Antonio Cocomazzi
1,816 posts
@splinter_code
offensive security - windows internals | BlueSky: bsky.app/profile/splint… | Mastodon: infosec.exchange/@splinter_code
Italy
splintercod3.blogspot.com
Joined August 2016
324
Following
9,370
Followers
  • Pinned
    Antonio Cocomazzi
    @splinter_code
    Nov 3, 2023
    The slides of our joint research talk “10 Years of Windows Privilege Escalation with Potatoes” at #POC2023 are out! 👉 github.com/antonioCoco/in… cc @decoder_it
  • Antonio Cocomazzi
    @splinter_code
    Jan 12, 2022
    Windows Defender AV allows Everyone to read the configured exclusions on the system 🤦 reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
  • Antonio Cocomazzi
    @splinter_code
    Oct 21, 2023
    Do you want to start the RemoteRegistry service without Admin privileges? Just write into the "winreg" named pipe 👇
  • Antonio Cocomazzi
    @splinter_code
    Sep 14, 2023
    Excited to share my hardest research about UAC 🤯 "Bypassing UAC with SSPI Datagram Contexts" 🔥 Enjoy the read! 👇
    Bypassing UAC with SSPI Datagram Contexts
    From splintercod3.blogspot.com
  • Antonio Cocomazzi
    @splinter_code
    Aug 6, 2021
    #RemotePotato0 new release! Now you can also grab and steal the NTLMv2 hashes of every user logged on a machine from an unprivileged user! ✅ works fully local - no network interaction (except win 2019) ✅ ntlm related ✅ won't fix Windows in 2k21 cc @decoder_it
  • Antonio Cocomazzi
    @splinter_code
    Sep 10, 2022
    We are releasing an alternative way for elevating to SYSTEM when you have SeTcbPrivilege. How? Leveraging AcquireCredentialsHandle through an SSPI hook that allows authenticating as SYSTEM to SCM. Should be "lighter" than the classic S4U. cc @decoder_it gist.github.com/antonioCoco/19…
  • Antonio Cocomazzi
    @splinter_code
    Dec 7, 2021
    My last blog post for 2021 is out! 🔥 The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory Enjoy the read :D
    The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory
    From splintercod3.blogspot.com
  • Antonio Cocomazzi
    @splinter_code
    May 11, 2020
    No more JuicyPotato? Old story, welcome RoguePotato! Check out our blog post by @decoder_it and me.
    No more JuicyPotato? Old story, welcome RoguePotato!
    From decoder.cloud
  • Antonio Cocomazzi
    @splinter_code
    Apr 14, 2022
    Finally! I have found the right conditions to hit the vulnerable function for CVE-2022-26809! No panic, this is a custom RPC server I wrote, not a default Windows service. It seems a specific RPC configuration is required and AFAIK it shouldn't be common, need to deepen more...
  • Antonio Cocomazzi
    @splinter_code
    May 7, 2020
    We made #JuicyPotato great again! Get the NT AUTHORITY\@decoder_it privs again :D
  • Antonio Cocomazzi
    @splinter_code
    Feb 10, 2023
    🔥 Brace yourself #LocalPotato is out 🥔 Our new NTLM reflection attack in local authentication allows for arbitrary file read/write & elevation of privilege. Patched by Microsoft, but other protocols may still be vulnerable. cc @decoder_it Enjoy! 👇
    localpotato.com
    LocalPotato - When Swapping The Context Leads You To SYSTEM
    Here we are again with our new *potato flavor, the LocalPotato! This was a cool finding so we decided to create this dedicated website ;)
  • Antonio Cocomazzi
    @splinter_code
    Sep 21, 2022
    #JuicyPotato is back! 🔥 Get instant SYSTEM access if you have SeImpersonate or SeAssignPrimaryToken privs! Check out our new #JuicyPotatoNG 👇 decoder.cloud/2022/09/21/giv… cc @decoder_it
  • Antonio Cocomazzi
    @splinter_code
    May 11, 2021
    The slides of my talk “The Rise of Potatoes: Privilege Escalations in Windows Services” for Black Hat Asia 2021 are out! 👇🏽 i.blackhat.com/asia-21/Thursd…
  • Antonio Cocomazzi
    @splinter_code
    Jun 28, 2022
    My blog series "The hidden side of Seclogon" continues with part 3: Racing for LSASS dumps 🔥 Enjoy the read :D splintercod3.blogspot.com/p/the-hidden-s…
