DeepSec 2025 Talk: Man-In-The-Service: Truly OpSec Safe Relay Techniques – Tobia Righi
Recently, due to EDRs, it has become harder and harder to abuse credential access by dumping LSASS after compromising a Windows server and gaining local administrator on it. So, many red-teamers, pentesters and APTs have moved towards a stealthier way of abusing credentials access by relaying such credentials in real-time to other mis-configured servers in the network. Gaining administrative access to a server can be quite helpful in this; however, all current techniques are not very effective and/or require complete or partial disruption of existing Windows services, making them not very opsec safe. Introducing RelayBox, a new technique to perform a Man-In-The-Service attack. Using RelayBox, an attacker is able to place themselves in between a legitimate Windows service, relay valid authentication attempts, without any disruption to the service’s usability. This creates a transparent proxy