Pinned Tweet
Christoph Falta 🇺🇦
3.2K posts

Christoph Falta 🇺🇦
@cfalta
Random infosec guy. Rainbow-teamer. Focusing on windows security. Powershell enthusiast. tweets are my own. 🇺🇦@[email protected]
Vienna. Joined March 2011
377 Following, 773 Followers
Christoph Falta 🇺🇦 retweeted

Mandiant released CAPA Explorer, a UI to explore CAPA results! This is pretty cool, well done @williballenthin and all! 👏
👉 mandiant.github.io/capa/explorer#…
#malware #infosec #malware

Christoph Falta 🇺🇦 retweeted

Red Teaming in the age of EDR: Evasion of Endpoint Detection Through Malware Virtualisation
blog.fox-it.com/2024/09/25/red…
Christoph Falta 🇺🇦 retweeted

Why am I only finding out about RemoteSessionNamedPipeServer.CreateCustomNamedPipeServer() now? Any .NET process can suddenly become a PowerShell Host *server* that you can connect to via named pipe from a regular PowerShell terminal: learn.microsoft.com/en-us/dotnet/a…
Christoph Falta 🇺🇦 retweeted

Please share this far and wide. As far and wide as you can. NIST Password Guidelines for 2024 are in the process of being updated.
This is a HUGE pet-peeve of mine (when vendors in particular are still operating like it's 2017 and keep changing passwords every 60 days, STOP DOING THIS, it's outdated and has been shown to put you MORE at risk than less -- NIST explains why it does in this document, meticulously outlining user behavior**) so I'm sharing this in the hopes all of you will pass it along to your bosses.
The Special Publication series governing passwords is SP 800-63 "Digital Identity Guidelines".
The 2024 version is 800-63-4.
Here: pages.nist.gov/800-63-4/
The companion docs are also on that link. They are 800-63A, 800-63B and 800-63C. These are different documents for different scenarios in play at your org.
The previous update was in 2020.
The changes in the 2020 version from the 2017 version were numerous but one of them was that the password verification method should NO LONGER require passwords be changed at specific intervals (i.e. every 60 days) but in the following circumstances instead:
1. After a breach/compromise
2. User request
2024 repeats this and adds a bunch more guidelines, but here is a screenshot of page 13 of the new 800-63-4 (note the # 4 after it) which outlines how your systems should, now and moving forward, be handling passwords.
This goes for Active Directory, too. All your systems which have passwords should align with these guidelines provided there isn't another standard or framework you must adhere to which overrules this.
Most frameworks, however, have moved away from arbitrary password resets and complexity rules.
**We cybersec researchers and hackers use wordlists from breaches in a variety of different ways. Hackers use them in tooling to crack passwords whereas researchers use breach dumps to see the kinds of passwords users are creating and the psychology behind them.
Using complexity rules gets you the user psychology of:
Password1
Password2
and so on
Use phrasing instead and allow for spaces, which is important. Humans type phrases with spaces. They also mention phish-resistant methods and most vendors are on-board with MS going to be turning off all Legacy Auth next month, across all free accounts and tenancies.
I'm so excited for the new changes!
Ok I'm off my soapbox.
Share the love! Thank you!
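As an added example (not part of the post above, and not NIST's or Microsoft's code): a PowerShell script that puts the post's points into a form an admin can run. The first function audits a domain password policy for the practices the post argues against (forced periodic rotation, composition rules) and for a minimum length; it expects an object with the property names that Get-ADDefaultDomainPasswordPolicy returns (MaxPasswordAge, ComplexityEnabled, MinPasswordLength), but the sample policy here is constructed so the script runs without a domain. The second function accepts or rejects a candidate password the way the post describes: length-based, spaces kept, no composition rule, and a lookup against a breached-password list (the list is a constructed placeholder, not a real dump). The length thresholds are assumed illustrative values, not figures quoted from 800-63-4.

```powershell
# Added example: audit a password policy against the practices described in the post above.
# Assumption: $Policy has the property names of Get-ADDefaultDomainPasswordPolicy output.
function Test-PasswordPolicyAgainstGuidance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Policy,
        # Assumed illustrative minimum, not a value quoted from the NIST document.
        [int] $MinimumLength = 8
    )

    $findings = @()

    # In AD, MaxPasswordAge of 00:00:00 means "never expires", which matches the post:
    # change passwords only after a compromise or on user request, not on a timer.
    if ($null -ne $Policy.MaxPasswordAge -and $Policy.MaxPasswordAge -ne [TimeSpan]::Zero) {
        $findings += "MaxPasswordAge is $($Policy.MaxPasswordAge.TotalDays) days: periodic rotation is enforced; set it to 0 and rotate only after compromise or on user request."
    }

    # Composition rules push users toward predictable patterns (Password1, Password2, ...).
    if ($Policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is true: composition rules are enforced; rely on length and passphrases instead."
    }

    if ($Policy.MinPasswordLength -lt $MinimumLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength): below the assumed minimum of $MinimumLength."
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed stand-in for a breached-password wordlist (illustrative entries only).
$script:KnownBreachedPasswords = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]@('password1', 'password2', 'welcome123', 'summer2024!'),
    [System.StringComparer]::OrdinalIgnoreCase)

# Accept or reject a candidate the way the post describes: length, breach lookup,
# spaces preserved, and deliberately no digit/symbol/case requirements.
function Test-CandidatePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Candidate,
        [int] $MinimumLength = 8,    # assumed illustrative value
        [int] $MaximumLength = 64    # assumed illustrative value
    )

    $reasons = @()

    # Spaces count as characters; the candidate is never trimmed or normalised.
    if ($Candidate.Length -lt $MinimumLength) { $reasons += "shorter than $MinimumLength characters" }
    if ($Candidate.Length -gt $MaximumLength) { $reasons += "longer than $MaximumLength characters" }
    if ($script:KnownBreachedPasswords.Contains($Candidate)) { $reasons += "appears in the breached-password list" }

    [pscustomobject]@{
        Accepted = ($reasons.Count -eq 0)
        Reasons  = $reasons
    }
}

# Constructed sample policy shaped like Get-ADDefaultDomainPasswordPolicy output.
$samplePolicy = [pscustomobject]@{
    MaxPasswordAge    = [TimeSpan]::FromDays(60)
    ComplexityEnabled = $true
    MinPasswordLength = 7
}

Test-PasswordPolicyAgainstGuidance -Policy $samplePolicy   # three findings, Compliant = False
Test-CandidatePassword -Candidate 'Password1'              # rejected: too short and in the breach list
Test-CandidatePassword -Candidate 'coffee before active directory'   # accepted: long passphrase with spaces
```

On a domain-joined host with the ActiveDirectory module loaded, the same audit runs against the live policy with `Test-PasswordPolicyAgainstGuidance -Policy (Get-ADDefaultDomainPasswordPolicy)`. Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) expose the same property names and can be checked the same way; replace the constructed wordlist with your organisation's actual compromised-credential source before relying on the candidate check.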


I just posted a script I use for managing RDP certs yesterday but it seems I got some things wrong 😅
Recommend you read this post from Microsoft 👇
techcommunity.microsoft.com/t5/ask-the-dir…
Christoph Falta 🇺🇦 @cfalta
Starting a new repo with some basics on securing MS related stuff. First thing: RDP github.com/cfalta/msbits/…
Christoph Falta 🇺🇦 retweeted

Active Directory Hardening Series - Part 5 – Enforcing LDAP Channel Binding - Microsoft Community Hub techcommunity.microsoft.com/t5/core-infras…

Starting a new repo with some basics on securing MS related stuff. First thing: RDP
github.com/cfalta/msbits/…
Christoph Falta 🇺🇦 retweeted

Listing all processes keeping a particular file open is not a trivial task, but since Vista we have a special syscall parameter for such a purpose. Microsoft says "reserved for system use" but I was brave enough to wrap it into a PowerShell function. Enjoy! github.com/gtworek/PSBits…

Christoph Falta 🇺🇦 retweeted

Finally releasing the tool!
The Offline SAM Editor is here for IT pros, researchers, and security enthusiasts who want to access and edit SAM databases from offline OS disks.
Source code included.
Get your access: payments.gtworek.com/buy/54d82b09-4…
Grzegorz Tworek @0gtweet
Coming soon to your toolbox 😎

Can someone skilled please do a comic on this for the next sysadmins day 😂 perfect love story
Chad 🪐👽 🚀 @ChadWst
@EricaZelic Find yourself someone the way Exchange needs Active Directory :D

@ChadWst @EricaZelic Made my day 😂 the most perfect nerdy love story of all time

@EricaZelic Find yourself someone the way Exchange needs Active Directory :D

@DebugPrivilege Nothing can compete with a great cup of coffee in the morning :) enjoy!