LeHack is one of the oldest and most well-known security conventions in France. It took place from June 26th to June 29th, 2025. The technical presentations held throughout the convention provided an opportunity to explore some of the current cybersecurity challenges. This article reviews four notable conferences that provided practical insights into contemporary attack vectors and defensive strategies: Synacktiv’s GPO parser research, the evolution of DCOM-based threats, emerging browser cache smuggling techniques, and the focus of APTs on vital environmental industrial infrastructures.
The event also featured a CTF competition running from Saturday night to Sunday morning, where our team YoloSw4g secured 6th place among 120 participating teams.

The following technical analyses focus on the key takeaways from each presentation, emphasizing practical implications for security professionals.
GPO parser (Synacktiv)
Speaker: Wilfried Bécard
Synacktiv’s offensive security team introduced a new open-source tool designed to simplify a task that’s both important and often frustrating when dealing with Active Directory compromises: analyzing Group Policy Objects (GPOs).
GPOs are a key mechanism used by organizations to manage configurations across their Windows environments. They can enforce security policies, run scripts, install software, and more, often without users even realizing it. From an attacker’s perspective, understanding how these policies are set up can provide valuable insight into where to escalate privileges or how to move laterally. But going through GPOs manually to spot those opportunities is time-consuming and not always straightforward.
Synacktiv’s tool takes things a step further than what’s currently out there for parsing GPOs. While many tools focus on who can apply which policies (by looking at access control lists (ACLs) and linked objects) this one digs into what the policies actually do. It pulls out useful details like which users or groups are being added, what scripts are being run, or which software gets pushed to machines. That deeper look can uncover more complex paths an attacker might take to move through a network, especially ones that aren’t visible when you’re just looking at ACLs.
The tool also integrates smoothly with BloodHound. By feeding it richer GPO data, BloodHound can show privilege escalation routes that might not show up with simpler analysis. That means defenders, red teamers, and anyone working in AD environments get a clearer picture of how an attacker might chain together GPO behavior to gain access or move around.
Synacktiv plans to release the tool soon on their GitHub. Whether you’re securing a domain or testing one, it’s definitely worth keeping an eye on.
DCOM Turns 20: Revisiting a Legacy Interface in the Modern Threatscape
Speaker: Julien Bedel
DCOM Architecture
The “DCOM Turns 20” conference presented a technical analysis of the evolving threats related to Component Object Model (COM) and its distributed version (DCOM). Throughout the years, COM has established itself as a central element of the Windows ecosystem by enabling interoperability between applications through unique identifiers (GUID and ProgID). This design facilitates interactions between programs of different languages (i.e. C++, VBS, PowerShell …) but now represents a considerable attack surface with over 30,000 interfaces available on a single Windows 11 workstation.
This functional richness offers attackers multiple initial access possibilities, ranging from command execution to file downloading, making restriction of access to COM classes technically impossible without compromising system stability.
Organizations must therefore rely on compensating controls such as AppLocker policies to restrict executable paths and EDR solutions to detect suspicious COM-based activities.
Persistence Techniques and Lateral Movement
Attackers can inject specific registry keys into HKCU (taking priority over HKLM) to redirect COM calls to malicious DLLs. This method requires a sophisticated approach: proxying legitimate functions of the original DLL and targeting specific processes (office applications, browsers, VPN clients, EDR solutions) that remain active during the session and communicate regularly with external networks. For lateral movement, DCOM uses AppIDs to identify groups of COM classes accessible remotely.
The accessibility of port 135 (RPC) signals DCOM availability, enabling the use of tools like DcomExec for remote command execution, particularly through Excel and Office suite interfaces.
Defense against these lateral movement techniques requires implementing network firewalls to restrict RPC traffic, deploying IDS/IPS solutions to monitor suspicious DCOM communications, and establishing proper network segmentation to limit attackers’ ability to pivot across systems.
Privilege Escalation and Bypasses
The conference demonstrated how DCOM serves as the underlying foundation for many widely used privilege escalation techniques. A significant portion of these exploits are commonly known as “Potato” attacks. These techniques have proliferated because Microsoft does not consider them as constituting a breach of security boundaries, leading to the development of multiple variants over time, despite occasional patches being released to address specific implementations.
The presentation further illustrated how DCOM interfaces serve as a versatile exploitation platform, enabling attackers to achieve diverse objectives through various Windows-specific techniques, from NTLM relay attacks against RDP users to UAC bypass mechanisms, highlighting the breadth of attack vectors available within Microsoft’s DCOM architecture.
