NTLM reflection is dead, long live NTLM reflection: Story of an accidental Windows RCE

Wilfried Bécard

Hexacon 2025 · Day 2 · Main Stage

This talk, presented by Wilfried Bécard of Synacktiv, delves into the accidental discovery and intricate mechanics of a novel Windows remote code execution (RCE) vulnerability, initially misclassified by Microsoft as an elevation of privilege (EoP). The research, co-authored with his colleague Gum, uncovers a critical flaw in how Windows handles NTLM and Kerberos authentication reflection, leading to **NT AUTHORITY\SYSTEM** compromise on vulnerable machines. Bécard meticulously details how a specific crafted DNS record, leveraging a technique previously discovered by James Forshaw, bypasses long-standing mitigations against reflection attacks, enabling an attacker to coerce a machine into authenticating to itself with elevated privileges.

AI review

Bécard delivers a technically rigorous account of an accidental but high-impact Windows RCE rooted in a logical bypass of NTLM/Kerberos reflection mitigations. The research is original, well-scoped, and demonstrates genuine depth in Windows authentication internals — the kind of work that requires actually sitting in a debugger and reading LSASS memory structures, not skimming documentation. The 'accidental discovery' framing is honest rather than performative, and the mechanistic explanation of why the Marshall Credential Target Information structure triggers the local NTLM hinting path is…