Aaron Margosis

1.2K posts

Aaron Margosis

Aaron Margosis

@AaronMargosis

Windows cybersec nerd. Make cool tools, Sysinternals books, Windows baselines, AaronLocker. Go @Nationals & @WestHamUtd. Avoid Twitter, fucking cesspool.

Katılım Eylül 2015
52 Takip Edilen2.4K Takipçiler
Aaron Margosis
Aaron Margosis@AaronMargosis·
@ChuckCulpepper1 Hopefully something better is coming to you soon. I look forward to it. And: WAHOO-WA.
English
0
0
0
76
Chuck Culpepper
Chuck Culpepper@ChuckCulpepper1·
So on the 4,167th and final day of a job so exhilarating that I'd swear at least 4,000 of the days qualified as very good or better, the coffee came with whooshing thoughts of the 11 years and the four months and the 27 days. The brain tore through the datelines from 17 countries and 43 states, the three World Cups, the four Olympics, the 10 tennis majors, the 20 golf majors, the 11 men's Finals Four, the 28 College Football Playoff games, the 10 Kentucky Derbys, the tour of Jordan-Oman-Kuwait-United Arab Emirates, the 46 days in the peerless Australia -- I mean, come on, really? -- the depth of the beauty of South Koreans, and those times when I looked in the mirror (briefly) and saw a lunatic. Maybe the looniest would be covering a game in Seattle on a Friday night, then a game in Clemson on that Saturday night (with Lamar Jackson on the field looking even more dizzying than usual). Or was it the Boise on a Friday night, the students swimming into the frigid river for a goal-post chunk after midnight, then the one hour of sleep, then the Indianapolis on a Saturday night? No, wait, wait, it had to be this: Novak Djokovic winning the French Open in Paris on Sunday early evening, then U.S. Open golf preparations starting on Tuesday . . . . . . in Los Angeles. Non-deranged people might find such a sequence unfair; for whatever metabolic reason, I just kept giggling. Well, something surpassed all of that, somehow. To be part of the Washington Post Sports department was to be a part of an exemplary human experience, a rarefied collegiality, a beacon of collaboration and a near-bewildering scarcity of envy. For just one thing, I never, ever thought, way back last century, that I'd inhabit a world and a staff where everyone would treat my husband as one of the group, where a deputy sports editor would say, in a kitchen, near the end of a holiday party, "Alfonso! Come over here and hug me!" All of it reinforced that on the medal stand of life, human collaboration deserves a spot and maybe even the gold, for its curious capacity to bolster seemingly all 35 trillion of our cells. I love these forever teammates all so much it probably annoys them, and they call to mind a relic of a show always worth unearthing. It's Episode 168 of "The Mary Tyler Moore Show," the episode she titled, "The Last Show," when the WJM newsroom staff works a final news show and has a last group hug, and Mary wishes to emote, and Lou wishes not to emote, but then Mary gives a stirring speech and then the ever-gruff Lou relents and, in a quaking voice, says something resonant all the way clear into February 2026: "I treasure you people."
Chuck Culpepper tweet media
English
180
394
3.1K
874.6K
Aaron Margosis
Aaron Margosis@AaronMargosis·
@chelsea_janes Chelsea, I'm a long-time WaPo subscriber and am gutted to hear this - DEEPLY disappointed in WaPo ownership and leadership. I hope you'll be able to continue your Nats coverage for another org; I'll happily subscribe to get to continue reading your writings.
English
0
0
0
66
Chelsea Janes
Chelsea Janes@chelsea_janes·
I, like so many people I respect and love, was laid off today. What an incredible honor it was to spend 12 years there. I am so grateful for everyone who read and encouraged and lived seasons with us. I am so sad the Post sports family won’t be there to live it with you again.
English
224
134
2K
232.1K
Aaron Margosis
Aaron Margosis@AaronMargosis·
@CandaceDBuckner Candace, I'm gutted to hear this. I'm a very long-time WaPo subscriber and I've always enjoyed your intelligent and insightful writings. I hope some fortunate organization hires you soon; I'll subscribe.
English
1
0
0
51
Candace Buckner
Candace Buckner@CandaceDBuckner·