To counter these threats, organizations must implement a defense in depth strategy encompassing protocol signing, NTLM disabling and the use of security solutions such as EDR, IDS or IPS.
Browser Cache Smuggling: the return of the dropper
Speaker : Aurélien Chalot
The “Browser Cache Smuggling: the return of the dropper” conference presented a different approach to malware delivery and execution during a Red Team assignment. Today, the analysis of attachments in mailboxes is increasingly monitored by security tools. This is an innovative way of delivering a payload to a victim’s machine. Two interesting ideas have been highlighted:
- Browsers are caching web files to reduce the bandwidth meaning that the files have to be downloaded into victim’s machine
- Well-known software’s such as Teams can still suffer from DLL Load Order hijacking
Basically, the attack path relies on the fact that a victim will be tricked into visiting a website controlled by an attacker and where an object with a malicious payload is set up into the HTML page. As browser’s only caches certain file based on the mime-type, the attackers must force the Content-Type of the delivered file to a cacheable value such as image/jpeg. The payload will be then silently downloaded into a temporary folder into the victim’s machine and this file is readable and writable by the current user on the system.
When the payload is delivered, the attacker needs a way to execute it. The second part of the conference explained how trusted software can be used to hide code and traffic. The example of a certain version of Microsoft Teams has been used to demonstrate how DLL proxying can be used to achieve such executions discreetly. When Teams is executed, the software will try to load multiple DLLs following the Windows Search Order. As some DLL are missing, it will finally search into the current folder where Team’s is installed. As this folder is readable and writable by the current user, then the attacker can force a user to move the malicious payload (i.e the malicious DLL) from the browser cache folder into the Teams folder.
Limits of this attack:
- The cache folder will be scanned by an EDR (and not only Microsoft Defender on the article) and the temporary file could be quarantined with alerts.
- The moving of the payload from the cache folder to the vulnerable software folder relies on social engineering and doesn’t provide a 0-click compromise path.
- Firefox is not the default browser used by companies nowadays and Google Chrome or Microsoft Edge use more advanced storage mechanisms for cached files.
Countermeasures:
- Set a purge a regular purge of the cached files into the browser configuration
- Ensure that EDR/AV scans temporary files
- Restrict the modification of the temporary folder of the browser by a normal user
Links to the articles:
When climate change benefits to APTs
Speaker: Cybelle Oliveira
Cybelle Oliveira presented a conference on the evolution of several APTs observed during the last few years: the specialization of a dozen APTs groups now engaged in an “environmental warfare”. These APTs now target vital environmental industrial infrastructures (water treatment, power grids, carbon capture labs, etc.), especially those protecting populations from climate change effects. To quote numbers given during the conference, a steep rise of 340% in malicious activity targeting climate infrastructure has been noted between 2022 and 2025. In 89% percents of these attacks, populations were physically impacted.
So why change targets from private companies to climate infrastructures? One of the main answers is climate change. Attackers seem to have perfectly understood its challenges and turned them into opportunities. Indeed, weaponization of extreme temperatures and availability of infrastructures helping populations to deal with changing climate become powerful extorsion arguments as the impacts may affect the population of whole regions. How would a state react if hundreds of thousands of its citizens were to be deprived of heat during winter or ventilation during ever hotter summers?
This growing trend is reinforced by the lack of preparation of said industries to face advanced cyber threats. It is well known that industrial information systems do not have the same lifecycles as classic IT: the need for availability results in heavy delays for updates and systems are often used for more than a decade. Consequently, the obsolescence of equipment and protocols used in OT environments makes them easy targets for attackers. In particular, Modbus protocol, a historical OT communication protocol without security features (authentication, integrity checks, etc.), is still widely spread across networks, even though new secure protocols such as OPC-UA have emerged since. Worse, thousands of these Modbus ports can easily be found open over the Internet, creating entry points right within industrial networks. This denotes the lack of inventory and cartography of vital climate infrastructures, preventing Blue Teams from efficiently identifying the attack surface and securing it.
In conclusion, climate change and its effects should now be accounted for in CTI to better anticipate risk periods and new menaces as attackers already plan their actions based on these criteria. In addition, helping industry securing climate infrastructures becomes a priority to protect populations as well as secure climate action globally.