ITSEC Newsletter 2025-08-28

TL;DR When operating out of a ceded access or phishing payload with no credential material, you can use low-privilege HTTP authentication from the current user context to perform a proxied relay to LDAP, then execute tooling through the SOCKS5 proxy to complete LDAP- related objectives completely off-host.

In this blog post, I’ll share a new, simple approach I developed that successfully bypasses almost all EDRs I’ve tested. First, I’ll provide a quick overview of how Windows stores secrets and credentials. Then, I’ll discuss common techniques used today to extract these secrets. After that, I’ll explain how EDRs detect such activities through kernel callbacks routines monitoring. Finally, I’ll reveal the method I discovered to evade EDR detection and how it can enhance red team operations.

When someone misinterprets an IETF RFC, it can have devastating security implications. So, in recent years, RFC authors have demonstrated a tendency to err on the side of overcommunicating security risks. However, this is a delicate balance to strike: If you go too far, you risk confusing or scaring the reader. This is especially risky since RFCs are often read by non-engineers, making the specter of science communication difficulty continue to haunt us. With all that in mind, several people have asked me in recent weeks for my thoughts on a blog post published earlier this month titled, MLS: The Naked King of End-to-End Encryption. So let’s get into that.