...

#Windows #CVE #SecurityResearch #PrivEsc

10.02.2026 08:33 — 👍 6 🔁 4 💬 0 📌 0

People know I am all crazy about electricity and electronics. So, I am specially excited about this one and I must admit I am very tempted to get hands on European chargers. Unfortunately, there is no vacation in sight yet 🤪.

21.01.2026 06:40 — 👍 0 🔁 0 💬 0 📌 0

…. forgot to ask: Where can I get the nice screensaver for my Alpine infotainment? 😜

21.01.2026 06:35 — 👍 1 🔁 0 💬 0 📌 0

Congratz for the nice find! I am very impressed and would love to see Alpine fix one or the other issue eventually… sometime… any soon?

21.01.2026 06:33 — 👍 1 🔁 0 💬 0 📌 0

Zero Day Initiative — Pwn2Own Automotive 2026 - The Full Schedule おかえりなさい (Welcome back!) The third annual Pwn2Own Automotive competition has returned to Automotive World in Tokyo, and the excitement is building. This year marks a major milestone for Pwn2Own, with...

The schedule is out! 🗓️ We’re hitting the stage on January 21st at 12:30 JST (4:30 CET) and at 14:00 JST (6:00 CET). Time to see if all the work in the lab pays off. Wish us luck! #Pwn2Own

www.zerodayinitiative.com/blog/2026/1/...

20.01.2026 12:46 — 👍 2 🔁 1 💬 0 📌 0

🤞 fingers crossed you guys get drawn for the pole position and get away without collisions.

🇨🇭#BringEnHei

19.01.2026 17:28 — 👍 1 🔁 0 💬 0 📌 0

There will be… Switzerland's highest max. bounty EVER

18.12.2025 12:59 — 👍 0 🔁 0 💬 0 📌 0

YouTube video by Compass Security Fuzzing and AFL++

In a new video, Nicolò @rationalpsyche.bsky.social walks through how to fuzz with AFL++, how to pick targets, avoid common pitfalls, and boost effectiveness. Find performance tips, fuzzing theory, and AFL++ internals.

Watch here: youtu.be/L5Tin7m5sbE?...

#security #fuzzing #AFLplusplus #appsec

16.12.2025 08:38 — 👍 3 🔁 2 💬 0 📌 0

NTLM relay works against HTTPS if channel binding is missing. Our new blog post explains why, shows how tooling evolved, and highlights defensive measures.

blog.compass-security.com/2025/11/ntlm...

26.11.2025 09:53 — 👍 3 🔁 3 💬 0 📌 0

🧭 Navigation complete! The team from Compass Security just charted a course straight into @home_assistant Green at #Pwn2Own. They head off to the disclosure room to spill how they did it. #P2OIreland

21.10.2025 15:28 — 👍 5 🔁 3 💬 0 📌 0

#Pentest of gRPC-Web apps is tricky due to the binary format. We are releasing bRPC-Web, a @portswigger.net @burpsuite.bsky.social extension developed by our @muukong.bsky.social that helps manipulate #gRPC-Web traffic, even in absence of #protobuf schemas. blog.compass-security.com/2025/10/brpc...

21.10.2025 11:38 — 👍 7 🔁 3 💬 0 📌 0

Zero Day Initiative — Pwn2Own Ireland 2025: The Full Schedule Welcome to Pwn2Own Ireland 2025! We have some amazing spooky entries for this year’s contest, and a potential of up to $2,000,000 - including our largest ever single prize for a 0-click in WhatsApp fo...

@thezdi.bsky.social #Pwn2own schedule is out. Compass folks have been drawn 3rd to exploit the @home-assistant.io Green for $40,000. 🤞for a #bounty today Tuesday Oct 21st, 5pm (Swiss time). #ethicalhacking

Schedule www.zerodayinitiative.com/blog/2025/20...

21.10.2025 06:13 — 👍 2 🔁 1 💬 0 📌 0

YouTube video by Compass Security Kerberos Deep Dive Part 6 - Resource-Based Constrained Delegation

The final episode of our Kerberos deep dive is live!

RBCD opens new attack paths in Kerberos. Learn how misconfigs enable privilege escalation and how to defend.

youtu.be/l97RDnzdrXY?...

#Kerberos #ActiveDirectory

18.09.2025 05:19 — 👍 4 🔁 3 💬 0 📌 0

YouTube video by Compass Security Kerberos Deep Dive Part 5 - Constrained Delegation

Episode 5 of our Kerberos deep dive is live. Constrained delegation isn’t bulletproof. See how attackers exploit it, and how to defend with monitoring & best practices.

youtu.be/rnhr02eKU0I?...

#Kerberos #ActiveDirectory

16.09.2025 06:55 — 👍 3 🔁 2 💬 0 📌 0

YouTube video by Compass Security Kerberos Deep Dive Part 4 - Unconstrained Delegation

Episode 4 of our Kerberos deep dive is live. Unconstrained delegation can expose critical credentials. Learn how attackers abuse it. And how to lock down your systems.

youtu.be/_6FYZRTJQ-s?...

#Kerberos #ActiveDirectory

11.09.2025 17:52 — 👍 3 🔁 1 💬 0 📌 0

YouTube video by Compass Security Kerberos Deep Dive Part 3 - AS-REP Roasting

Episode 3 of our Kerberos deep dive is live. AS-REP Roasting abuses accounts without pre-auth. Learn the risks, how attackers exploit it, and how to defend.

youtu.be/56BjmyOTN5o?...

#Kerberos #ActiveDirectory

09.09.2025 13:22 — 👍 3 🔁 3 💬 0 📌 0

We use @jameskettle.com Burp extension Collaborator Everywhere daily. Now our upgrades are in v2: customizable payloads, storage, visibility. Perfect for OOB bugs like SSRF.

