@splinter_code profile picture
Antonio Cocomazzi @splinter_code

offensive security - windows internals | BlueSky: bsky.app/profile/splintercod… | Mastodon: infosec.exchange/@splinter_c…

Joined August 2016
  • Tweets 1,818
  • Following 324
  • Followers 9,375
150 Photos and videos
Pinned Tweet
Antonio Cocomazzi@splinter_code
3 Nov 2023
The slides of our joint research talk “10 Years of Windows Privilege Escalation with Potatoes” at #POC2023 are out! 👉 github.com/antonioCoco/infos… cc @decoder_it
4
148
375
47,833
Antonio Cocomazzi retweeted
diversenok@diversenok_zero
Mar 6
> A new Project Zero blog post by James Forshaw projectzero.google/2026/02/g… Me: Oh hey, I recognize this function! UIAccess GetProcessHandleFromHwnd / NtUserGetWindowProcessHandle were the core of my CVE-2021-31951 EoP 😋 So some fixes leading to v3 actually date a bit earlier

A Deep Dive into the GetProcessHandleFromHwnd API

In my previous blog post I mentioned the GetProcessHandleFromHwnd API. This was an API I didn’t k...

projectzero.google
1
11
75
4,258
Antonio Cocomazzi retweeted
Insomni'hack@1ns0mn1h4ck
Feb 27
Replying to @decoder_it
@decoder_it breaks down reflection attacks and their impact on enterprise security in this new talk at #INSO26. Are you interested in how modern authentication flow works? So this talk is for you! Save your spot: ow.ly/cCr450Ykak4 #Infosec #INSO26 #CyberConference
4
7
1,208
Antonio Cocomazzi retweeted
Andrea P@decoder_it
Feb 25
Just dropped a short post on why some classic NTLM relay tricks seems to be dead on Server 2025. decoder.cloud/2026/02/25/wha…

What Windows Server 2025 Quietly Did to Your NTLM Relay

TL;DR This post is super short, nevertheless: The classic cross-DC coerce relay to LDAPS technique, abusing a misconfigured LmCompatibilityLevel (0/1/2) to generate NTLMv1 ESS and strip the MIC…

decoder.cloud
2
64
201
13,954
Antonio Cocomazzi retweeted
Andrea P@decoder_it
24 Nov 2025
Just published a summary of "modern" Windows authentication reflection attacks. Turns out reflection never really died. 😅decoder.cloud/2025/11/24/ref…

Reflecting Your Authentication: When Windows Ends Up Talking to Itself

Authentication reflection has been around for more than 20 years, but its implications in modern Windows networks are far from obsolete. Even after all the patches Microsoft has rolled out over the…

decoder.cloud
3
81
232
20,678
Antonio Cocomazzi retweeted
Andrea P@decoder_it
29 Oct 2025
Blog post about my recent CVE-2025-58726, aka “The Ghost Reflection” is out, read it here: semperis.com/blog/exploiting… 🙃

Exploiting Ghost SPNs and Kerberos Reflection for SMB Privilege Elevation

Understanding how attackers use Ghost Service Principal Names to initiate authentication reflection can help you avoid similar vulnerabilities.

semperis.com
3
90
181
16,805
Antonio Cocomazzi retweeted
Andrea P@decoder_it
24 Oct 2025
Remember the CredMarshalInfo trick? If you hadn’t applied the June 2025 patch, CVE-2025-33073 would have been critical. We know that in NTLM local auth, msg 3 is empty:You can drop sign/seal -> from Domain User to DomainAdmin escalation. 😅
5
62
222
18,695
Antonio Cocomazzi retweeted
Andrea P@decoder_it
21 Oct 2025
my simple poc: github.com/decoder-it/printe…
11
31
3,391
Antonio Cocomazzi retweeted
Andrea P@decoder_it
21 Oct 2025
Coercing machine authentication on Windows 11 /2025 using the MS-PRN/PrinterBug DCERPC edition, since named pipes are no longer used. Kerberos fails in this case due to a bad SPN from the spooler, forcing NTLM fallback.
4
81
280
19,125
Antonio Cocomazzi retweeted
diversenok@diversenok_zero
25 Mar 2025
Better socket handle visibility coming soon to @SystemInformer 🔥 When viewing a process handle table, SI will recognize files under \Device\Afd and retrieve information about their state, protocol, addresses, and more. Also works on Bluetooth and Hyper-V sockets 🤩
2
21
116
12,436
I’m hiring Staff Windows Security Researchers to join my XAT (eXploits and Anti-Tampering) team at @SentinelOne! 🔥 👉 sentinelone.com/jobs/?gh_jid… More details 👇

