polair

https://pol4ir.github.io/polairOccasional deep dives into pentesting, red team and ethical hacking, with a focus on Windows security and vulnerability chains. 2026-06-25T14:37:56+00:00 polair https://pol4ir.github.io/ Jekyll © 2026 polair /assets/img/favicons/favicon.ico /assets/img/favicons/favicon-96x96.png MovementHound - You might be missing something, move it!2026-06-14T10:00:00+00:00 2026-06-25T14:31:52+00:00 https://pol4ir.github.io/posts/MovementHound-You-might-be-missing-something,-move-it!/ polair

During my deep dive into the minimal rights required for various lateral movement techniques, I realized that many of these requirements could be streamlined. To address them properly, I initially wrote several standalone PowerShell scripts (Find‑SCMAccess, Find‑DCOMLocalAdminAccess, Invoke‑GhostTaskScan, and others). Eventually, I decided to consolidate all of them, including the ones that alr...

Windows Lateral Movement - What You Really Need Part 22026-06-14T10:00:00+00:00 2026-06-25T14:31:52+00:00 https://pol4ir.github.io/posts/LateralMovement-WhatYouReallyNeed-P2/ polair

In the previous post, we explored various techniques for lateral movement on Windows systems, including WMI, CIM, WinRM, and more. We also discussed the minimum requirements for each method and how to bypass certain restrictions. In this follow-up post, we will delve into additional techniques. We will also examine the specific requirements for each method and how to effectively utilize them in...

NTLM reflection2026-02-21T10:00:00+00:00 2026-06-25T14:08:53+00:00 https://pol4ir.github.io/posts/NTLM-reflection-recon/ polair

It has been roughly eight months since Synacktiv published their blog post on NTLM reflection, yet this technique remains a consistent finding in my assessments. Since then, additional CVEs related to NTLM reflection have surfaced, and some confusion still exists around the conditions under which they are exploitable, particularly regarding signing, CBT, and similar mitigations. This makes it a...

Windows Lateral Movement - What You Really Need2025-10-10T10:00:00+00:00 2026-06-25T14:28:22+00:00 https://pol4ir.github.io/posts/LateralMovement-WhatYouReallyNeed/ polair

Last year, I conducted a security assessment for a company and was able to perform lateral movement on a target machine without having local administrator rights, by leveraging remote service creation. Throughout my experience as a red teamer, I often heard that local admin rights are required for certain lateral movement techniques. I knew this wasn’t entirely true, but until that moment, I h...