Rémi GASCOU (Podalirius)
@podalirius_
Security Researcher & Speaker | Microsoft Security MVP | Developer of security tools 🎬 http://youtube.com/c/Podalirius
Ever wanted to trigger a #NTLM authentication to a machine using every possible RPC call? You can do this using #Coercer 🥳🎉 This tool automatically detects available pipes and protocols and calls every possible function to trigger an #authentication. github.com/p0dalirius/Coe…
If only the docs were up to date
MICROSOFT JUST UNLOCKED THE DOCS MCP SERVER — THE GAME HAS CHANGED. 🔥 Instant, official answers streamed straight from Learn docs Zero scraping, zero stale content, pure Model Context Protocol power Plug it into Copilot Studio and watch your agents quote chapter-and-verse in…
My first @SpecterOps blog! Ever wanted to collect Active Directory information from LDAP for a Red Team? Using LDAP's more OPSEC-considerate cousin: ADWS can be used to improve upon the already present advantages of using smaller-scaling LDAP queries. specterops.io/blog/2025/07/2…
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com 1/4
If you’re planning to promote your research with a website, better prepare for some quite hostile takes! (Yes, I am practicing responsible disclosure as always)
SCCM’s Management Points can leak more than you’d expect. @unsigned_sh0rt shows how Network Access Accounts, Task Sequences, and Collection Settings can be stolen by relaying a remote Management Point to the site database. Check it out ⬇️ ghst.ly/4eNLaHU
😈 Read the new article "Daemon Ex Plist: LPE via MacOS Daemons" by our researcher Egor Filatov. This research reveals a vulnerability affecting popular apps like Mozilla VPN, Tunnelblick & more. swarm.ptsecurity.com/daemon-ex-plis…
Golden dMSA: One key to rule them all. Just found a new flaw in Windows Server 2025's dMSAs that lets attackers brute-force ALL managed service account passwords with 1024 attempts. This research builds on the awesome research Golden gMSA (@YuG0rd). semperis.com/blog/golden-dm…
🚀 Ever heard of ControlPlane, software to help you automate tasks on macOS? Turns out, it might also help you become root. Oops! 😱 @coiffeur0x90 found a Local Privilege Escalation vulnerability. Read before someone automates your admin rights 👉 blog.quarkslab.com/controlplane_l…
Hello, flock! It's time for the July newsletter on the new features added to Magic Regrowth during the month of June
The planners have confirmed a 14-July start for the next ARISS SSTV series. 12 images will start transmitting around 09:15 UTC | 05:15 AM ET next Monday. Event will run across parts of 7 days.
Opening a new chapter 📖 From tinkering with old systems to giving talks at @BlackHatEvents, it’s been a wild ride. I am thrilled to share that I’m joining @SpecterOps as a Senior Security Researcher! Time to go full-time into deep technical security research🥰

Well, there was someone playing with the WiFi 7h30th3r0n3.fr/how-i-hacked-h…
Today was my last day as a pentester at Bsecure, and it feels a bit surreal. After a three-year journey of hunting on the side, I’m finally ready to go all-in as a full-time bug bounty hunter. To celebrate this milestone, I've written an article sharing the full story. It’s a…
How to find the Entra ID sync server - A new NetExec module🔎 Inspired by the great Entra ID talks at #Troopers25, I looked into how to find the Entra ID sync server. Results: The description of the MSOL account, as well as the ADSyncMSA service account reference this server🚀
Last week we added ELEVATE-4 github.com/subat0mik/Misc… to Misconfiguration Manager. tl;dr If SCCM uses AD CS for PKI, client auth certs are "borrowed" by clients during OSD. This will typically be a distribution point but could be the site server in all-in-one deployments...
🔍 New tool in The Manticore Project: LDAPWordlistHarvester This tool allows you to create precise wordlists for finding passwords of users in an Active Directory domain using its LDAP data. ➡️ github.com/TheManticorePr…
Regarding #CVE-2025-33073 fixing NTLM/Kerberos reflection attacks via SMB: the patch only covers SMB clients. The "CredMarshal" trick still works on RPC and HTTP. But those protocols set the unverified target flags, which block exploitation. So, is reflection dead? Let’s see…
Happy Friday! @tifkin_ and I are happy to announce that we have cut the release for Nemesis 2.0.0 - check out the CHANGELOG for a (brief) summary of changes, and dive into our new docs for more detail! We're extremely proud and excited for this release github.com/SpecterOps/Nem…
Lovely hack to pay less to OpenAI when transcribing. Just speed up the audio you send to them.
I publish two blog posts today! 📝🐫 The first dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06/2… The second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06/2…