David Weston (DWIZZZLE)

@dwizzzleMSFT

Followers
24,749
Following
1,461
Media
1,165
Statuses
11,202

Vice President, OS Security and Enterprise @Microsoft || @CISAgov Technical Advisory Committee

/AppData/Roaming/SEA/LA
Joined April 2008
Pinned Tweet
@dwizzzleMSFT
David Weston (DWIZZZLE)
1 year
I have an IG for infosec stuff. Follow me at
9
1
13
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
Tweet media one
39
7K
16K
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
Dope.
29
363
2K
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Just a reminder: with Windows (Pro and up) there is a straightforward way to visit sites in a VM with WDAG. This means attackers need a Chrome RCE, Chrome LPE, bypass of CI, and HV EOP.
41
399
1K
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
We just made updates to the Windows 11 PC Health Check App. It now provides more detailed info on requirements not met. This should help in cases where folks assumed CPU compat issues were TPM related
254
305
1K
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
This is amazing, bought on sight
32
234
972
@dwizzzleMSFT
David Weston (DWIZZZLE)
8 months
If you are worried about LAZARUS targeting you on twitter here is a power tip. You can launch twitter in a Windows MDAG hypervisor container with a simple shortcut using this argument to MS Edge. This provides an additional layer of isolation even for a full chrome 0day chain.
21
163
858
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
Windows 11 Security Book Update!!! Along with yesterday's release we updated our 74-page white paper on Windows security with new features like Smart App Control, Pluton, and tons more. 👀 it out!!!!
42
256
753
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
dwrite font parsing ported to Rust? 😲😲😲
15
102
648
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 months
New blog from my team: Killing NTLM in Windows 11 - This is BIG 🔥🔥🔥
9
184
567
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 months
Had a great time doing a keynote at @ProssimoISRG on Microsoft's approach to memory safety. Made a huge announcement - @microsoft is going big on Rust and spending $10 million to make it a first-class language in our engineering systems + $1 million to the @rustlang foundation.
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 months
HUGE move for security at Microsoft. Let's go!!!!
4
13
80
24
176
541
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
My new blog: Windows 11 2022 and new security features - this is the most secure version of Windows we have ever produced. Proud of the work the entire team has done, Let's gooooo
26
164
529
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Windows security book has been converted to web doc form, check it out!
4
174
506
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
Posted my slides from my blackhat 2018 presentation evaluating the state of zero trust security. I was waaay behind on time so there is a ton of content attendees didn't see. Check it out:
8
202
504
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
New Windows security option: Enable more aggressive blocklist which includes vulnerable drivers
22
138
500
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
App Guard for Office has been released!!!!!!
11
186
487
@dwizzzleMSFT
David Weston (DWIZZZLE)
1 year
Windows is putting Rust in the kernel 🤯 learn more at my @BlueHatIL talk.
17
97
479
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
3 simple things that impact most mainstream attacks on Windows: 1) Enable app control with AI and VBS (malware) 2) Enable app guard for Office/Browser (exploits) 3) Enable passwordless/Hello/FIDO keys (phishing)
8
128
459
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Windows 11 security book is available now!!
8
190
455
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 years
New blog with technical details of Chrome exploitation research from Windows OSR team
8
327
425
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
Summarizing Windows 11 Security Announcements: ✅Pluton SHIPPING ✅HVCI/VBS on default ALL CPUs ✅Credguard default ON ✅LSASS Protection default ON ✅EXE signed or rep REQUIRED ✅Script Blocking from Internet ON ✅Enhanced Phishing ON ✅File Layer Encryption with Hello ON
25
116
431
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
This is HUGE. Kernel Control Flow Guard, HVCI, Hyper Guard and a bunch of other goodness are now available on non-Enterprise Windows SKUs. Turn it on, now.
@j3ffr3y1974
Jeffrey Sutherland
6 years
Any Windows 10 device that includes Hyper-V hypervisor can now turn on HVCI, a powerful mitigation against kernel exploits. This method uses a WDAC/config CI audit policy to enable HVCI.
10
183
374
6
240
405
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Everything you ever wanted to know about TPM. What's the diff between 1.2/2.0? Also lists the MASSIVE number of features that either require TPMs or are more secure with a TPM. *Hint* it's WAY more than just BitLocker or Secure Boot:
29
145
409
@dwizzzleMSFT
David Weston (DWIZZZLE)
4 years
Just posted my talk "Keeping Windows Secure" touching on security assurance process and vuln research in Windows from @BlueHatIL 2019:
11
158
403
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
Twitter: “exploit mitigations are so easy to bypass” Walking by office of someone who actually writes exploits: “damn, I’m still stuck trying to work around all this annoying shit”
11
62
373
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
@windowsinsider Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors. This technique is very commonly used in Human Operated Ransomware and other attacks - this control will make brute forcing much harder which is awesome!
20
141
367
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
Security is just basic fundamentals. You don't need to spend a bunch on magic products. You need an organized process for ensuring the basics are put in place and stay in place. Patch, good auth, restricted priv, app control. There are no shortcuts, it's not as hard as you think
@Alex_T_Weinert
Alex Weinert
5 years
This is a huge deal. Legacy hacking tools on legacy auth are responsible for the vast majority of attacks. Data point: account compromise rates in tenants who have disabled legacy auth are 67% lower than overall rates!
3
66
178
9
80
357
@dwizzzleMSFT
David Weston (DWIZZZLE)
1 year
Token binding is a "game changer" for zero trust. Bearer token exportation is something I identified as a major impediment to ZT in my Blackhat talk in 2018. In 2023 we finally have tokens bound to the hardware in Windows (using a TPM and VBS of course)
6
79
358
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
I posted the slides from my talk: "advancing windows security" at #bluehatshanghai
6
126
342
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 years
New blog from MSFT offensive security research. Windows 10 Kernel mitigations vs recent kernel exploits
2
252
325
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 years
If you are buying PCs take a look at this security hardware standard my team put together. Silicon matters
13
157
328
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
Macro you can pop all the UI you want but you can’t touch my filez. You are in a VM yo
13
95
312
@dwizzzleMSFT
David Weston (DWIZZZLE)
1 year
My presentation slides for "Windows 11: security by-default" from @BlueHatIL covering: Rust in win32k, Adminless Windows, Token Binding, Sandboxing win32, and more! posted here:
10
92
308
@dwizzzleMSFT
David Weston (DWIZZZLE)
10 months
My team just released the public preview of Azure firmware scanning!! Scan all your IOT devices, routers, SSD firmware and anything else running embedded Linux. I suggest trying your home router for fun :)
7
91
299
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
Defenders, if you enable HVCI you can simply block mimikatz drivers certs. In conjunction with lsa ppl this will prevent dumping secrets from lsass without a pol bypass. Blog coming soon
@gentilkiwi
🥝🏳️‍🌈 Benjamin Delpy
5 years
Because I had question about "Protected Process" and LSA (RunAsPPL), don't forget that #mimikatz driver (mimidriver) can remove the Flags without any reboot or UEFI program😘 And yes, this is also for Windows 10 1903 x64 & x86 😉 >
4
206
503
3
94
300
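The tweet above says that with HVCI on, a defender can "simply block" the certificate the mimikatz driver is signed with, so a kernel driver can no longer strip the LSA PPL flag. Below is an added example of what that looks like as a WDAC (code integrity) deny rule; it is not the author's code or the blog the tweet promises. It assumes the ConfigCI PowerShell module (Windows 10/11 Pro and up), an existing base WDAC policy XML, and a local copy of the driver to derive the publisher from. All paths and the driver file name are placeholders.

```powershell
# Added example, not from the tweet: block a driver by its signing certificate with a
# WDAC deny rule, so HVCI/KMCI refuses to load it even though it is validly signed.
# Assumptions: ConfigCI module present, an existing base policy XML, and a local copy
# of the driver. Every path below is a placeholder.
Import-Module ConfigCI

$BasePolicy = 'C:\Policies\BasePolicy.xml'      # your existing WDAC policy (placeholder)
$DriverFile = 'C:\Samples\suspect-driver.sys'    # driver whose signer you want blocked (placeholder)
$MergedXml  = 'C:\Policies\Merged.xml'
$BinPolicy  = 'C:\Policies\SIPolicy.p7b'

# Publisher-level deny matches anything signed by the same leaf certificate, so a renamed
# or recompiled build of the driver is still blocked. Hash is the fallback when the file
# has no usable signature to derive a publisher rule from.
$denyRule = New-CIPolicyRule -DriverFilePath $DriverFile -Level Publisher -Fallback Hash -Deny

# Merge the deny rule into the base policy. In WDAC a deny rule wins over any allow rule,
# so it is safe to add this to a policy that otherwise trusts the driver's signer.
Merge-CIPolicy -PolicyPaths $BasePolicy -Rules $denyRule -OutputFilePath $MergedXml

# Make sure the merged policy is enforced rather than audited
# (rule option 3 = "Enabled:Audit Mode"; deleting it turns enforcement on).
Set-RuleOption -FilePath $MergedXml -Option 3 -Delete

# Compile to the binary form Windows loads at boot.
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $BinPolicy
```

Deploy the resulting .p7b the way your environment distributes WDAC policies (for a single legacy-format policy that is a copy to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b followed by a reboot) and confirm enforcement afterwards from Win32_DeviceGuard's CodeIntegrityPolicyEnforcementStatus. The combination the tweet describes only holds together if HVCI is actually running: without it, the deny rule is just a policy file that a kernel-mode attacker can work around.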
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
Microsoft open source UEFI project with lots of cool security features and a reduced attack surface. Hope to see OEMs pick this up and more community PRs
5
149
294
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
The video from my #Bluehat talk "Advancing Windows Security" was posted. Details on XFG, Firmware Protection, and other new stuff:
1
119
295
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
UPDATE: If you clean install RS4+ and have compatible hardware VBS/HVCI is now automatically enabled!! This means the Windows kernel now enforces by default: kernel code integrity, runtime ACG, and control flow integrity via VBS. Huge for Windows security. Check out WIP builds!
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
This is HUGE. Kernel Control Flow Guard, HVCI, Hyper Guard and a bunch of other goodness are now available on non-Enterprise Windows SKUs. Turn it on, now.
6
240
405
5
174
287
@dwizzzleMSFT
David Weston (DWIZZZLE)
1 year
If you like 7zip, care about security, and are not using NanaZip you're messing up
15
35
296
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
It works! Windows 11 running OPEN SOURCE firmware with @coreboot_org and @9eSec EDK2 UEFI. Supports Secureboot (my own PK) and discrete TPM2, VBS, Etc. System meets all hardware requirements. Thanks to @nablahero for the port and @_miczyg_ for all the newb questions!!
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
Holiday project — first Windows 11 @coreboot_org device? Courtesy of @9eSec @Supermicro_SMCI x11sch-f coffeelake port. Plan is to get it booting W11 with all the trimmings (edk2 secureboot, etc)
3
6
70
12
79
275
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Did you know you can report a vulnerable or malicious driver to the Windows and Defender teams? We use these submissions as part of HVCI, KMCI, and Defender block lists.
12
112
278
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 months
If you are a high value target and running Lockdown mode for your iPhone but running a router from your ISP or Best Buy you're doing it all the way wrong.
35
29
279
@dwizzzleMSFT
David Weston (DWIZZZLE)
1 year
Rust can’t and won’t be the only solution to increasing memory safety in Windows. This is an excellent paper evaluating a variety of CPU based memory tagging approaches and their ROI against vulnerabilities.
7
67
269
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
I posted my slides from @BlueHatIL 2018 here: 2017 slides I never posted to follow!
7
127
270
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
I have not seen any other OS vendors share data with this level of transparency. One of the things that gives me hope (and pride) is that most of the mitigations are coming from tight integration between our internal exploit writers and engineering teams. This is my def of maturity
4
65
260
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
I built a WinUI3 Desktop app for system wide security configuration - including some obscure settings. It also supports JSON import/export so you can share your hardening configs with your friends.
15
43
256
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 years
Windows 1709 is finally here. Go forth and browse in a tiny hypervisor!! #WDAG
14
124
244
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 months
The biggest anxiety driver in the modern workplace is the expectation of immediate response. Teams, email, text... Neuroscience has proven our brains are single-threaded no matter how badly we want to expand "productivity" and our work culture really needs to evolve.
14
35
245
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
If you are panicking about CPU bugs but allowed unsigned exes on your machines you are hustling backwards
5
55
240
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
Windows Defender Application Guard will support opening downloaded PDFs in a Hypervisor container in upcoming Insider Preview builds.
@MsftSecIntel
Microsoft Threat Intelligence
6 years
CVE-2018-4990 is one of two zero-day vulnerabilities exploited by a malformed PDF found by ESET, the other being CVE-2018-8120. Update your Adobe software and your Windows 7 and Server 2008 systems.
3
46
64
5
102
234
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
The energy to improve security @Microsoft rn is the best I have seen in my 10+ years deep down in the trenches. No Cap. If you *really* want to change things for the better you can do it here.
7
21
238
@dwizzzleMSFT
David Weston (DWIZZZLE)
4 years
Vulnerable driver blocking is active in the latest builds
10
60
232
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
@tomwarren Almost every CPU in the last 5-7 years has a TPM. For Intel it's called "Intel PTT" which you set to enabled. For AMD it would be "AMD PSP fTPM". TPMs have been required for OEM certification since at least 2015 and this was announced in 2013:
60
59
229
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
People talk about kernel developers with reverence for their ability to manage complexity - have you ever written modern UI code? - 17 file changes later my button and progress bar are event linked
12
15
230
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
I wrote a tool to take memory dumps of my machines and analyze them in azure using debug scripts I wrote. Memory dumps are the only detection method where source data is never the gap. You never have to “turn on more logs” and hope it happens again, it’s all there. Underrated.
17
24
226
@dwizzzleMSFT
David Weston (DWIZZZLE)
4 years
Tweet media one
3
48
223
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
New Windows 11 Privacy Auditing features allow you to see history of sensitive device access like the Microphone
7
58
219
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
My 20 min @Windows 11 security breakout session is LIVE. If you do ANYTHING with Windows security I highly recommend watching. I demo and break down a laundry list of Windows 11 security improvements. Let's Gooooooooo
10
54
221
@dwizzzleMSFT
David Weston (DWIZZZLE)
4 years
The video from my talk “Keeping Windows Secure” is up on the youtubeZ:
2
48
211
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
I have this idea for a YouTube channel where @SwiftOnSecurity and I do tech makeovers of infosec ppl's horrible workspaces, security baselines, and monitoring. "Well team, we started by ripping out the old AV and installing sysmon..."
19
10
212
@dwizzzleMSFT
David Weston (DWIZZZLE)
4 years
Truth is all fancy EDRs and endpoint security can be disabled by an attack like this. With Driver control using HVCI on Windows 10 this attack is prevented. You don’t need to buy this, it’s included in Windows 10 pro and up. All Secured core PCs have it on by default.
@SwiftOnSecurity
SwiftOnSecurity
4 years
Absolutely fantastic post by @Sophos . As a defender, highly detailed breakdowns of the precise operation of malware with annotated decompilations is greatly appreciated.
5
48
229
4
61
213
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 years
You should check out the MSFT Privileged Access Workstation architecture. Effective approach to endpoint hardening
1
109
209
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 months
New Google Chrome Blog: Windows 11 VBS and TPM defaults are used by Chrome to prevent cookie theft. "Chrome will use facilities such as Trusted Platform Modules (TPMs) for key protection, which are becoming more commonplace and are required for
7
62
211
@dwizzzleMSFT
David Weston (DWIZZZLE)
6 years
Really cool paper on protecting kernel memory with a Hypervisor:
4
104
204
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
In case you missed it @dispensa announced PAM support from Intune for Windows 11 which is really cool. Standard user everything.
9
64
195
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
Windows 11 now has BY DEFAULT: ✅ TPM ✅ LSA PPL ✅ HVCI with block list updates ✅ credential guard ✅ enhanced sign in (Hello in VBS) And there’s more…
@_dirkjan
Dirk-jan
4 years
Another blog on the Primary Refresh Token! Thx @gentilkiwi for figuring this out with me! Tl;Dr: PRT can be extracted from lsass with #mimikatz 🥝. If with TPM, session key is protected. Still possible to extract derived keys and sign your own PRT cookies.
7
158
315
14
54
195
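Several tweets in this timeline list Windows 11 protections that are now on by default (TPM, LSA PPL, HVCI with blocklist updates, Credential Guard, the default account lockout policy) or that are a one-time opt-in on Pro and up (Application Guard for the browser). "Default on" still depends on hardware and clean-install state, so the practical question is whether they are actually running on a given box. The script below is an added example of how to audit that from an elevated PowerShell prompt; it is not the author's code or any of the tools he mentions. It relies on the documented Win32_DeviceGuard and Win32_Tpm CIM classes, the RunAsPPL registry value, `net accounts`, and the DISM optional-feature cmdlets; the VulnerableDriverBlocklistEnable registry value is the one I have seen back the "more aggressive blocklist" toggle, and is treated here as an assumption you should confirm against the Windows Security app on your build.

```powershell
# Added example, not from the tweets: audit whether the Windows 11 "default on" protections
# are actually running. Run elevated. Registry value names are assumptions to verify against
# the Windows Security UI on your build; the CIM classes and status codes are documented.
function Test-Win11SecurityDefaults {
    $r = [ordered]@{}

    # VBS / HVCI / Credential Guard. Win32_DeviceGuard distinguishes "configured" from
    # "running"; only "running" means the hypervisor is really enforcing it.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $r['VBS running']              = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $r['HVCI running']             = ($dg.SecurityServicesRunning -contains 2)
    $r['Credential Guard running'] = ($dg.SecurityServicesRunning -contains 1)

    # LSA protection (LSASS as a PPL). RunAsPPL: 1 = on, 2 = on with UEFI lock.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $r['LSA PPL enabled'] = ($null -ne $lsa.RunAsPPL -and $lsa.RunAsPPL -ge 1)

    # Vulnerable driver blocklist toggle (assumed value name; verify on your build).
    $ci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $r['Vulnerable driver blocklist'] = ($ci.VulnerableDriverBlocklistEnable -eq 1)

    # TPM present and 2.0. SpecVersion looks like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $r['TPM 2.0 present'] = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')

    # Local account lockout policy (the brute-force mitigation for RDP and similar).
    $acct = (net accounts) 2>$null
    $m = $acct | Select-String -Pattern 'Lockout threshold:\s+(\S+)'
    $r['Account lockout threshold'] = if ($m) { $m.Matches[0].Groups[1].Value } else { 'unknown' }

    # Application Guard (WDAG/MDAG) is opt-in on Pro and up; check the optional feature.
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    $r['Application Guard feature'] = ($null -ne $wdag -and $wdag.State -eq 'Enabled')

    [pscustomobject]$r
}

Test-Win11SecurityDefaults | Format-List
```

A lockout threshold of "Never" means the policy the tweet describes is not in effect on that machine (for example on an upgraded install where a pre-existing policy was kept), and a VBS status of 1 rather than 2 is the common sign that the setting is configured but the hardware or a conflicting driver prevents the hypervisor from starting, which is exactly the case where the "default on" claim does not protect you.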
@dwizzzleMSFT
David Weston (DWIZZZLE)
4 years
Xbox is x86 based and threat model assumes full physical access
6
27
198
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Nope, nope, and nope. All CPUs on the compatible list already have an embedded TPM. TPMs have been required for Windows certified devices since 2015! A very small number (mostly DIY) will have to enable it. We have some instructions and an update to the tool to make it easier.
35
44
191
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Creating a security feature is 1000x easier than turning on a security feature. Ask me how I know. Optional security nearly always means low volume. Evangelism doesn’t usually escape the tech people “bubble”
@RachelTobac
Rachel Tobac
3 years
In our Infosec circle we hear people talk about multi-factor authentication as if it's obvious but the reality is very different. Twitter released their numbers -- only *2.3%* of Twitter users had any MFA method enabled during this reporting period.
51
303
859
11
38
192
@dwizzzleMSFT
David Weston (DWIZZZLE)
8 months
Is this the moment we acknowledge that building the browser into a remotely programmable OS had some downsides?
9
36
191
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Security person X says: "This product came from country Y, must have a backdoor" Same person has never reversed the code or even looked at the network traffic. If you don't know, say you don't know. Security research has always been about getting to the truth.
6
26
189
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
I wish Apple would list security advancements as part of product launch. The primary reason I buy new iPhones is for improved hardware security. I’m sure I’m not the only one.
13
21
187
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 months
Windows 11 in 2024 is major progress - just took a @Lenovo ThinkPad Z16 Gen 2 out of the box and installed latest build: ✅Standard USER DEFAULT!!! (Adminless) ✅Signed-only apps (Smart App Control SAC) ✅Win32 App Isolation (AppSilo) ✅Pluton default, DRTM firmware
16
34
185
@dwizzzleMSFT
David Weston (DWIZZZLE)
1 year
New shorts acquired
11
9
180
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
Found a classic in the coffee room
13
5
179
@dwizzzleMSFT
David Weston (DWIZZZLE)
7 years
Technical details on two different kernel 0days, includes how windows 10 mitigates them. #strontium #hankray #wdatp
1
153
175
@dwizzzleMSFT
David Weston (DWIZZZLE)
5 years
I used to find security vulnerabilities. I just spent the last hour approving expense reports.
15
11
174
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
Security definitely follows the: "10% inspiration, 90% perspiration" rule. Security people always want to build the cool 10% thing, then move on to the next research. Getting it deployed, turned on, or into the scale process is the hardest and most important part. Do that.
11
23
175
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
Oh look I made an SBOM for my Wireless AP just by uploading the current firmware to @Azure
11
25
170
@dwizzzleMSFT
David Weston (DWIZZZLE)
3 years
Today I'm very excited to announce that @RefirmLabs will be joining the Microsoft family to help improve firmware security capabilities in Azure Defender and across devices on the intelligent edge.
8
55
170
@dwizzzleMSFT
David Weston (DWIZZZLE)
10 months
Anyone have a windows question?
13
7
166
@dwizzzleMSFT
David Weston (DWIZZZLE)
9 months
I think Atomic Red Team is one of the most important projects around. Understanding exposure through verifiable, deterministic prevention capabilities has positive cascading effects across your entire defense strategy. Hoping you can detect something is not enough.
7
36
165
@dwizzzleMSFT
David Weston (DWIZZZLE)
4 years
@SwiftOnSecurity 1) Firmware is the MOST PRIVILEGED software on your device. Including hypervisor and kernel. Your EDR cannot effectively monitor it. You can't really see what's going on there
3
25
159
@dwizzzleMSFT
David Weston (DWIZZZLE)
4 years
Today I am running Microsoft Edge, Microsoft Teams, and Microsoft VS Code on a Microsoft Linux distro. That is all.
11
7
156
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
I am totally getting one of these Windows 11 Phones and trying project renegade:
6
13
155
@dwizzzleMSFT
David Weston (DWIZZZLE)
2 years
I'll never ever ever ever understand why people set up these advanced hunting functions in their org BEFORE they do even basic systems hardening and attack surface reduction. Hustling backwards.
15
21
152