In March 2024, I presented my research to Microsoft Security Response Center on a CLIXML deserialization attack, which was acknowledged and fixed in July. Although organizations need to take precautions, the attack is still possible. This article delves into the technical details of deserialization attacks, gadget chains, and PowerShell vulnerabilities. The serialization process converts data objects into a transmittable format, while deserialization reconstructs the data object. The article discusses PowerShell CLIXML serialization, PSSerializer, and the risks of deserialization attacks. Surprisingly, an attacker can trigger arbitrary DNS requests and potentially extract Net-NTLMv2 hash through PowerShell gadgets.
https://www.truesec.com/hub/blog/attacking-powershell-clixml-deserialization