Yehuda Smirnov
@yudasm_
Security Researcher @Microsoft, opinions are my own.
What if you skipped VirtualAlloc, skipped WriteProcessMemory and still got code execution? We explored process injection using nothing but thread context. Full write-up + PoCs: blog.fndsec.net/2025/05/16/the…
Just a heads-up, attackers found a way to leak information, including keys entirely from memory. Checking for "the file" is not enough to assess compromise and warrant key rotation anymore. Just rotate your keys if you were exposed, period.
sharepoint.pwned.json gist.github.com/gboddin/bf6ff3…
🔥 Security researchers! Microsoft Entra ID’s new linkable token identifiers are a game-changer for tracking identity threats! 🕵️♂️ Correlate auth events across logs (Entra, Exchange, Teams, SharePoint) to hunt attackers. Dive in: techcommunity.microsoft.com/blog/microsoft…
Interesting bug in CimFS driver. More importantly, it still lives in the kernel, as "admin to kernel is not a security boundary"... A post by Chen Le Qi (@cplearns2h4ck). Great work! #redteam #maldev #malwaredevelopment starlabs.sg/blog/2025/03-c…
I'm very excited to share that Thomas Elling and I will be presenting "We Know What You Did (in Azure) Last Summer" at the DEF CON @cloudvillage_dc this year (Friday - 10 AM). We will go over some techniques that can be used to find the owners of multiple types of Azure resources.
We have reproduced "ToolShell", the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it's really just one request! Kudos to @mwulftange
It's here. The latest iteration of our Top 10 includes the most important developments in initial access tradecraft: from macOS targeting of ClickFix, to Zip Smuggling, to QRLJacking. 📚 Blog: blog.delivr.to/delivr-tos-top…
Happy Friday! We're ending the week by publishing our analysis of Fortinet's FortiWeb CVE-2025-25257... labs.watchtowr.com/pre-auth-sql-i…
Locate dll base addresses without PEB Walk: github.com/Teach2Breach/m…
VEH² technique to bypass ETW-based detection. Hardware breakpoint abuse can be detected with the Microsoft-Windows-Kernel-Audit-API-Calls provider by looking into NtSetContextThread() calls. VEH² uses two vectored exception handlers to change the thread's context without calling…
While researching in Azure with my partner @IdanLerman we found a cool misconfiguration in Azure role conditions that can lead to full subscription compromise. medium.com/@matanb707/own… #RBAC #RoleCondition #Azure #ConditionByPass
I have a new post out on the @NetSPI blog today. This one is on extracting sensitive information from the Azure Load Testing service. netspi.com/blog/technical…
Detection of modern lateral movement techniques (mainly DCOM/DCE/RPC/RDP), with examples. Some assumptions worth mentioning: visibility into source IP/port/hostname, logon activity, remote process metadata. A blog post by the @HuntressLabs team. Awesome read, guys!…
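The post above leans on exactly the telemetry a correlation rule needs: a remote logon (source IP, logon type) tied to the processes later created under that logon session. The script below is an added example, not code from the Huntress post or from the poster. It joins Windows Security events 4624 (logon) and 4688 (process creation) on the real link between them, 4624 `TargetLogonId` equals 4688 `SubjectLogonId`, and labels the channel from the parent process. The parent-to-channel mapping (`REMOTE_PARENTS`), the 60-second window, and the sample events are assumptions constructed for the example.

```python
"""Correlate remote logons with the processes they spawn (added example).

The events below are constructed for this example; they are not real logs.
"""
from datetime import datetime, timedelta

# Assumed mapping: the parent that hosts a remotely triggered payload implies
# the channel. WmiPrvSE.exe hosts WMI Win32_Process.Create, DllHost.exe hosts
# DCOM objects such as MMC20.Application, services.exe spawns service-based
# execution (PsExec-style). RDP is recognised by logon type 10 instead.
REMOTE_PARENTS = {
    "wmiprvse.exe": "WMI",
    "dllhost.exe": "DCOM",
    "services.exe": "Service (PsExec-style)",
}
WINDOW = timedelta(seconds=60)          # assumed: process must follow logon within 60 s
LOCAL_SOURCES = {"127.0.0.1", "::1", "-", ""}  # loopback / no source IP: not lateral


def _basename(path):
    """Strip the directory from a Windows image path and lower-case it."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _channel(logon, proc):
    """Name the remote-execution channel, or None if this pair is not interesting."""
    if logon["LogonType"] == 10:        # RemoteInteractive = RDP session
        return "RDP"
    return REMOTE_PARENTS.get(_basename(proc["ParentProcessName"]))


def correlate(events, window=WINDOW):
    """Return one hit per 4688 that runs under a recent remote 4624 session."""
    logons = {}
    for e in events:
        if (e["EventID"] == 4624 and e["LogonType"] in (3, 10)
                and e["IpAddress"] not in LOCAL_SOURCES):
            logons[e["TargetLogonId"]] = e   # 4624 TargetLogonId == 4688 SubjectLogonId
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        logon = logons.get(e["SubjectLogonId"])
        if logon is None:
            continue
        channel = _channel(logon, e)
        if channel is None:
            continue
        delta = datetime.fromisoformat(e["Time"]) - datetime.fromisoformat(logon["Time"])
        if not (timedelta(0) <= delta <= window):
            continue
        hits.append({
            "channel": channel,
            "source_ip": logon["IpAddress"],
            "user": logon["TargetUserName"],
            "process": _basename(e["NewProcessName"]),
            "parent": _basename(e["ParentProcessName"]),
            "seconds_after_logon": int(delta.total_seconds()),
        })
    return hits


# Constructed sample events (only the fields the rule consumes are included).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2025-07-01T10:00:00", "LogonType": 3,
     "IpAddress": "10.0.0.5", "TargetUserName": "admin", "TargetLogonId": "0x3e7a1"},
    {"EventID": 4688, "Time": "2025-07-01T10:00:03", "SubjectLogonId": "0x3e7a1",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"EventID": 4624, "Time": "2025-07-01T10:05:00", "LogonType": 10,
     "IpAddress": "10.0.0.7", "TargetUserName": "helpdesk", "TargetLogonId": "0x4f001"},
    {"EventID": 4688, "Time": "2025-07-01T10:05:30", "SubjectLogonId": "0x4f001",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe"},
    # Loopback WMI activity: same parent, but not lateral movement.
    {"EventID": 4624, "Time": "2025-07-01T10:10:00", "LogonType": 3,
     "IpAddress": "127.0.0.1", "TargetUserName": "svc", "TargetLogonId": "0x5aaaa"},
    {"EventID": 4688, "Time": "2025-07-01T10:10:01", "SubjectLogonId": "0x5aaaa",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # Same session as the first logon, but 20 minutes later: outside the window.
    {"EventID": 4688, "Time": "2025-07-01T10:20:00", "SubjectLogonId": "0x3e7a1",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # Unknown session and an uninteresting parent.
    {"EventID": 4688, "Time": "2025-07-01T10:00:05", "SubjectLogonId": "0x77777",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for h in correlate(SAMPLE_EVENTS):
        print(h)
```

The window and the loopback filter are the two knobs that control noise: without the session-id join a monitoring agent's own WMI calls would light up constantly, and without the window any long-lived admin session would match every later WmiPrvSE.exe child.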
Part 3 of the Buffer Overflows in Modern Era series has been posted! In this lengthy yet detailed walkthrough, we'll start to link ROP gadgets together, set register values, and execute VirtualAlloc() ! g3tsyst3m.github.io/binary%20explo…
Credential access via Shadow Snapshots, WMI and SMB, all done remotely. Technique implemented inside the impacket framework, accompanied by detection automation utilizing ETW providers: Microsoft-Windows-WMI-Activity + Microsoft-Windows-SMBServer. A technique developed by Peter…
#bugbountytip Quick tip and script : ✅️ If you are hunting or scanning a WordPress instance, don't forget to look for exposed plugins' or WP core REST endpoints, under /wp-json.. many plugins like payment gateways are exposing the webhooks or callback plugins in order to…
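The tip above stops short of the script itself, so here is an added example of the enumeration step, not the poster's script. The WordPress REST index at `/wp-json/` (or `/?rest_route=/` when pretty permalinks are off) lists every registered namespace and route with its allowed methods, which is what makes third-party plugin endpoints such as payment webhooks discoverable. The code parses that index, separates core namespaces from plugin ones, and flags plugin routes that accept writes or look like webhook/callback handlers. The `CORE_NAMESPACES` set, the `INTERESTING` pattern and the sample index document are assumptions constructed for the example.

```python
"""Triage WordPress REST routes from the /wp-json/ index (added example).

The sample index below is constructed for this example, not a real site.
"""
import json
import re
import urllib.request

# Assumed list of namespaces shipped by WordPress core; anything else is a
# plugin or theme namespace and is the interesting part of the attack surface.
CORE_NAMESPACES = {"", "wp/v2", "wp-site-health/v1", "wp-block-editor/v1", "oembed/1.0"}
# Assumed keywords that suggest an inbound callback handler.
INTERESTING = re.compile(r"webhook|callback|ipn|notify|hook|return", re.I)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def fetch_index(base_url, timeout=10):
    """Fetch the REST index, falling back to ?rest_route=/ for sites without pretty permalinks."""
    for url in (base_url.rstrip("/") + "/wp-json/", base_url.rstrip("/") + "/?rest_route=/"):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as r:
                return r.read().decode("utf-8", "replace")
        except Exception:
            continue
    return None


def enumerate_routes(index_json):
    """Flatten the index into one record per route with its methods and flags."""
    idx = json.loads(index_json)
    records = []
    for route, info in idx.get("routes", {}).items():
        ns = info.get("namespace", "")
        methods = set()
        for ep in info.get("endpoints", []):      # each endpoint lists its own methods
            methods.update(ep.get("methods", []))
        methods.update(info.get("methods", []))   # route-level summary, if present
        records.append({
            "route": route,
            "namespace": ns,
            "methods": sorted(methods),
            "third_party": ns not in CORE_NAMESPACES,
            "writable": bool(methods & WRITE_METHODS),
            "looks_like_webhook": bool(INTERESTING.search(route)),
        })
    return records


def triage(index_json):
    """Keep plugin routes worth a manual look: writable or webhook-like."""
    return [r for r in enumerate_routes(index_json)
            if r["third_party"] and (r["writable"] or r["looks_like_webhook"])]


# Constructed sample: the shape WordPress returns, trimmed to the fields used here.
SAMPLE_INDEX = json.dumps({
    "namespaces": ["wp/v2", "oembed/1.0", "my-payments/v1", "some-plugin/v1"],
    "routes": {
        "/": {"namespace": "", "methods": ["GET"], "endpoints": [{"methods": ["GET"]}]},
        "/wp/v2/posts": {"namespace": "wp/v2", "endpoints": [{"methods": ["GET"]}, {"methods": ["POST"]}]},
        "/wp/v2/users": {"namespace": "wp/v2", "endpoints": [{"methods": ["GET"]}, {"methods": ["POST"]}]},
        "/my-payments/v1/webhook": {"namespace": "my-payments/v1", "endpoints": [{"methods": ["POST"]}]},
        "/my-payments/v1/status": {"namespace": "my-payments/v1", "endpoints": [{"methods": ["GET"]}]},
        "/some-plugin/v1/settings": {"namespace": "some-plugin/v1",
                                     "endpoints": [{"methods": ["GET"]}, {"methods": ["POST"]}]},
    },
})

if __name__ == "__main__":
    import sys
    body = fetch_index(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INDEX
    for rec in triage(body or SAMPLE_INDEX):
        print(rec["route"], rec["methods"])
```

Run it with a site URL as the first argument to fetch a live index, or with no arguments to see the triage over the constructed sample. The index only tells you a route exists and which methods it accepts; whether the permission callback actually requires authentication still has to be checked per route.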
In the year since Misconfiguration Manager's release, the security community has been actively researching new tradecraft & identifying new attack paths. @subat0mik & @unsigned_sh0rt dive into the research & its impact on the state of SCCM security. ⬇️ ghst.ly/460vI9d
This is my research project on creating read, write and allocate primitives that can be turned into an injection in order to evade certain telemetry, which I presented last year at RedTreat. I hope everyone likes it \m/. trickster0.github.io/posts/Primitiv…
Last two weeks I talked about BYO Identity Providers in Entra ID and backdoors to External Auth Methods to bypass MFA. Only possible because MSFT doesn't implement the mandatory OIDC security measures. Slides with optional dark mode on: dirkjanm.io/talks/
I published two blog posts today! 📝🐫 The first dives into how we're improving the way BloodHound models attack paths through AD trusts: specterops.io/blog/2025/06/2… The second covers an attack technique I came across while exploring AD trust abuse: specterops.io/blog/2025/06/2…