Johnathan Norman
4.4K posts

Johnathan Norman
@spoofyroot
Security research and engineering lead at @microsoft. on mastodon: https://t.co/YfJkktByFv and @spoofy.bsky.social not posting here anymore.
Redmond, WA · Joined December 2009
334 Following · 4.5K Followers

@decoder_it @splinter_code you're right the fix didn't land. I will correct the post.

@decoder_it @splinter_code hrm... I reviewed a fix but perhaps they didn't roll it out yet or even pulled it back because it broke something... give me a bit to dig.

Very interesting post by Microsoft about the internals of the new Admin Protection feature
It seems they have patched my SSPI UAC bypass based on NTLM as well as the Kerberos UAC bypass in which both were able to bypass AP as well
More details here 👇
techcommunity.microsoft.com/blog/microsoft…

We get lots of questions about admin protection in Windows. So we decided to provide some context and details. Part 2 will be out shortly... techcommunity.microsoft.com/blog/microsoft…

Johnathan Norman retweeted

WILD: actual photo of Musk-hired door knockers being driven around #Michigan.
This group of mostly-black workers were driven in the back of a truck with no seats.
They say they were flown in, given unrealistic goals, and threatened with their lodging being cut off & being forced to pay their own way home if they couldn't meet them.
Some didn't even know which candidate they were working for.
Article by @JakeLahut
wired.com/story/elon-mus…

Johnathan Norman retweeted

Put up the slides for my @MSFTBlueHat 2024 presentation on improvements to OleView.NET github.com/tyranid/infose… You can also grab v1.15 of OleView.NET from the PS Gallery which has the new features to generate proxy clients on the fly.
Johnathan Norman retweeted

NEW: @X is pushing partisan content, most of it supporting Trump & sowing election doubt.
@WSJ reporters created new accounts with interests in things like crafts, then observed what content the accounts got recommended.
Their "for you" feeds showed pro-Trump content at double the rate of pro-Harris content.
By @jackgillum @AlexaCorse & Adrienne Tong
wsj.com/politics/elect…

@kryc_uk Yeah but I get a 3x performance increase by removing the check 🥴
Johnathan Norman retweeted

It’s wonderful to see what @XenoKovah and his collaborators have built for the community. I always recommend OST2 for my new hires and other juniors, or just anyone trying to get started on a new topic. The courses are excellent. It’s an honor to sponsor the Windows Security Path

OpenSecurityTraining2@OpenSecTraining
Thanks to Winsider Seminars & Solutions (@yarden_shafir & @aionescu) for Sponsoring #OST2 at the Gold🥇 level! Learn more about them here: windows-internals.com
Johnathan Norman retweeted

@spoofyroot Is it expected to be extended to other services in the future, or to be available to non-MSFT services ?

This update will land in non-WIP builds (GA) likely in January. Big thanks to @tiraniddo who gave us early feedback on the design... and shoutout to @Grimdoomer who did the prototype. It was really fun working with the Print team.

@tiraniddo @decoder_it @bopin2020 @splinter_code I won't publicly share my view on sudo. Other than to say I'm glad there's a warning about security risk when enabling it. When Admin protection is enabled, certain sudo configurations simply don't work and return an error. But I hope people just don't enable it.

@spoofyroot @decoder_it @bopin2020 @splinter_code Ironically there was a perfect opportunity to remodel the concept of elevation in Windows, by introducing something like sudo. Unfortunately, something "like" sudo was introduced which was just a fancy wrapper around UAC :(
@decoder_it @tiraniddo @bopin2020 @splinter_code This is where things get difficult. We fully expect usability challenges and it will take time to really refine the user experience. We're trying to fix decades of decision making around UAC, it will take some time to get right. But this direction is better than the alternative.

@spoofyroot @tiraniddo @bopin2020 @splinter_code Agree, a prompt, especially generated from a GUI, is not a realistic bypass. But what if you need to pass credentials without interacting with an access check?

It's unfortunate people in Texas have to do this; in Washington we just mail our ballot. Took like 10 minutes, no lines and no problems.
Joshua Martin@JoshuaRMartin
It’s the first day of early voting in Texas and it’s PACKED in deep blue HARRIS county! Houstonians are excited to vote for Kamala Harris & Colin Allred!!!

@decoder_it @tiraniddo @bopin2020 @splinter_code We wouldn't consider it a bypass if a user must click through a security prompt. We reviewed a large (~100?) number of auto elevated com interfaces, pretty sure ICMLua was one. You should get a prompt, if not we missed something.

@tiraniddo @bopin2020 Agree 100%... "real" bypasses are up to now sspiuac @splinter_code and kerbuac @tiraniddo
Johnathan Norman retweeted

Microsoft has open sourced its new cross-platform virtual machine layer written in Rust: github.com/microsoft/open… From many of the same team who created WSL, including @benhillis.