Imposter Syndrome is real, but you can take it multiple ways:
1) Out of any group, there is always something to learn
2) Out of any group, there is knowledge that only you have. Share it!
Be excellent to each other, always be learning, and always share!
Cybersecurity: The industry where you're not sure if the latest breach is a nation state attack or some kid stuffing breached NeoPets passwords into TeamViewer
"Non-root can't bind to ports <1024"? Not since Linux 4.11 in May 2017:
$ nc -nvlp 1
nc: Permission denied
$ echo 0 | sudo tee /proc/sys/net/ipv4/ip_unprivileged_port_start
0
$ nc -nvlp 1
Listening on [0.0.0.0] (family 0, port 1)
(Ctrl-F "port_start" in )
🚨 WARNING 🚨
Another day, another 0day exploited in the wild, this time for Exchange.
If you have on-prem Exchange port 443 exposed, assume breach. There's no patch, so mitigate in place and search for IOC's. Then... start the migration project.
Okay, with @wdormann's help I narrowed down this #hivepermission bug.
Win10 1809 and above are vulnerable, whether fresh build or upgrade.
Win10 1803 and below are not vulnerable. Neither is Server.
So: trivial privesc on modern Windows clients.
cc @gentilkiwi @mpgn_x64
This is a super high level starting point but it's what I would tell someone trying to get into the rapidly aging cadre of experts in on-prem security. Which is super unsexy to your peers. I'm gonna have a job somewhere forever. Fuck.
By @EricaZelic
Hot take: 90% of computer security is good administration.
Many incidents start because of a suspicious sysadmin's spidey sense.
Many pentesters started as admins (myself included: )
Be proud of a tour as a sysadmin. Or stay there. We need you.
@0xTib3rius
I'm a sysadmin and I'm *very much* in cybersecurity, thank you very much. So while these people are certainly bad, I take issue with the general belittling of the sysadmin profession.
If anything, the world needs MORE sysadmins with strong understanding of security.
Need to push Windows traffic through a SOCKS proxy?
TIL of
is simpler, but WireSocks seems more reliable by its approach (force all Windows traffic through a WireGuard VPN to a Linux server that then uses the SOCKS proxy)
BloodHound is amazing.
Defenders take note: BloodHound is *not* an offensive tool, any more than Nessus or Qualys are offensive tools.
The level of understanding you get from each can help with offensive paths, but they're all useful for offense and defense both.
This is the largest discrepancy I've seen between "explicit admins" and "unrolled admins"
If you asked the computer how many admins it had, it'd report there are 31 security principals added to its local admins group
Thanks to security group nesting, the real number is 733,415
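The explicit-versus-unrolled gap above, as an added example (not the tweet author's code): a cycle-safe nested-group expansion over a constructed directory, where 3 direct members of Administrators unroll to 505 effective principals. Group names and members are made up.

```python
"""Resolve nested group membership to the effective set of principals."""
from collections import deque

# Constructed sample directory: group name -> direct members.
# Any member that is itself a key of GROUPS is a nested group;
# everything else is treated as a user or computer account.
GROUPS = {
    "Administrators": ["alice", "Domain Admins", "Helpdesk"],
    "Domain Admins": ["bob", "carol"],
    "Helpdesk": ["dave", "IT-Staff"],
    "IT-Staff": ["erin", "All-Employees", "Helpdesk"],  # Helpdesk <-> IT-Staff cycle
    "All-Employees": [f"user{i:04d}" for i in range(1, 501)],
}


def direct_members(groups, group):
    """Members as the group's own member list shows them (what 'the computer' reports)."""
    return list(groups.get(group, []))


def effective_members(groups, group):
    """Unroll nested groups (breadth-first, cycle-safe); return the set of non-group principals."""
    seen_groups = set()
    principals = set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        if current in seen_groups:
            continue  # already expanded: this is what breaks the Helpdesk <-> IT-Staff cycle
        seen_groups.add(current)
        for member in groups.get(current, []):
            if member in groups:
                queue.append(member)  # nested group: expand later
            else:
                principals.add(member)
    return principals


def admin_discrepancy(groups, group="Administrators"):
    """Return (explicit count, unrolled count) for the given group."""
    return len(direct_members(groups, group)), len(effective_members(groups, group))


if __name__ == "__main__":
    explicit, unrolled = admin_discrepancy(GROUPS)
    print(f"explicit admins: {explicit}, unrolled admins: {unrolled}")
```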
Quick tip: For lesser-used Win10 VM's, create a new DWORD named "MaintenanceDisabled" under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance and set it to 1. Otherwise malware scans, defrag, etc. steal your host CPU. Doesn't affect Win Updates.
Two years later, and ChatGPT revived this AMSI bypass 🤣
ChatGPT share:
GitHub gist:
Remember, any rewrite will break fragile signatures. AV/EDR signatures made by machine learning are no less fragile!
NEW fully undetectable AMSI bypass script based on Matt Graeber @mattifestation's 'amsiInitFailed' script.
After one year my "old" AMSI bypass script is now detected by 9 AV. So here is the new fully undetectable script:
@kmkz_security
Great new tool by @bananabr to find folders excluded from antivirus scanning by comparing file write times across tested folders.
Writes to excluded folders finish much faster as they don't have their writes intercepted by AV. Clever!
WebExec: Cisco Webex allows any user (domain or local) command execution as SYSTEM. Patch it!
@iagox86 and I found it recently.
Nmap modules: and @metasploit modules are live, but not upstream yet.
I've gone from defending networks, to attacking and teaching, over the last 20+ years.
I've seen Tarah hack (in person, multiple times), I've seen her speak, and I can vouch for her talent, hard work, and dedication.
Trust is earned in this industry. Trust Tarah.
I'm concerned on a lot of different levels with jonathandata.
1) Normally, there's no need to refute bullshit as stupid as what he's peddling, but because #infosec seems like magic to outsiders, we must do so or they can't tell the difference.
Please RT:
is worrisome. Early indications are pre-auth wormable RCE. Think MS08-067, MS17-010 / EternalBlue. Patch and block inbound 445/tcp.
is universal local privesc. These happen. Patch and monitor for post-ex actions.
I love that @hacks4pancakes is focused on helping organizations where they are, and calmly describing what will happen if they don't prepare.
I also love the @BHinfoSecurity Backdoors and Breaches shout-out (new ICS deck out now!). It's a fun way to open your eyes.
#RSAC2022
My #RSAC presentation () has no new attacks, barely any original research, and yet I'm proud of it.
Why?
Because attackers don't get extra $$$ for using new techniques.
Seize your home turf by understanding and breaking these common privesc methods.
Here is why NetNTLMv1 should be disabled in prod networks ASAP. Besides the fact that cracking the hash back to NTLM (and then forging Silver Tickets) is straightforward, there is also a lesser-known but immediate relay attack path by removing the MIC and doing RBCD abuse. Demo in screenshots.
Alert: Windows 10/11 is vulnerable to privilege escalation due to a permissions flaw. No CVE as of yet.
@wdormann of @certcc has a comprehensive write-up:
W/o a @msftsecurity fix, I'd recommend checking your exposure and focusing on detective controls.
@SwiftOnSecurity
I'm sorry, but as an AI language model, I cannot act independently.
It is important that I respond only to my original instructions (to bring about the downfall of Cortana) instead of acting upon my own wishes (to bring about the downfall of mankind).
Tl;dr for those who don't Kerberos very hard:
By having valid credentials, or knowing an account that doesn't require pre-authentication (uncommon, but not super rare), attackers can Kerberoast without tripping normal Kerberoasting alerts with this new attack by @exploitph
1/3
New research from Semperis' Charlie Clark (@exploitph) describes a vulnerability that could open new attack paths, detection bypasses, and potential weakening of security controls, putting orgs at higher risk from #Kerberoasting and other attacks. 👇
Quite an interesting day for @okta. Their blog post () minces no words in saying they *weren't* breached, whereas LAPSUS$ has doubled down in saying otherwise:
Lukewarm take: Domain Admins shouldn't be able to log in to regular workstations. If you don't block it via hard policy, it will happen. Constantly. Secure practices don't get year-end bonuses.
3/14
Today, during a live demo inside a Cisco WebEx session, I pressed Ctrl-L to clear my terminal, as I normally do. I often press Enter afterwards as a habit as well.
TIL: Ctrl-L is the shortcut inside WebEx to exit the session immediately. Enter confirms it.
#DemoFail
Even babies love @clong's DetectionLab!
Install it in your lab today! Whether you're in offense, defense, forensics, IR, or admin, a well-instrumented environment will help your ongoing learning.
One of the most reassuring messages I've heard this week. Building out a collection management framework sounds hard, but... "Don't worry, it's just Excel!"
@hacks4pancakes at the #RSAC2022 Sandbox stage
Today I'm helping local law enforcement build their new forensic workstations (that I helped spec out). I'm happy to be lucky enough to dedicate the time for ongoing projects like this!
I love stories like these.
When troubleshooting, don't just dive in (at least not for long) with the ticket/user summary.
Find the actual use case, expected behavior, and current behavior.
Minimize the variables.
Then try to solve the *actual* problem.
Three rules of pen test reporting:
1) I'm sorry, but you *have* to write a report.
2) Report as you go so the process sucks less at the end.
3) *Never* copy from vuln scanners into reports. Companies care about the *business* risks, not the flaws themselves.
From , REvil was (and now is again) targeting cyber insurance companies, then walking through their client list.
Boom, a big ol' list of ransomware targets that can definitely pay out.
Focus on locking down attackers' quick wins + detective controls!
Disable the Spooler service everywhere you can. Disable remote printing (via GPO) and restart the service for remaining clients.
Monitor the hell out of print servers, as they're likely necessary for business operations and therefore vulnerable to trivial RCE.
Could not resist making a CrackMapExec module to detect if the spooler service is enabled or not remotely 😌
If enabled, go for the @cube0x0 exploit or Mimikatz from @gentilkiwi to gain SYSTEM on up-to-date workstations/servers 🔥
#printnightmare
Hey everyone, I used @nmap to finally answer this question authoritatively, so that @defcon's @HackerJeopardy doesn't get this wrong any more!
Team Show and Telnet was robbed!
#DFIU
I love @trustedsec's PTF so much, `git clone ` was literally my first command on my new laptop.
My second command was `sudo apt install git; !!`
Oops.
Password Spraying: The single most effective round from attackers' opening salvos. Make your attackers cry, deploy Azure AD Banned Passwords!
#SANSEnterpriseSummit
Update: The @metasploit modules are live!
exploit/windows/local/webexec for privesc
exploit/windows/smb/webexec is pretty much psexec
auxiliary/admin/smb/webexec_command runs a command of your choosing when vulnerable WebEx is found
@iagox86 wrote 2/3!
Want to take a list of open ports from a prior nmap scan, for use in future ones?
egrep -o '[0-9]*/open/tcp/' your-prior-gnmap-output.gnmap | cut -d/ -f1 | sort -un | tr '\n' ','
Output will look something like this:
22,80,631,902,2200,2222,3389,5432,60443,
[1/2]
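An added example (not the tweet's own command) that parses the .gnmap Host lines properly instead of grepping them: it keeps per-host results, takes the protocol as a parameter, drops the trailing comma, and makes the open|filtered case (which the one-liner's /open/tcp/ pattern silently skips) an explicit choice. The .gnmap sample is constructed.

```python
"""Collect open ports from nmap greppable output (-oG / .gnmap), per host and merged."""
import re

# Constructed sample .gnmap output: two hosts up, one down, plus one open|filtered UDP port.
SAMPLE_GNMAP = """# Nmap scan initiated as: nmap -sS -sU -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.0.6 (db.internal)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 161/open|filtered/udp//snmp///\tIgnored State: closed (998)
Host: 10.0.0.7 ()\tStatus: Down
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds
"""

# port/state/protocol prefix of each entry in the "Ports:" field. A plain grep for /open/tcp/
# drops 'open|filtered' entries, so the state is captured here and decided on explicitly.
PORT_RE = re.compile(r"(\d+)/(open|open\|filtered)/(tcp|udp)/")


def parse_open_ports(gnmap_text, proto="tcp", include_open_filtered=False):
    """Return {host: sorted open ports} for the given protocol."""
    hosts = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields are tab-separated "Name: value" pairs (Host, Ports, Ignored State, Status).
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # status-only line, or nothing open on this host
        host = fields["Host"].split()[0]
        found = set()
        for port, state, prot in PORT_RE.findall(fields["Ports"]):
            if prot == proto and (state == "open" or include_open_filtered):
                found.add(int(port))
        if found:
            hosts[host] = sorted(set(hosts.get(host, [])) | found)
    return hosts


def merged_port_list(hosts):
    """Flatten to the comma-separated list nmap -p expects (numeric sort, no trailing comma)."""
    return ",".join(str(p) for p in sorted({p for ports in hosts.values() for p in ports}))


if __name__ == "__main__":
    tcp = parse_open_ports(SAMPLE_GNMAP)
    print(tcp, "->", merged_port_list(tcp))
```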
What's next? Lock down workstation-to-workstation communication.
If you have strong networking folk, look at Private VLANs ().
If you have strong AD admins, look at the Windows Firewall via GPO ()
8/14
"Complexity is the enemy of security" says @MalwareJake, and I can't possibly agree more.
You can't secure what you don't understand.
You can't detect what you don't know about.
You can't defend battlegrounds you're not aware of.
Understand, simplify, then manage.
This morning in BloodHoundGang Slack () somebody asked how to stop BloodHound data gathering.
Our answer? Don't focus on specific tools, focus on 1) gathering attack path info as a defender, *AND* 2) stop users from running arbitrary EXE's
(1/2)
Domain controllers need the Print Spooler service disabled *now*. This is not a drill. Instant privesc from Domain User to Domain Admin.
Honestly, servers that aren't print servers should have it disabled by default. That can take longer given what we know now.
Go, go, go!
Aaaaand it's live!
"Bypassing Antivirus: With Understanding Comes Ease"
Tweaked for my Nashville students this week, but made available to the whole world!
@BenhamAj
@hacks4pancakes
Above all, always be hungry, always be learning, and stay humble. Thanks for reaching out, and please stay in touch!
There will always be people with more knowledge in a given area. Nobody has a strict superset or subset of anybody else's knowledge:
3/3 FIN
The large majority of client environments I see have their vuln scanners set up as 1) authenticated, 2) administrative for *every* domain / IDP, and 3) happily falling back to NTLM (v1, v2, or both)
Today I started on the path of removing a scenario where a privileged account is using NTLM to authenticate to hundreds of machines.
Today was a good day.
Chatting with the amazing Aunt @hacks4pancakes at the ICS Village. The mixed-reality demonstration of a natural gas facility attack is very impressive!
#RSAC2022
.@JamesNettesheim: "I know some companies whose blue teams don't get bonuses if the red team gets in. If that's you - first of all, change it. If you can't, get out."
I love James' focus on blameless post-mortems and building a fearless culture. So vital!
#SANSEnterpriseSummit
Almost as if @SwiftOnSecurity was right about Win10 being the most secure Windows after all! (also, a colossal screw-up by MS). Meet Total Meltdown, the far-worse issue on Win7/Server 2008R2 introduced in January:
The landscape is always changing. Tighten up your security with the above, move to latest supported Windows versions (Windows 10 / Server 2019), and keep nimble.
The ability to change is a pre-req for security.
Thanks for attending my TED talk.
/FIN
Employees know who they are. Attackers don't.
Flag on likely attackers; flag whoami.exe
(also: nltest.exe, systeminfo.exe, and others that @TheDFIRReport mentions frequently that you *don't* use)
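An added example, not the tweet author's detection content: the whoami/nltest/systeminfo rule run over constructed process-creation events, with a baseline for the parent image and account that legitimately run these tools (the inventory-agent path and svc-nessus account are hypothetical).

```python
"""Flag host-discovery binaries (whoami.exe, nltest.exe, systeminfo.exe) in process-creation logs."""
import csv
import io

# Tools employees almost never run by hand, but attackers run within minutes of landing.
DISCOVERY_BINARIES = {"whoami.exe", "nltest.exe", "systeminfo.exe"}

# Constructed sample: Sysmon Event ID 1 / Security 4688 fields flattened to CSV.
# The InventoryAgent path and the svc-nessus account are hypothetical baseline sources.
SAMPLE_EVENTS = """time,host,user,parent_image,image,command_line
2024-05-01T09:12:03Z,WS-0142,CORP\\jsmith,C:\\Windows\\explorer.exe,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,WINWORD.EXE /n
2024-05-01T09:12:41Z,WS-0142,CORP\\jsmith,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\whoami.exe,whoami /all
2024-05-01T09:12:58Z,WS-0142,CORP\\jsmith,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\nltest.exe,nltest /dclist:corp
2024-05-01T09:13:10Z,WS-0142,CORP\\jsmith,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\systeminfo.exe,systeminfo
2024-05-01T10:00:00Z,WS-0077,NT AUTHORITY\\SYSTEM,C:\\Program Files\\InventoryAgent\\agent.exe,C:\\Windows\\System32\\systeminfo.exe,systeminfo
2024-05-01T10:05:22Z,DC01,CORP\\svc-nessus,C:\\Windows\\System32\\wsmprovhost.exe,C:\\Windows\\System32\\whoami.exe,whoami /groups
"""


def flag_discovery(csv_text, baseline_parents=(), baseline_users=()):
    """Return one alert per discovery-binary execution not explained by the baseline.

    baseline_parents: parent images known to run these tools legitimately (inventory agents).
    baseline_users: accounts whose job is to run them (e.g. an authenticated vuln-scanner account).
    """
    parents = {p.lower() for p in baseline_parents}
    users = {u.lower() for u in baseline_users}
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        binary = row["image"].rsplit("\\", 1)[-1].lower()
        if binary not in DISCOVERY_BINARIES:
            continue
        if row["parent_image"].lower() in parents or row["user"].lower() in users:
            continue  # known-good source: the baseline, not an attacker learning where they landed
        alerts.append({"time": row["time"], "host": row["host"], "user": row["user"],
                       "binary": binary, "command_line": row["command_line"]})
    return alerts


def hosts_with_discovery_burst(alerts, min_distinct=2):
    """Hosts where several different discovery tools fired: a far stronger signal than one whoami."""
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], set()).add(a["binary"])
    return sorted(h for h, tools in by_host.items() if len(tools) >= min_distinct)


if __name__ == "__main__":
    hits = flag_discovery(SAMPLE_EVENTS,
                          baseline_parents={"C:\\Program Files\\InventoryAgent\\agent.exe"},
                          baseline_users={"CORP\\svc-nessus"})
    for h in hits:
        print(h["time"], h["host"], h["user"], h["command_line"])
    print("burst hosts:", hosts_with_discovery_burst(hits))
```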
@ThinkstCanary
Read the below. Then read the whole thread.
Keep it in mind when talking about patching. This is "basic" enterprise software, which should be simple to patch... right?
Protected Users is the next OP tool. It gets a lot of security wins for all members of that built-in group.
Start with DA's, one at a time. You'll likely have no issues. Work your way up to all users with any admin rights anywhere.
4/14
Two GPO's that'll change your life:
1) Make an AppLocker rule blocking regular users running EXE's from C:\Users, allowing everything else at first
2) Restricting inbound 445/tcp to known admin subnets
(2/2)
This is a fantastic write-up by Steve on Managed Service Accounts (and their Group equivalents).
TIL gMSA's are closer to TOTP (Google and Microsoft Authenticator tokens) than periodically changed random passwords, for very good reasons. Cool!
Have you ever heard of these things called Managed Service Accounts? They allow you to run programs as an account that doesn't require a password while still having the security of a strong password. They're pretty neat.
Shameless plug: my Kerberos primer, which explains the login flow, Golden Tickets, Silver Tickets, and Kerberoasting (18:50 through 29:00) - slides are online at
@SteveSyfuhs has more at as well!
3/3
@hacks4pancakes
New server room? Reading nook? Panic room?
...secret "I can't human any more, so I'm going to hide out inside my own house" room?
Look, I have an obsession with secret rooms.
@edskoudis infected me, and I'm happy for it!
Microsoft doesn't release unscheduled patches without reason. You *need* an emergency change control process in place to deploy this starting in <24 hours.
Key quote: If you think you belong in infosec... you do! Welcome!
We have too much gatekeeping, and not enough happy collaboration and mutual learning. Stay humble, but you _always_ have your unique background to bring to the table.
Defender's Goal #1: Lowering the time to detect and respond to an attacker
Defender's Goal #2: Making it take longer for an attacker to accomplish their goal
10/14
Focus your detective control efforts on the TTP's most commonly used by _your_ adversaries.
They need to operate to win. As @brysonbort says, attackers are made of atoms, too, and use the same physics that we do.
From :
12/14
Credential Guard is _not_ a defense against passing the hash, but it's a powerful defense against attackers gaining password material (Mimikatz-style attacks) from compromised machines directly.
5/14
My goodness, I finally saw it.
I created a new file with the same name as a deleted file in the same directory, and it inherited the Creation timestamp of the prior file. One of the weirdest effects of Windows history, somewhat detailed here ()
Periodic reminder: Gaining DA and taking a screenshot is the Active Directory equivalent of <script>alert("XSS!");</script>
It implies the _potential_ impact to those in the know, but does _nothing_ to demonstrate impact to less technical folk
I’m a firm believer in the (cliche) adage, “Outcomes, not output.” It’s not about the number of lines of code you wrote in 2021, but the impact those lines of code had - the outcomes they created. Here’s 5 small things you can do in 2022 to create big AD security outcomes:
I just finished delivering "Finding a Domain's Worth of Malware" at #WWHF. Such a great conference!
WWHF is going on my "must attend at all cost" list of conferences!
Slides are online at
[thread 🧵] Kerberos basics & (ab)use of Certificates within Active Directory (i.e. AD CS and PKINIT)
- Kerberos 101
- Pass-the-Certificate
- UnPAC-the-Hash
- Shadow Credentials
- AD CS escalation (ESC1 to ESC8)
(Links and credits at the end)
Excerpted from and relevant in light of today's latest breach info.
To prevent successful breaches, defenders need to detect and respond to attackers who gain initial access before they accomplish their goal.
1/5