1
3
9
3,100
more replies
The role is opened in multiple locations in Europe (we’re hiring across Italy, Spain, Poland, Czech Republic, Slovakia and France), with optional relocation support to Czechia if you'd prefer to move (must be eligible to work in the EU already at the time of applying).
1
588
Apply here → sentinelone.com/jobs/?gh_jid… Happy to chat if you want to learn more.
559
Antonio Cocomazzi retweeted
Andrea P@decoder_it
8 Sep 2025
In my long history of submissions, I think this is the first time one has been marked as critical😅
3
1
83
6,326
Another Monday. Another week of… endless emails, annoying meetings, and oh look, a three-headed monkey behind you! Now that we have your attention, we can unveil the agenda for #RomHack2025 romhack.io/romhack-conferenc… #infosec #securityconference
Romhack2025 agenda

ALT Romhack2025 agenda

11
34
11,034
Antonio Cocomazzi retweeted
Andrea P@decoder_it
24 Apr 2025
I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️decoder.cloud/2025/04/24/fro…

From NTLM relay to Kerberos relay: Everything you need to know

While I was reading Elad Shamir recent excellent post about NTLM relay attacks, I decided to contribute a companion piece that dives into the mechanics of Kerberos relays, offering an analysis and …

decoder.cloud
2
150
352
19,640
Antonio Cocomazzi retweeted
Microsoft Threat Intelligence
@MsftSecIntel
8 Apr 2025
Microsoft has discovered post-compromise exploitation of CVE 2025-29824, a zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS), against a small number of targets. msft.it/6019qIVV9

Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog

Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have discovered post-compromise exploitation of a newly discovered zero-day vulnerability in the Windows...

microsoft.com
8
118
300
71,386
Antonio Cocomazzi retweeted
Elad Shamir@elad_shamir
9 Apr 2025
NTLM relay is still a major threat and is now even easier to abuse. We just added new NTLM relay edges to BloodHound to help defenders fix and attackers think in graphs. Read my detailed post - the most comprehensive guide on NTLM relay & the new edges: ghst.ly/4lv3E31

6
111
256
21,455
Antonio Cocomazzi retweeted
Boris Larin@oct0xor
25 Mar 2025
We (me @2igosha) have discovered a new Google Chrome 0-day that is being used in targeted attacks to deliver sophisticated spyware 🔥🔥🔥. It was just fixed as CVE-2025-2783 and we are revealing the first details about it and “Operation ForumTroll” securelist.com/operation-for…

Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain

Kaspersky GReAT experts discovered a complex APT attack on Russian organizations dubbed Operation ForumTroll, which exploits zero-day vulnerabilities in Google Chrome.

securelist.com
9
95
280
37,552
Antonio Cocomazzi retweeted
Raffaele Sabato@syrion89
25 Mar 2025
Check out our new blog post!
SentinelOne
@SentinelOne
25 Mar 2025
🍎🚨🕵️‍♂️ The notoriously elusive macOS malware, ReaderUpdate, is back — stealthier than ever. @philofishal and @syrion89 uncover how ReaderUpdate Reforged blends Go, Crystal, Nim, and Rust into a potent mix. 📄 This new research from SentinelOne exposes how these new variants are spreading and how you can protect your organization. Stay informed. Stay secure. Dive into the research: s1.ai/readup
1
5
12
1,657
Load more