Find out more here: blog.compass-security.com/2025/09/coll...

#AppSec #BurpSuite #Pentesting

09.09.2025 11:54 — 👍 8 🔁 6 💬 0 📌 0

YouTube video by Compass Security Kerberos Deep Dive Part 2 - Kerberoasting

Episode 2 of our Kerberos deep dive is live.

Kerberoasting lets attackers steal AD service account credentials. See how it works and how to protect your systems: youtu.be/PhNspeJ0r-4?...

#Kerberos #ActiveDirectory

04.09.2025 07:39 — 👍 5 🔁 4 💬 0 📌 0

Kerberos powers auth in Windows and hides big security risks. We’re launching a 6-part deep dive: from protocol basics to attacks plus how to stop them.

Starts today → blog.compass-security.com/2025/09/tami... → Subscribe to our channel!

#Kerberos #ActiveDirectory

03.09.2025 06:39 — 👍 5 🔁 2 💬 1 📌 1

Calling all bug hunters! schulNetz by Centerboard AG is now in scope! Help protect over 100k users in schools. Are you ready to make the grade and earn bounties? Program: bugbounty.compass-security.com/bug-bounties... #bugbounty #cybersecurity #ethicalhacking

01.09.2025 07:47 — 👍 3 🔁 2 💬 0 📌 0

Passwords are dead, long live passkeys! 🔑

In our latest blog, we go hands-on: real-life setups, plus tips for recovery and avoiding pitfalls.

blog.compass-security.com/2025/08/into...

#Passkeys #CyberSecurity #Authentication

26.08.2025 09:48 — 👍 4 🔁 3 💬 0 📌 0

Burp collaborator just got a bunch a new features. Credits go to our @compass-security.com Basel team member, Andreas 🙏

15.07.2025 06:29 — 👍 6 🔁 1 💬 0 📌 0

LLM-based vuln hunting just leveled up with xvulnhuntr - a fork of vulnhuntr with support for: C#, Java, Go. Read @rationalpsyche.bsky.social's blog post and go grab the project on GitHub.
blog.compass-security.com/2025/07/xvul...

08.07.2025 08:41 — 👍 3 🔁 2 💬 0 📌 0

Excited to talk today at @reconmtl.bsky.social with @droethlisberger.bsky.social about a 2017 iOS persistence exploit used by NSO's Pegasus (and, interestingly, other threat actors too)! 10:00AM in the Grand Salon cfp.recon.cx/recon-2025/t...

29.06.2025 13:45 — 👍 11 🔁 5 💬 0 📌 0

Exploiting the @ubiquiti.bsky.social AI Bullet camera for #Pwn2Own made us sweat more than once.
But persistence paid off. Our detailed blog post is now live: blog.compass-security.com/2025/06/pwn2...

#penetrationtest #pentest #iot #embedded #cybersecurity
www.compass-security.com/en/services/...

26.06.2025 14:38 — 👍 5 🔁 2 💬 1 📌 0

High-resolution photo of Compass Security’s IoT and industrial penetration-testing workspace: on a light wooden workbench a large-lens, black surveillance camera sits half-disassembled beside its white Synology® housing, revealing the internal printed-circuit board, image sensor and ribbon connectors targeted during firmware extraction and vulnerability analysis. A chaotic web of multicolored diagnostic leads, Ethernet patch cables, alligator clips, UART/serial breakout wires and power adapters snakes across the table, illustrating real-world hardware hacking, fault-injection and secure-boot bypass techniques used in red-team assessments of networked CCTV, smart-factory and critical OT devices. The blue pentagonal TROOPERS25 shield logo occupies the upper-right corner, signalling that this lab scene supports Compass Security’s conference presentation on Pwn2Own-grade research into surveillance-camera exploits, remote-code-execution vectors and zero-day discovery. The image underscores expert penetration-testing methodology—threat modeling, reverse engineering, embedded Linux analysis, secure-element probing and API fuzzing.

Thrilled for #TROOPERS25 Thursday! Emanuele & @yvesbieri.bsky.social share #Pwn2Own wins on #surveillance cams. Method, #exploit, lessons. Drop in, trade war-stories!

Talk: troopers.de/troopers25/t...
Compass pentest: www.compass-security.com/en/services/... #cybersecurity #iot #hw #fw #ot

25.06.2025 05:59 — 👍 8 🔁 5 💬 0 📌 0

Primate traits run deep at Teleboy smart, curious, and always evolving. If that sounds like you, challenge the boundaries of their infra and secure streaming, internet, and phone experience of 400'000+ users. #bugbounty #ethicalhacking #cybersecurity bugbounty.compass-security.com/bug-bounties...

02.06.2025 07:41 — 👍 2 🔁 1 💬 0 📌 0

Many CI/CD tools promise to keep your dependencies up to date - but if misconfigured, they can expose your organization. From token leaks to MR hijacks, Jan's latest blog post shows how bad configuration can turn a security tool into an attack vector. 🛠️💣

blog.compass-security.com/2025/05/reno...

27.05.2025 07:24 — 👍 6 🔁 3 💬 0 📌 0

Tired of sifting through Entra ID manually? EntraFalcon is a PowerShell tool that flags risky objects configs & privileged role assignments with ⚡ Scoring model 📊 HTML reports 🔒 No Graph API consent hassle. Get it now: blog.compass-security.com/2025/04/intr...
#EntraID #IAM

29.04.2025 11:08 — 👍 6 🔁 5 💬 0 📌 0

Posts by cybrz (@cybrz.bsky.social)