ITSEC Newsletter 2025-11-27

Author

Henrik Falk
November 27, 2025

Reflecting Your Authentication: When Windows Ends Up Talking to Itself

This post walks through what authentication reflection actually is, why it remains dangerous today, and how the most recent discoveries prove that reflection keeps coming back in places where it really shouldn’t. We will explore how recent Windows behaviors introduced entirely new attack surfaces involving Kerberos, NTLM, SMB, HTTP and DCE/RPC. We’ll also look at Ghost SPNs, the CredMarshalTargetInfo (CMTI) trick, and multiple cases where a single reflected authentication was enough to compromise an entire domain. The goal is also to keep the explanations clear enough for readers who aren’t experts on these topics, without losing the important technical details.

decoder.cloud/2025/11/24/reflecting-your-authentication-when-windows-ends-up-talking-to-itself

Hide the threat - GPO lateral movement

Offensive security - TL;DR : The use of GPO to perform lateral movement has become more common during recent Red Team assessments. One key aspect of this process is the targeting. As a Red Teamer/Pentester, you don’t want to deploy your configuration on a high number of assets without control. Several methods exist : Security filtering, Item-level targeting and Script-based targeting. Several tools will be covered in this blogpost: SharpGPOAbuse, SharpGPO (Fork), GroupPolicyBackdoor.

www.intrinsec.com/hide-the-threat-gpo-lateral-movement

How NTLM is being abused in 2025 cyberattacks

Although Microsoft has announced its intention to retire NTLM, the protocol remains present, leaving an open door for attackers who keep exploiting both long-standing and newly discovered flaws. In this blog post, we take a closer look at the growing number of NTLM-related vulnerabilities uncovered over the past year, as well as the cybercriminal campaigns that have actively weaponized them across different regions of the world.

securelist.com/ntlm-abuse-in-2025/118132