I guess democracy has died, y’all Well at least, the greatest sports section in all the land has… Like so many of my amazingly talented friends & colleagues, my time at the washington post is over. Inconceivable that this was the decision for our section. But onward.
English
198
180
1.3K
215.8K
Aaron Margosis
Aaron Margosis@AaronMargosis·
@Sebocat @Harvesterify @miketerrill That is an admin operation, executed at installation time. It doesn’t say anything as clearly about what the app must do when it’s being executed by a user. And for what it is worth, Microsoft drops a lot of its DLLs into the programdata directory (which sucks for app control)
English
1
0
2
33
Sebocat
Sebocat@Sebocat·
@Harvesterify @AaronMargosis @miketerrill Yes, also see-> "10.1 Your app must be installed in the Program Files folder by default For native 32-bit and 64-bit apps in %ProgramFiles%, and %ProgramFiles(x86)% for 32-bit apps running on x64."
English
1
0
0
43
Aaron Margosis
Aaron Margosis@AaronMargosis·
@Sebocat @Harvesterify @miketerrill It's generally not a good idea for an app to create or use a custom directory under the system drive root directory, but AFAICT not even that document you linked says anything specifically on that topic.
English
1
0
1
39
Aaron Margosis
Aaron Margosis@AaronMargosis·
@Harvesterify @miketerrill Yes. But the default permissions on the system drive root directory have been that way since WinXP and WS2003. There are no doubt many line of business and other apps that assume that a non-admin can create a new subdirectory there. This fix is unlikely to break anything.
English
1
0
2
56
Harvester
Harvester@Harvesterify·
@AaronMargosis @miketerrill They could have killed the whole class of vulns by modifying the permissions of C:\ directly. I understand it would break some legacy apps (which one by the way ?), but they already introduced breaking changes before, it's not unprecedented.
English
1
0
1
56
Aaron Margosis
Aaron Margosis@AaronMargosis·
@SwiftOnSecurity @samilaiho Actually, this looks like a good idea. What it appears to be doing is to prevent squatting attacks. If the inetpub subdir didn't exist, any non-admin could create it, and if IIS were installed later, that user could retain control of it. It's now present, with perms locked down.
English
0
0
0
74
Sami Laiho
Sami Laiho@samilaiho·
April update adds an empty C:\Inetpub
Sami Laiho tweet media
English
43
52
932
191.6K
Aaron Margosis
Aaron Margosis@AaronMargosis·
@samilaiho Actually, this looks like a good idea. What it appears to be doing is to prevent squatting attacks. If the inetpub subdir didn't exist, any non-admin could create it, and if IIS were installed later, that user could retain control of it. It's now present, with perms locked down.
English
1
0
2
213
Aaron Margosis
Aaron Margosis@AaronMargosis·
@sixtyvividtails I see what you're saying now, and you're right. It acts like this: DWORD dwData = 0, dwDataLen = sizeof(dwData); if (0 == RegQueryValueExW(hKey, L"EnableCertPaddingCheck", NULL, NULL, &dwData, &dwDataLen) && 0 != dwData) { //Implement the improved verification behavior }
English
0
0
2
43
sixtyvividtails
sixtyvividtails@sixtyvividtails·
@AaronMargosis But w/o "&& dwData" logic is contrary to your own article 🫥 On the other hand, if you add "&& dwData" right before the last ")" in the "if" condition, it'll align with the article perfectly (and will in fact match the logic in the actual mitti checker, imagehlp!NeedCheckEndGap).
English
1
0
0
91
Aaron Margosis
Aaron Margosis@AaronMargosis·
To mitigate CVE-2013–3900, one must configure one or two EnableCertPaddingCheck registry values. Should the value type be REG_SZ or REG_DWORD? Answer: either will work, but REG_DWORD is the more manageable, intuitive, and preferable choice. aaron-margosis.medium.com/enable-certifi…
English
2
7
26
3.3K
sixtyvividtails
sixtyvividtails@sixtyvividtails·
@AaronMargosis I think you meant to add "&& dwData" in condition. Yes, in that case exactly, imagehlp!NeedCheckEndGap returns !!dwData. I've noticed wintrust.dll indeed ignores reg type here and there (like for "$DLL" reg val b4 LoadLibrary) when checked it a while ago: x.com/sixtyvividtail…
sixtyvividtails@sixtyvividtails

