@decoder_it profile picture
Andrea P @decoder_it

Security Consultant @semperistech . Independent Security Researcher. Cyclist & Scubadiver. MSRC MVR 2022. "So di non sapere"

Joined May 2009
  • Tweets 1,821
  • Following 319
  • Followers 9,315
249 Photos and videos
Andrea P retweeted
Robin Granberg@ipcdollar1
Jun 3
Regarding Active Directory permissions, most people assume that a Deny ACE always wins. It doesn't! Windows stops the access check the moment enough rights are granted — any ACE after that point is never evaluated. New post: managedpriv.com/blog/acl-can…

The Deny ACE That Never Fires: Non-Canonical ACL Order in Active Directory

What canonical ACL order is, how Windows evaluates ACEs top-to-bottom, and what happens when you write a non-canonical ACL — including a proof-of-concept where Allow overrides Deny.

managedpriv.com
1
7
18
1,551
MSRC stories? I have several. One of the funniest: I submitted a vuln and was told it didn't meet the bar. Blogged about this finding. A few months later, someone else submitted the exact same vuln and suddenly it was confirmed, awarded a bounty, and assigned a CVE. 🤦‍♂️
4
29
324
18,724
I think a lot of people publishing 0-days for childish reasons are mostly chasing visibility.
19
1,836
Turns out that the fix for the CVE-2020-17103 , the Cloud Filter HsmOsBlockPlaceholderAccess driver bug reported by @tiraniddo was never ported to Windows 11 / Server 2025 and still not fixed. LPE from user to SYSTEM 🤦‍♂️
2
37
112
12,552
Server 2019 before patch (CVE-2020-17103 , december 8th 2020) is vulnerable, after patch not. The patch was ported on 2022 too
3
830
I published a new "security research" post, and for once, it’s not about Windows 😅 This time I took a look at the myAudi connected vehicle platform and its APIs..🤓 Curiosity drives security research, no matter the target Read it here 👇 decoder.cloud/2026/05/08/oh-…

Oh MyAudi!

This is quite a different post as it is not related as usual to Windows vulnerabilities 😉. In the past period, I have been looking into the myAudi connected vehicle platform “Audi Connect and…

decoder.cloud
2
11
29
4,043
decoder.cloud/2026/05/08/oh-…

Oh MyAudi!

This is quite a different post as it is not related as usual to Windows vulnerabilities 😉. In the past period, I have been looking into the myAudi connected vehicle platform “Audi Connect and…

decoder.cloud
1
295
Andrea P retweeted
Yuval Gordon@YuG0rd
May 4
Replying to @4ndr3w6S
@4ndr3w6S pulled me into this rabbit hole, and it was a fun one.
Andrew
@4ndr3w6S
May 4
Took a break from LDAP, fell down the dMSA rabbit hole with @YuG0rd, and watched the snake eat its own tail. dMSA Ouroboros: self-sustaining credential extraction on patched Server 2025. Six commands. Survives attacker account deletion. huntress.com/blog/dmsa-ourob…
2
3
1,292
Andrea P retweeted
Synacktiv
@Synacktiv
Apr 30
This second blogpost concludes @yaumn_'s research on #Windows authentication reflection. He discloses the new Kerberos authentication coercion technique he discovered to remotely compromise Windows systems 💥 A little bonus is even included at the end 👀👇 synacktiv.com/en/publication…

Bypassing Windows authentication reflection mitigations for SYSTEM

Bypassing Windows authentication reflection mitigations for SYSTEM

synacktiv.com
2
56
125
11,753
Andrea P retweeted
okapi™
@ilciccio67
Apr 16
Questo è bellissimo. Ma, e se fosse vero?
3:04
32
164
1,242
59,038
LmCompatibilityLevel=5 on your DCs but still seeing NTLMv1 auth succeed? The PDC's level is the only one that counts for the whole domain. Yeah, NTLM is deprecated… Link to post👇 decoder.cloud/2026/04/15/lmc…
27
89
6,812
Andrea P retweeted
Lukáš Ronald Lukács
@lucxsronald
Apr 12
DREAMS DO COME TRUE ❤️
15
349
5,044
53,260
Microsoft just updated the cve msrc.microsoft.com/update-gu… after I told them that is it not related to the printspooler but a vulnerability in the endpoint mapper protocol (epmap) in rpcrt4.dll 😅
3
14
1,250
Post about Windows Admin Center remote privilege escalation (CVE-2026-26119) has been published, check it out here👇 semperis.com/blog/what-you-n…

What You Need to Know: CVE-2026-26119 | Semperis Guides

Learn how authentication reflection in Windows Admin Center led to this vulnerability and how to protect against similar threats.

semperis.com
36
57
6,642
Insomni’hack was a truly great event. First time attending, and I really appreciated the high quality of the talks and the flawless organization. Also really glad I had the chance to give my talk and be part of such a great lineup! #inso26 @1ns0mn1h4ck
1
5
1,934
Gave some extra work to MSRC 😅
3
35
4,194
Andrea P retweeted
klez
@KlezVirus
Mar 16
[RELEASE] Better late than never! Part 3 is out! Fantastic unwind information and where to find them. We went digging through .pdata, RTF Lookups, and a few ntdll internals that probably weren't meant to be touched. BYOUD dropping alongside. Enjoy 😉 klezvirus.github.io/posts/By…

Fantastic unwind information and where to find them

Foreword

klezvirus.github.io
2
54
167
13,335
I know, I know well-known stuff everyone knows. Then why do I still keep finding these misconfigs so often? Maybe it’s still worth ? semperis.com/blog/missing-pr…
2
16
1,527
With yesterday’s CVE I realized that I reached 20 CVEs. Nothing huge, but an honest number considering this isn’t even my job.🤷‍♂️
2
54
4,503
When you try to harden Windows PrintNotify callbacks, you end up exposing vulnerabilities in other protocols like EPMAP that have been sitting around (or even more) for 20 years msrc.microsoft.com/update-gu…
14
64
5,625
Load more