Nikos Vourdas
Senior Offensive Security Consultant
Chicago, Illinois, United States
Actions
Nikos Vourdas, also known as nickvourd or NCV, is a Senior Offensive Security Consultant based in the US. With over five years of professional experience, he has actively participated in various global Tiber-EU and iCAST Red Teaming engagements. Regardless of his young age, Nikos has conducted full Red Teaming operations to major clients across retail, banking, shipping, construction industries. He holds OSCE3, OSCP, OSWP, CRTL, CRTO and OASP certifications. Also, he has previously presented at DEF CON, DevSecCon, and various BSides events around the world. Nikos loves contributing to open-source projects and always starts his day at 05:00 AM with a refreshing jog while listening to French rap music.
Area of Expertise
Topics
COM Hijacking Voodoo: Tradecraft, Detection Blind Spots, and the COM-Hunter
Component Object Model (COM) is one of the most pervasive yet overlooked subsystems in Windows. Thousands of applications rely on COM objects for functionality, but the underlying registration mechanism creates opportunities for attackers to abuse the Windows registry to achieve stealthy persistence and code execution. Despite being used in real-world intrusions, COM hijacking remains under-documented and poorly understood by many defenders.
This talk explores the internals of COM registration and activation and demonstrates how attackers abuse registry-based class registrations, InprocServer32 entries, and per-user overrides to hijack legitimate COM objects. We will analyze common hijacking patterns, explain why many of them evade traditional detection logic, and highlight the operational advantages they offer during post-exploitation and persistence phases.
To help security professionals systematically identify these opportunities, this presentation introduces COM-Hunter, a research tool designed to enumerate and analyze hijackable COM objects across Windows systems. COM-Hunter maps CLSID registrations, identifies missing or user-overridable components, and highlights potential hijacking vectors that can be leveraged during red team engagements or security research.
Through practical demonstrations, we will show how COM-Hunter can be used to uncover previously overlooked hijack paths and how red teamers can turn these findings into reliable persistence mechanisms. The talk also discusses defensive considerations, including detection strategies, telemetry sources, and ways organizations can reduce the attack surface created by vulnerable COM registrations.
Attendees will leave with a deeper understanding of COM hijacking internals, practical offensive techniques, and a methodology for discovering new hijack opportunities in modern Windows environments.
Yet Another Walking Dead of Active Directory
Disabled Active Directory accounts are commonly treated as harmless remnants of the past. In reality, many of these “dead” objects still retain dangerous inbound permissions, historical privilege artifacts, inherited ACL relationships, and hidden attack paths that most organizations never investigate.
This talk demonstrates how disabled users, computers, and service accounts can still become active participants in privilege escalation chains through misconfigured DACLs, AdminSDHolder side effects, nested group inheritance, and delegated permissions. Through a real-world inspired case study, attendees will learn how a seemingly low-privileged user leveraged hidden rights over a disabled account to move toward Domain Admin in a mature enterprise environment.
The presentation also introduces LazarusWakeUp, a tool designed to identify and analyze disabled Active Directory principals with dangerous inbound relationships, helping operators uncover hidden privilege escalation paths involving forgotten identities that traditional enumeration techniques and BloodHound analysis may overlook.
Additionally, the talk presents a new perspective on Active Directory Recycle Bin abuse and object resurrection, showing how deleted identities may continue to create security risks even after organizations believe they have been removed entirely.
The Walking Dead of AD: Uncovering rare DACL-led escalation and a BloodHound-integrated tool
This talk explores a rare yet powerful Active Directory attack path that emerges from legacy DACL misconfigurations, recycled accounts, and residual object ownership. These overlooked conditions can silently reintroduce privileges even after apparent revocation, creating persistent escalation and access opportunities. We analyze how inherited permissions, transitive group memberships, and reanimated accounts from the AD Recycle Bin can combine to bypass conventional defenses. To address this, we developed a BloodHound integration that automatically detects, visualizes, and safely simulates these hidden paths, enabling defenders to identify and remediate dormant escalation routes before they can be abused.
I Need a C2 Infrastructure Immediately… As in, Yesterday!
When traditional redirectors like Edgio disappeared, red teamers needed a quick, reliable, and stealthy alternative for their C2 infrastructure. This talk presents a fast, cost-effective, and secure method using Cloudflare Workers to build redirectors in minutes. We'll cover how to hide your team server, stay OPSEC safe, and deploy infrastructure quickly, without spinning up VPS or relying on fragile domain fronting. Real-world examples and scripts will be shared, so you can walk away ready to deploy your own C2 redirector today.
May the Least Privilege Be With You: Exposing the Dark Side of Azure Service Principal Permissions
In every modern Azure environment, Service Principals drive automation and integration. Yet, to support enterprise solutions in identity governance, cloud security, and DevOps automation, these principals are often endowed with broad Microsoft Graph API permissions, such as RoleManagement.ReadWrite.Directory, Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and ServicePrincipalEndpoint.ReadWrite.All. Even Entra ID roles that are not typically classified as “privileged” can be exploited, enabling attackers to modify Service Principal configurations and escalate privileges in unexpected ways.
This session reveals groundbreaking research that uncovers how excessive Graph API permissions, and the abuse of non‑privileged Entra ID roles, create new exploitation pathways in Azure. We will detail common misconfigurations that, when left unmonitored, allow attackers to seize control of Service Principals and manipulate application configurations. In doing so, we introduce Azure AppHunter, a novel open‑source tool that scans Azure environments for Service Principals with dangerous permissions and maps out potential attack vectors.
Attendees will gain practical techniques for detecting and mitigating these vulnerabilities, enforce least privilege, and integrate continuous auditing into their security workflows, all essential for securing Azure deployments against emerging threats.
Local Admin in less than 60 seconds [My guilty pleasure]
Local Privilege Escalation, also known as LPE, refers to the process of elevating user privileges on a computing system or network beyond what is intended, granting unauthorized access to resources or capabilities typically restricted to higher privilege levels. Gaining local admin privileges during red teaming significantly enhances the potential for lateral movement and access to additional resources. Modern environments offer unprecedented opportunities to gain local admin privileges more easily than one might imagine. The days of relying solely on traditional techniques such as exploiting unquoted service paths, weak service permissions, misconfigured AlwaysInstallElevated policies etc. are long gone (still possible but rare). Thus, in this presentation, we will explore together some alternative and realistic methods for escalating privileges and moving laterally within an internal network, inspired by my recent engagements.
Introduction to COM Hijacking
During long term adversary simulations engagements, host persistence is an useful method of regaining access to a compromised workstation or server, without having to exploit the initial foothold all over again. COM object hijacking is an unique technique in which a default system-wide COM Object can be replaced by a malicious software and load in its place. In this presentation we will explore together ways to implement COM Hijacking via CLSID, ProgID, Task Scheduler, Missing Libraries and others.
Red Team Village at DEFCON 34 Sessionize Event Upcoming
Adversary Village at DEF CON 34 Sessionize Event Upcoming
BSides Buffalo 2026 Sessionize Event
BSides312 2026 Sessionize Event
BSidesChicago 2025 Sessionize Event
BSides Peoria 2025 Sessionize Event
Security BSides Athens 2024 Sessionize Event
BSides Tirana 2022 Sessionize Event
Nikos Vourdas
Senior Offensive Security Consultant
Chicago, Illinois, United States
Actions
Please note that Sessionize is not responsible for the accuracy or validity of the data provided by speakers. If you suspect this profile to be fake or spam, please let us know.
Jump to top