Michael Schneider

@[email protected]
166 Followers
164 Following
181 Posts
infosec, working at scip ag, classic car rally driver for teampaddymurphy.ie
Twitterhttps://twitter.com/0x6d69636b
GitHubhttps://github.com/0x6d69636b
LocationWinterthur, Switzerland
Companyhttps://www.scip.ch/en/?team.misc
Michael Schneider16h ago
Kevin Beaumont17h ago
I’ve had a bunch of people ask my thoughts on Anthropic’s Mythos. I’ve read the research paper they released and the numbers, and basically I agree with @malwaretech’s take. It’s marketing. The cybersecurity industry is historically very good at marketing cyber pearl harbour and the need to buy magic boxes.
Michael Schneider5d ago
Show threadWill Dormann5d ago

@tiraniddo
Yeah, the gist is:

  • Proc42_ServerMpUpdateEngineSignature triggers a Defender update, using a user-specified directory.
  • Download and unpack a real Defender update
  • Force Defender to scan a file (EICAR)
  • Use an oplock to freeze Defender
  • Swap out the directory with a junction to \BaseNamedObjects\Restricted

Because of the swap, Defender (running with privileges) operates on <updatepath>\mpasbase.vdm, which actually is \BaseNamedObjects\Restricted\mpasbase.vdm, which actually is \Device\HarddiskVolumeShadowCopyX\Windows\System32\config\SAM

Because Defender opens said file with a "Read" share mode, and it (the target) is in the object manager namespace, as opposed to NTFS, the unprivileged PoC process can read the file. Which is the SAM.

So basically a TOCTOU, with a bit of directory/junction shenanigans thrown in.

At least, that's my take on it.

Michael SchneiderApr 2
Clément LabroApr 2

🆕 New blog post!

"BitLocker's Little Secrets: The Undocumented FVE API"

A small Windows RE adventure to figure out how to get the status and configuration of a BitLocker protected drive programmatically and without admin privileges.

Now also implemented in PrivescCheck! 🔥

👉 https://itm4n.github.io/bitlocker-little-secrets-the-undocumented-fve-api/

Michael SchneiderApr 1
Clément LabroApr 1

Yet another abuse of the missing "CrossDevice.Streaming.Source.dll" DLL!

After CVE-2025-24076 / CVE-2025-24076 found by Compass Security, Researcher Oscar Zanotti Campo found another vulnerability that he could exploit using the built-in misconfigured COM class referencing this DLL. This is CVE-2026-21508. 🔥

👉 https://0xc4r.github.io/posts/CVE-2026-21508/
👉 https://github.com/0xc4r/CVE-2026-21508_POC/
👉 https://blog.0patch.com/2026/03/micropatches-released-for-windows.html

#Windows #cve #cve_2026_21508 #vulnerability

CVE-2026-21508 - Windows Local Privilege Escalation via arbitrary COM object initialization

Windows Storage Elevation of Privilege Vulnerability

0xc4r
Michael SchneiderMar 27
Sandro GauciMar 27

RE: https://infosec.exchange/@enablesecurity/116300709031150946

VoIP/WebRTC security has needed a DVWA equivalent for a long time. We built DVRTC: full dockerized VoIP stack, intentionally vulnerable, 7 guided exercises.

Live instance at pbx1.dvrtc.net — try it now.

https://www.enablesecurity.com/blog/introducing-dvrtc-damn-vulnerable-real-time-communications/

#infosec #webrtc #voipsecurity #penetrationtesting #training

Michael SchneiderMar 23
ς๏гєɭคภς0๔3г Mar 23
New Post: Debugging - WinDBG & WinDBGX Fundamentals https://www.corelan.be/index.php/2026/03/23/debugging-windbg-windbgx-fundamentals/
Michael SchneiderFeb 26
Mathy VanhoefFeb 26

We found that Wi-Fi client isolation can often be bypassed. This allows an attacker who can connect to a network, either as a malicious insider or by connecting to a co-located open network, to attack others.

NDSS'26 paper: https://www.ndss-symposium.org/wp-content/uploads/2026-f1282-paper.pdf
GitHub: https://github.com/vanhoefm/airsnitch

High-level article on the work by Dan Goodin: https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/ I'd say we bypass Wi-Fi encryption though, in the sense that we can bypass client isolation. We don't break Wi-Fi authentication or encryption. Crypto is often bypassed instead of broken. And we bypass it ;) If you don't rely on client/network isolation, you are safe: we can't just break any Wi-Fi network.

Michael SchneiderFeb 26
HD MooreFeb 26

New AirSnitch attack breaks Wi-Fi encryption in homes, offices, and enterprises: https://arstechnica.com/security/2026/02/new-airsnitch-attack-breaks-wi-fi-encryption-in-homes-offices-and-enterprises/

AirSnitch resets WiFi security back to the bad-old-days of ARP spoofing and trivial MITM.

Michael SchneiderJan 30
floyd aka floyd_chJan 30
This is wild, there have been changes on the Cain&Able repository lately (yes that tool you used in your first IT security hands-on class 20 years ago) https://github.com/xchwarze/Cain #itsecurity #hacking
GitHub - xchwarze/Cain: Password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks and more!

Password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and ...

GitHub
Michael SchneiderJan 27
James Forshaw Jan 26
My first blog post on Windows Administrator Protection is out. https://projectzero.google/2026/26/windows-administrator-protection.html probably the most interesting and complex bug out of the 9 I found, but that doesn't mean the rest weren't interesting as well, stay tuned :D
Bypassing Windows Administrator Protection - Project Zero

A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Cont...