Windows ③ crypto has overengineered cfg (& bad code). Let's break sign checker, wintrust!WinVerifyTrust: reg add HKLM\Software\Microsoft\Cryptography\Wintrust\Config /v MaxHashBytesToMap /d 9 /t REG_DWORD /f Try it on your DC. Will your EDR wither? ❓Why sigcheck.exe works?❓

English
1
0
1
117
Aaron Margosis
Aaron Margosis@AaronMargosis·
@sixtyvividtails I think it's simply something like this: DWORD dwData = 0, dwDataLen = sizeof(dwData); if (0 == RegQueryValueExW(hKey, L"EnableCertPaddingCheck", NULL, NULL, &dwData, &dwDataLen)) { //Implement the improved verification behavior }
English
1
1
0
155
sixtyvividtails
sixtyvividtails@sixtyvividtails·
@AaronMargosis I believe ignoring reg value type is somewhat common in Windows (and can be used to bypass 3rd-party stuff which expects particular types). Another behavior when int is expected is to check type, but do wcstoui(value) if type is REG_SZ - e.g. IFEO key is generally read that way.
English
1
1
1
264
Aaron Margosis
Aaron Margosis@AaronMargosis·
Announcing: in addition to the open-source SysNocturnals Tools, the SYSNOCTURNALS EXTRAS which bring back LUA Buglight, IEZoneAnalyzer, and the App Installer Recorder scripts (described in “Troubleshooting with the Windows #Sysinternals Tools”): github.com/AaronMargosis/…
Aaron Margosis@AaronMargosis

Announcing: the SysNocturnals Tools, a new set of signed executables (with source code) for troubleshooting, management, and informational purposes on Windows. ZombieFinder, AppLockerPolicyTool, RunAsUsers, SddlHelp, and more. github.com/AaronMargosis/…

English
1
14
47
7.8K
Aaron Margosis
Aaron Margosis@AaronMargosis·
@DebugPrivilege Lots of Sysinternals tools have -c and -ct options for comma- or tab-delimited output. Several of my newly-released SysNocturnals tools either have a -csv option or natively output tab-delimited output. E.g., ZombieFinder. github.com/AaronMargosis/…
English
0
0
13
670
Aaron Margosis
Aaron Margosis@AaronMargosis·
Announcing: the SysNocturnals Tools, a new set of signed executables (with source code) for troubleshooting, management, and informational purposes on Windows. ZombieFinder, AppLockerPolicyTool, RunAsUsers, SddlHelp, and more. github.com/AaronMargosis/…
English
1
35
95
18.1K
Aaron Margosis
Aaron Margosis@AaronMargosis·
@FrankLesniak @mniehaus @Sysinternals when a user logs on; and browser extensions that load when IE is started. Over 200 locations in the file system and registry allow autostarts to be configured on x64 versions of Windows. These locations are often referred to as Autostart Extensibility Points, or ASEPs"
English
0
0
2
23
Aaron Margosis
Aaron Margosis@AaronMargosis·
@FrankLesniak @mniehaus @Sysinternals From "Troubleshooting with the Windows Sysinternals Tools" (Russinovich/Margosis, 2016): Autostarts is the term I use to refer to software that runs automatically without being intentionally started by a user. This type of software includes drivers and services that start ...
English
1
0
2
21
Frank Lesniak
Frank Lesniak@FrankLesniak·
Hey @mniehaus, I have a Tanium question for you. On Windows, I have something that needs to be run in the currently logged-in user's context and the user context for any user who logs on in the future. What's the best way to do that?
English
1
0
0
382