Rohan

@Decode141 and I will be sharing ideas for engaging in cyber deception in Active Directory at BlackHat USA next Thursday between 11:25 and 12:35 PST in the Business Hall - Arsenal Station 5. If you are around, please visit us in-person or virtually using a free on-demand business pass. For more information, please visit #active-directory-cyber-deception-using-huginn-39602" target="_blank" rel="nofollow noopener">blackhat.com/us-24/arsenal/…

mandiant.com/resources/blog… by @APTeeb0w

1) We are finally propagating MotW to Virtual Disk containers! For example, when you download and mount an ISO from the Internet, applications that query the zone of files inside of that ISO will receive the zone of the ISO itself. 3/7

Microsoft fixed my Kerberos PAC verification bypass issue this month in HTTP.sys which me and Nick presented at Blackhat. Sadly no more details for 30 days, but it might be easy to work out how to do it :) msrc.microsoft.com/update-guide/v…

@swat_cyber Enjoy your time in London!

In a fascinating turn of events, I'm in Heathrow during the Queen's funeral.....

Google completed its acquisition of Mandiant today. We’re excited to get started on our shared mission to create a comprehensive and best-in-class cyber security solution for customers and partners. Read more here: mandiant.com/company/press-…

my biggest financial mistake was being in 8th grade in 2009 when I should’ve been buying foreclosed real estate

44CON 2022 Talk announce : @sadreck "Codecepticon – Building an obfuscator to bypass Modern EDR and AV" here's a hint "no, this one isn’t a python script that runs “replace” a bunch of times." 44con.com/get-ticket #44CON

Excited to announce that I will be leading an on-demand session at #BlackhatUSA that’ll cover core #GraphQL concepts and how to exploit the most common #security issues. Join the session virtually from Aug 10. blackhat.com/us-22/ #BHUSA

@Pl0xP 😂

this is a mere bugbounty effort. no harm done. report will be released.

@brainthee @sadreck It’s just attack surface reduction. Remove those side channels.

@sadreck Ouch!

@brainthee dis u?

Starting our list of Saturday AM workshops, we have @Decode141 and @am0nsec teaching "Windows Defence Evasion and Fortification Primitives" DC Forum link: forum.defcon.org/node/241784 EventBrite link: eventbrite.com/e/rohan-durve-…

Excited to announce "Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling" is coming to @defcon! Can't wait to share it! Check out the abstract here #DEFCON30 portswigger.net/research/talks…

Finally finished my code for parsing Virtual Address Descriptors (VADs) tree in order to extract all the different information and PTEs

@SteveSyfuhs @tiraniddo Ah. That’s right. Thank you.

@Decode141 @tiraniddo Code injection is the holy grail of attacks. By that point you are the user and the app, so there is nothing to defend. We've considered preventing export of service tickets, but it doesn't change a whole lot because you can always legitimately ask for an AP.

Consider the limitations of Windows Credential Guard (such as writing your own SSP) is it actually a defended security boundary by Microsoft? Would be good to know before I start actually looking for bugs 😁

@SteveSyfuhs @tiraniddo Any thoughts on if TGSs will be non-exportable in the future? Atm, the limit is at TGTs, but privileged attackers that steal an access token or use code injection into a victim user process can request arbitrary TGSs and export them?

@tiraniddo Yes. To be clear though the guarantee we provide is that we prevent leaking of the primary or derived credential post logon. CG does not provide any guarantees about the credential pipeline leading up to logon because it's out of scope (e.g. it can't control winlogon).

@djcater @ajxchapman The contract should define IP ownership associated with vulnerabilities, their confidentiality and any credit for vendor products. In case of bug bounties, clients that enforce this may suffer from unreported vulnerabilities entirely if the crowdsourced reward is more.

@ajxchapman That's an even more complex problem in my experience, because of the debate over who owns the intellectual property of a 0-day found on the client's time / dime.

If you find an 0day in a 3rd party service on a pentest are you going to report it to your customer? What if you find the same 0day on your very next job, will you report it to that customer too?

@djcater Not again!

sudo chown -R user1:user1 . /*

@tiraniddo Nice one. For pen testers, Kekeo exported “service/target.FQDN” TGSs can be reliable used for lateral movement. CIFS particularly has worked for me with even native sc.

Written a quick blog post about abusing Kerberos to locally bypass UAC. Unclear if this technique has been documented before, but at the very least I describe why it works :) tiraniddo.dev/2022/03/bypass…