moltenbit

Bypassing Wazuh's UNC Mitigation in Windows OSQuery via \\?\UNC\ (CVE-2025-30201 / GHSA-x697-jf34-gp5x)

Tue, 17 Mar 2026 12:00:00 +0100

Wazuh mitigated a NetNTLMv2 hash leakage (CVE-2025-30201 / GHSA-x697-jf34-gp5x) issue caused by allowing classic UNC paths (e.g., \\server\share) in centrally managed Windows agent configuration. The core risk is that when a attacker controlled domain-joined Windows agent accesses a remote SMB path, Windows may perform NTLM authentication to that server, allowing an attacker to capture the machine account’s NetNTLMv2 hash.

In follow-up testing on Wazuh 4.14.1, I found that the mitigation could still be bypassed in the OSQuery configuration: classic UNC paths were blocked, but extended-length UNC paths using the \\?\UNC\ prefix were accepted for OSQuery’s log_path and config_path.

The CVE has seen bince been extended to cover the bypass.

Privacy

Sat, 07 Feb 2026 00:00:00 +0000

This site does not use cookies, tracking scripts, or third-party resources. No data is shared with third parties.

The web server automatically collects access logs (IP address, timestamp, requested URL, referrer, user agent) for security and operational purposes. Logs are automatically deleted after 14 days.

Detecting the Notepad++ Supply Chain Attack: A PowerShell Triage Script

Wed, 04 Feb 2026 12:00:00 +0100

A PowerShell-based triage script to check systems for indicators of compromise related to the Notepad++ supply chain attack attributed to Lotus Blossom APT.

Contact

Wed, 10 Dec 2025 19:05:55 +0200

You can communicate with me via PGP encrypted mail.

Email: moltenbit [AT] protonmail.com
PGP fingerprint: 3FE5 6A85 DF1B C97C C570 276B B02E 49E4 AE1D EB00
Download PGP key

You can also find me on these platforms:

Combating Misinformation Through Geolocation: Colombian Trucker vs. Wind Energy

Mon, 26 May 2025 20:47:17 +0200

Recently colombian journalist Alexander Campos submitted a request on the Bellingcat Discord server to identify the location of a convoy of trucks carrying wind turbine blades shown in a Facebook video, which can be seen here:
https://web.archive.org/web/20250526164607/https://www.facebook.com/100064060326287/videos/1227863822389050/
The person recording stated the convoy is driving to “Alta Guajira”, the northest point in Colombian geography. Rightfully so there were doubts about this statement.

Custom Admin Notifications for New Intune Enrollments

Sun, 25 May 2025 10:05:55 +0200

Intune lacks native admin alerts for new enrollments. This script fixes that – using Entra, Microsoft Graph API, and a simple Linux setup.

Gralhix OSINT exercise 005 walkthrough

Wed, 21 May 2025 19:23:09 +0200

This is a walkthrough of the OSINT exercise 005 by Gralhix.

Starting off this OSINT challenge I did a reverse image search which led to nothing, unsurprisingly, since the image is taken from a livestream.

moltenbit.net

Mon, 01 Jan 0001 00:00:00 +0000

moltenbit.net