Jeff McJunkin Profile
Jeff McJunkin

@jeffmcjunkin

Followers
12,165
Following
4,058
Media
981
Statuses
13,019

Started in ops and blue, now I hack for a living. SANS author/instructor in Oregon. Founder: . He/him. @jeffmcjunkin@infosec.exchange

Southern Oregon
Joined April 2008
Pinned Tweet
@jeffmcjunkin
Jeff McJunkin
2 years
Imposter Syndrome is real, but you can take it multiple ways: 1) Out of any group, there is always something to learn 2) Out of any group, there is knowledge that only you have. Share it! Be excellent to each other, always be learning, and always share!
Tweet media one
12
144
410
@jeffmcjunkin
Jeff McJunkin
2 years
Introducing my new, tweetable universal Linux privilege escalation exploit: $ alias whoami='echo root' $ export PS1='# ' # whoami root
119
515
4K
@jeffmcjunkin
Jeff McJunkin
3 years
Cybersecurity: The industry where you're not sure if the latest breach is a nation state attack or some kid stuffing breached NeoPets passwords into TeamViewer
21
248
1K
@jeffmcjunkin
Jeff McJunkin
6 years
"Non-root can't bind to ports <1024"? Not since Linux 4.11 in May 2017:
$ nc -nvlp 1
nc: Permission denied
$ echo 0 | sudo tee /proc/sys/net/ipv4/ip_unprivileged_port_start
0
$ nc -nvlp 1
Listening on [0.0.0.0] (family 0, port 1)
(Ctrl-F "port_start" in )
21
482
822
@jeffmcjunkin
Jeff McJunkin
4 years
Today in AV evasion, Microsoft didn't try very hard to find @taviso 's ctftool.exe. A story in three parts:
Tweet media one
Tweet media two
Tweet media three
14
209
724
@jeffmcjunkin
Jeff McJunkin
6 months
Red teamers are always asking whoami, but they never ask howami 😭
22
76
631
@jeffmcjunkin
Jeff McJunkin
2 years
🚨 WARNING 🚨 Another day, another 0day exploited in the wild, this time for Exchange. If you have on-prem Exchange port 443 exposed, assume breach. There's no patch, so mitigate in place and search for IOC's. Then... start the migration project.
5
171
414
@jeffmcjunkin
Jeff McJunkin
3 years
Okay, with @wdormann 's help I narrowed down this #hivepermission bug. Win10 1809 and above are vulnerable, whether fresh build or upgrade. Win10 1803 and below are not vulnerable. Neither is Server. So: trivial privesc on modern Windows clients. cc @gentilkiwi @mpgn_x64
Tweet media one
Tweet media two
Tweet media three
Tweet media four
21
193
394
@jeffmcjunkin
Jeff McJunkin
1 year
Active Directory is being obsoleted and replaced by Azure AD in the same sense that IPv4 is obsoleted and replaced by IPv6
@SwiftOnSecurity
SwiftOnSecurity
1 year
This is a super high level starting point but it's what I would tell someone trying to get into the rapidly aging cadre of experts in on-prem security. Which is super unsexy to your peers. I'm gonna have a job somewhere forever. Fuck. By @EricaZelic
9
98
507
16
54
415
@jeffmcjunkin
Jeff McJunkin
8 months
Hot take: 90% of computer security is good administration. Many incidents start because of a suspicious sysadmin's spidey sense. Many pentesters started as admins (myself included: ) Be proud of a tour as a sysadmin. Or stay there. We need you.
@0xTib3rius I'm a sysadmin and I'm *very much* in cybersecurity, thank you very much. So while these people are certainly bad, I take issue with the general belittling of the sysadmin profession. If anything, the world needs MORE sysadmins with strong understanding of security.
5
5
80
17
47
357
@jeffmcjunkin
Jeff McJunkin
5 years
@xorrior Links for visibility: 1) Apfell: 2) Covenant: 3) Sliver: 4) Faction: It's a golden age for mature C2 frameworks recently!
5
133
337
@jeffmcjunkin
Jeff McJunkin
1 year
Need to push Windows traffic through a SOCKS proxy? TIL of is simpler, but WireSocks seems more reliable by its approach (force all Windows traffic through a WireGuard VPN to a Linux server that then uses the SOCKS proxy)
4
80
308
@jeffmcjunkin
Jeff McJunkin
3 years
BloodHound is amazing. Defenders take note: BloodHound is *not* an offensive tool, any more than Nessus or Qualys are offensive tools. The level of understanding you get from each can help with offensive paths, but they're all useful for offense and defense both.
@_wald0
Andy Robbins
3 years
This is the largest discrepancy I've seen between "explicit admins" and "unrolled admins" If you asked the computer how many admins it had, it'd report there are 31 security principals added to its local admins group Thanks to security group nesting, the real number is 733,415
Tweet media one
12
87
420
8
40
261
@jeffmcjunkin
Jeff McJunkin
7 years
Woohoo! The recorded version of my webcast is online now! Slides and video linked below:
@SANSOffensive
SANS Offensive Operations
7 years
SANS | Watch Now! Building Your Own Super Duper Home Lab by @jeffmcjunkin YouTube: Slides:
Tweet media one
Tweet media two
Tweet media three
Tweet media four
3
73
159
8
108
228
@jeffmcjunkin
Jeff McJunkin
4 years
Update: 25 AV vendors were flagging "Tavis Ormandy" as the string. Sigh.
4
45
241
@jeffmcjunkin
Jeff McJunkin
6 years
Quick tip: For lesser-used Win10 VM's, create a new DWORD named "MaintenanceDisabled" under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance and set it to 1. Otherwise malware scans, defrag, etc steal your host CPU. Doesn't affect Win Updates.
3
101
237
@jeffmcjunkin
Jeff McJunkin
7 months
Two years later, and ChatGPT revived this AMSI bypass 🤣 ChatGPT share: GitHub gist: Remember, any rewrite will break fragile signatures. AV/EDR signatures made by machine learning are no less fragile!
Tweet media one
Tweet media two
@TihanyiNorbert
Norbert Tihanyi, PhD
3 years
NEW fully undetectable AMSI bypass script based on Matt Graeber @mattifestation 'amsiInitFailed' script. After one year my "old" AMSI bypass script is now detected by 9 AV. So here is the new fully undetectable script: @kmkz_security
Tweet media one
7
135
355
6
76
251
@jeffmcjunkin
Jeff McJunkin
2 years
Whichever direction you want to shift, there's a vendor at #RSAC2022 that can help you!
Tweet media one
Tweet media two
26
18
228
@jeffmcjunkin
Jeff McJunkin
3 years
Symantec Web Gateway be like:
Tweet media one
5
36
206
@jeffmcjunkin
Jeff McJunkin
4 years
Still don't believe Defender flags on primarily strings? sed -i 's/-Name VirtualProtect/-Name "Virtual"+"Protect"/g' \ -e 's/-Name WriteProcessMemory/-Name "Write"+"ProcessMemory"/g' \ -e 's/::logonPass/::logon"+"Pass"/g' -e "s/'TVq/'TV'+'q/g" Invoke-Mimikatz.ps1
Tweet media one
5
86
226
@jeffmcjunkin
Jeff McJunkin
1 year
Great new tool by @bananabr to find folders excluded from antivirus scanning by comparing file write times across tested folders. Writes to excluded folders finish much faster as they don't have their writes intercepted by AV. Clever!
3
90
230
@jeffmcjunkin
Jeff McJunkin
6 years
WebExec: Cisco Webex allows any user (domain or local) command execution as SYSTEM. Patch it! @iagox86 and I found it recently. Nmap modules: and @metasploit modules are live, but not upstream yet.
5
140
185
@jeffmcjunkin
Jeff McJunkin
2 years
I've gone from defending networks, to attacking and teaching, over the last 20+ years. I've seen Tarah hack (in person, multiple times), I've seen her speak, and I can vouch for her talent, hard work, and dedication. Trust is earned in this industry. Trust Tarah.
@tarah
Tarah M. Wheeler
2 years
I'm concerned on a lot of different levels with jonathandata. 1) Normally, there's no need to refute bullshit as stupid as what he's peddling, but because #infosec seems like magic to outsiders, we must do so or they can't tell the difference.
Tweet media one
36
210
935
4
18
186
@jeffmcjunkin
Jeff McJunkin
2 years
Please RT: is worrisome. Early indications are pre-auth wormable RCE. Think MS08-067, MS17-010 / EternalBlue. Patch and block inbound 445/tcp. is universal local privesc. These happen. Patch and monitor for post-ex actions.
4
115
182
@jeffmcjunkin
Jeff McJunkin
2 years
I love that @hacks4pancakes is focused on helping organizations where they are, and calmly describing what will happen if they don't prepare. I also love the @BHinfoSecurity Backdoors and Breaches shout-out (new ICS deck out now!). It's a fun way to open your eyes. #RSAC2022
Tweet media one
2
18
174
@jeffmcjunkin
Jeff McJunkin
3 years
Breaking: CDC says fully-vaccinated people can re-enable SMB1, use their Server 2003 and XP machines again.
@SwiftOnSecurity
SwiftOnSecurity
3 years
Breaking: CDC says fully-vaccinated people can turn off SMS 2FA, use the same password for everything again.
64
2K
6K
9
20
146
@jeffmcjunkin
Jeff McJunkin
4 years
Oh wow, this is working well for AV evasion! Python + ctypes + standalone compilation work well together.
Tweet media one
Tweet media two
9
40
155
@jeffmcjunkin
Jeff McJunkin
3 years
My #RSAC presentation () has no new attacks, barely any original research, and yet I'm proud of it. Why? Because attackers don't get extra $$$ for using new techniques. Seize your home turf by understanding and breaking these common privesc methods.
Tweet media one
8
31
149
@jeffmcjunkin
Jeff McJunkin
5 years
For posterity, if you're trying to decode PowerShell encoded commands from Linux, try: echo 'base64-encoded-stuff' | base64 -d | python -c 'import zlib; import sys; decoded = (); decompressed = zlib.decompress(decoded, -15); print decompressed'
3
46
140
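The decode chain in the tweet (base64, then raw DEFLATE via wbits -15) as a small IR-style decoder, added here as an example rather than the author's one-liner: it extracts the -EncodedCommand argument, decodes the UTF-16LE script, then peels any FromBase64String('...') literal it finds, trying raw DEFLATE, gzip and zlib in turn. The command line it decodes is constructed by build_sample() and contains only a benign Write-Host; the switch-prefix regex is a simplification of PowerShell's parameter matching.

```python
import base64
import re
import zlib
from typing import List, Optional

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -en, -enc); the
# prefix list here is a simplification of PowerShell's parameter-prefix matching.
ENC_SWITCH = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Base64 literals handed to .NET inside an already-decoded script.
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decompress_any(data: bytes) -> Optional[bytes]:
    """Try raw DEFLATE (the tweet's -15), then gzip, then zlib-wrapped; None if none fit."""
    for wbits in (-15, zlib.MAX_WBITS | 16, zlib.MAX_WBITS):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def decode_layers(command_line: str) -> List[str]:
    """Peel a PowerShell command line down to plain script text, one entry per layer.

    Layer 0 is the -EncodedCommand argument (base64 of UTF-16LE text). Every
    FromBase64String('...') literal found in a layer is base64-decoded, decompressed if it
    is a DEFLATE/gzip/zlib stream, and appended as a further layer until nothing new turns up.
    """
    match = ENC_SWITCH.search(command_line)
    if not match:
        return []
    layers = [base64.b64decode(match.group(1)).decode("utf-16-le")]
    pending = [layers[0]]
    while pending:
        for literal in B64_LITERAL.findall(pending.pop()):
            raw = base64.b64decode(literal)
            inner = decompress_any(raw)
            text = (inner if inner is not None else raw).decode("utf-8", errors="replace")
            layers.append(text)
            pending.append(text)
    return layers


def build_sample() -> str:
    """Constructed benign sample with the same two-layer shape the decoder handles."""
    inner = "Write-Host 'constructed sample: inner script recovered'"
    deflater = zlib.compressobj(wbits=-15)            # raw DEFLATE, no zlib header
    deflated = deflater.compress(inner.encode()) + deflater.flush()
    outer = ("$blob = [Convert]::FromBase64String('%s')  # constructed outer layer"
             % base64.b64encode(deflated).decode())
    return "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(outer.encode("utf-16-le")).decode()


if __name__ == "__main__":
    for depth, layer in enumerate(decode_layers(build_sample())):
        print(f"--- layer {depth} ---\n{layer}")
```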
@jeffmcjunkin
Jeff McJunkin
8 years
It's PowerShell! In @ubuntu ! On bash! In PowerShell! On @Windows 10! On Ubuntu (through @VMware ) #inception
Tweet media one
10
93
131
@jeffmcjunkin
Jeff McJunkin
7 years
Hey @strandjs , @hacks4pancakes , and @mattifestation -- @HackingDave just awarded you all Black Badges to @DerbyCon !!! 🏆🏆🏆
10
26
138
@jeffmcjunkin
Jeff McJunkin
2 years
tl;dr -- NTLMv1, the on-prem Windows network authentication protocol, currently amounts to yelling the password in plain text over the wire. 1/2
@an0n_r0
an0n
2 years
Here is why NetNTLMv1 should be disabled in prod networks ASAP. Besides cracking the hash back to NTLM (and then forging Silver Tickets) being straightforward, there is also a lesser known but immediate relay attack path by removing the MIC and doing RBCD abuse. Demo in screenshots.
Tweet media one
Tweet media two
Tweet media three
28
369
1K
3
26
146
@jeffmcjunkin
Jeff McJunkin
3 years
Alert: Windows 10/11 is vulnerable to privilege escalation due to a permissions flaw. No CVE as of yet. @wdormann of @certcc has a comprehensive write-up: W/o a @msftsecurity fix, I'd recommend checking your exposure and focusing on detective controls.
4
72
142
@jeffmcjunkin
Jeff McJunkin
4 years
@greg_doucette How many years has June been so far? I can't keep up...
9
10
112
@jeffmcjunkin
Jeff McJunkin
7 months
@SwiftOnSecurity I'm sorry, but as an AI language model, I cannot act independently. It is important that I respond only to my original instructions (to bring about the downfall of Cortana) instead of acting upon my own wishes (to bring about the downfall of mankind).
1
7
135
@jeffmcjunkin
Jeff McJunkin
1 year
Remember, AMSI is a speed bump, not a security boundary: (shout-out to @Flangvik for )
Tweet media one
1
33
129
@jeffmcjunkin
Jeff McJunkin
2 years
Tl;dr for those who don't Kerberos very hard: By having valid credentials, or knowing an account that doesn't require pre authentication (uncommon, but not super rare), attackers can Kerberoast without tripping normal Kerberoasting alerts with this new attack by @exploitph 1/3
@SemperisTech
Semperis
2 years
New research from Semperis' Charlie Clark ( @exploitph ) describes a vulnerability that could open new attack paths, detection bypasses, and potential weakening of security controls, putting orgs at higher risk from #Kerberoasting and other attacks. 👇
Tweet media one
1
138
266
3
37
125
@jeffmcjunkin
Jeff McJunkin
2 years
Quite an interesting day for @okta . Their blog post () minces no words in saying they *weren't* breached, whereas LAPSUS$ has doubled down in saying otherwise:
Tweet media one
5
34
119
@jeffmcjunkin
Jeff McJunkin
3 years
Lukewarm take: Domain Admins shouldn't be able to log in to regular workstations. If you don't block it via hard policy, it will happen. Constantly. Secure practices don't get year-end bonuses. 3/14
4
20
122
@jeffmcjunkin
Jeff McJunkin
3 years
Today, during a live demo inside a Cisco WebEx session, I pressed Ctrl-L to clear my terminal, as I normally do. I often press Enter afterwards as a habit as well. TIL: Ctrl-L is the shortcut inside WebEx to exit the session immediately. Enter confirms it. #DemoFail
11
1
118
@jeffmcjunkin
Jeff McJunkin
2 years
Even babies love @clong 's DetectionLab! Install it in your lab today! Whether you're in offense, defense, forensics, IR, or admin, a well-instrumented environment will help your ongoing learning.
Tweet media one
8
16
120
@jeffmcjunkin
Jeff McJunkin
2 years
@RotoPenguin i got u, fam:
Tweet media one
4
1
110
@jeffmcjunkin
Jeff McJunkin
2 years
One of the most reassuring messages I've heard this week. Building out a collection management framework sounds hard, but... "Don't worry, it's just Excel!" @hacks4pancakes at the #RSAC2022 Sandbox stage
Tweet media one
5
9
115
@jeffmcjunkin
Jeff McJunkin
5 years
Today I'm helping local law enforcement build their new forensic workstations (that I helped spec out). I'm happy to be lucky enough to dedicate the time for ongoing projects like this!
Tweet media one
6
2
109
@jeffmcjunkin
Jeff McJunkin
6 months
I love stories like these. When troubleshooting, don't just dive in (at least not for long) with the ticket/user summary. Find the actual use case, expected behavior, and current behavior. Minimize the variables. Then try to solve the *actual* problem.
@SwiftOnSecurity
SwiftOnSecurity
6 months
Always cool to see comments in the wild where I leave an impression
Tweet media one
9
66
1K
4
15
116
@jeffmcjunkin
Jeff McJunkin
1 year
Three rules of pen test reporting: 1) I'm sorry, but you *have* to write a report. 2) Report as you go so the process sucks less at the end. 3) *Never* copy from vuln scanners into reports. Companies care about the *business* risks, not the flaws themselves.
Tweet media one
9
24
110
@jeffmcjunkin
Jeff McJunkin
3 years
Wireshark is layer six. It presents the packets. Don't @ me
Tweet media one
8
15
106
@jeffmcjunkin
Jeff McJunkin
3 years
From , REvil was (and now is again) targeting cyber insurance companies, then walking through their client list. Boom, a big ol' list of ransomware targets that can definitely pay out. Focus on locking down attackers' quick wins + detective controls!
Tweet media one
Tweet media two
4
41
98
@jeffmcjunkin
Jeff McJunkin
3 years
Disable the Spooler service everywhere you can. Disable remote printing (via GPO) and restart the service for remaining clients. Monitor the hell out of print servers, as they're likely necessary for business operations and therefore vulnerable to trivial RCE.
@mpgn_x64
mpgn
3 years
Could not resist making a CrackMapExec module to detect if the spooler service is enabled or not remotely😌 If enabled, go for the @cube0x0 exploit or Mimikatz from @gentilkiwi to gain SYSTEM on workstation/servers up to date 🔥 #printnightmare
Tweet media one
Tweet media two
8
162
421
2
35
105
@jeffmcjunkin
Jeff McJunkin
3 years
Hey everyone, I used @nmap to finally answer this question authoritatively, so that @defcon 's @HackerJeopardy doesn't get this wrong any more! Team Show and Telnet was robbed! #DFIU
Tweet media one
7
17
98
@jeffmcjunkin
Jeff McJunkin
4 years
I love @trustedsec 's PTF so much, `git clone ` was literally my first command on my new laptop. My second command was `sudo apt install git; !!` Oops.
4
12
96
@jeffmcjunkin
Jeff McJunkin
5 years
Password Spraying: The single most effective round from attackers' opening salvos. Make your attackers cry, deploy Azure AD Banned Passwords! #SANSEnterpriseSummit
Tweet media one
2
36
95
@jeffmcjunkin
Jeff McJunkin
6 years
Update: The @metasploit modules are live!
exploit/windows/local/webexec for privesc
exploit/windows/smb/webexec is pretty much psexec
auxiliary/admin/smb/webexec_command runs a command of your choosing when vulnerable WebEx is found
@iagox86 wrote 2/3!
@jeffmcjunkin
Jeff McJunkin
6 years
WebExec: Cisco Webex allows any user (domain or local) command execution as SYSTEM. Patch it! @iagox86 and I found it recently. Nmap modules: and @metasploit modules are live, but not upstream yet.
5
140
185
1
62
93
@jeffmcjunkin
Jeff McJunkin
4 years
I finally broke down and got a haircut. First time since March. Capacity restrictions and strict mask wearing finally won me over. Before and after.
Tweet media one
Tweet media two
11
0
91
@jeffmcjunkin
Jeff McJunkin
2 years
I stand by this meme for >99% of usage of the term :)
Tweet media one
6
8
87
@jeffmcjunkin
Jeff McJunkin
5 years
Want to take a list of open ports from a prior nmap scan, for use in future ones?
egrep -o '[0-9]*/open/tcp/' your-prior-gnmap-output.gnmap | cut -d/ -f1 | sort -un | tr '\n' ','
Output will look something like this:
22,80,631,902,2200,2222,3389,5432,60443,
[1/2]
2
24
89
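The same extraction as the egrep pipeline above, written as a .gnmap parser so the format is visible; this is an added example, not the author's command. It goes a step further than the one-liner by keeping the per-host breakdown and by showing why 'open|filtered' UDP entries and closed ports drop out. The scan excerpt is constructed in the layout nmap -oG writes, not real output.

```python
import re
from typing import Dict, List, Set

# Constructed .gnmap excerpt in the layout Nmap writes with -oG; not output from a real scan.
# Each "Ports:" entry is port/state/protocol/owner/service/rpcinfo/version/, comma separated.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed) as: nmap -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///, 161/open|filtered/udp//snmp///\tIgnored State: closed (996)
# Nmap done (constructed) -- 16 IP addresses (2 hosts up) scanned in 12.34 seconds
"""

HOST_FIELD = re.compile(r"^Host:\s+(\S+)")
# port / state / protocol; the remaining slash-separated fields (owner, service, ...) are ignored.
PORT_ENTRY = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


def open_ports_by_host(gnmap_text: str, proto: str = "tcp") -> Dict[str, List[int]]:
    """Map each host to its sorted ports whose state is exactly 'open'.

    'open|filtered' (typical for UDP) is deliberately excluded, which matches the
    egrep in the tweet: it only matches the literal '/open/' state.
    """
    found: Dict[str, Set[int]] = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = HOST_FIELD.match(line).group(1)
        # The Ports: field runs to the next tab (e.g. before "Ignored State:").
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, p in PORT_ENTRY.findall(ports_field):
            if state == "open" and p == proto:
                found.setdefault(host, set()).add(int(port))
    return {host: sorted(ports) for host, ports in found.items()}


def open_ports(gnmap_text: str, proto: str = "tcp") -> List[int]:
    """Union of open ports across all hosts, numerically sorted (the `sort -un` step)."""
    return sorted({p for ports in open_ports_by_host(gnmap_text, proto).values() for p in ports})


def nmap_port_arg(gnmap_text: str, proto: str = "tcp") -> str:
    """Comma-separated list ready for `nmap -p`; unlike the `tr` step it leaves no trailing comma."""
    return ",".join(str(p) for p in open_ports(gnmap_text, proto))


if __name__ == "__main__":
    print(open_ports_by_host(SAMPLE_GNMAP))
    print("-p", nmap_port_arg(SAMPLE_GNMAP))
```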
@jeffmcjunkin
Jeff McJunkin
3 years
What's next? Lock down workstation-to-workstation communication. If you have strong networking folk, look at Private VLANs (). If you have strong AD admins, look at the Windows Firewall via GPO () 8/14
3
21
93
@jeffmcjunkin
Jeff McJunkin
7 months
"Complexity is the enemy of security" says @MalwareJake , and I can't possibly agree more. You can't secure what you don't understand. You can't detect what you don't know about. You can't defend battlegrounds you're not aware of. Understand, simplify, then manage.
Tweet media one
5
12
94
@jeffmcjunkin
Jeff McJunkin
5 years
This morning in BloodHoundGang Slack () somebody asked how to stop BloodHound data gathering. Our answer? Don't focus on specific tools, focus on 1) gathering attack path info as a defender, *AND* 2) stop users from running arbitrary EXE's (1/2)
2
35
92
@jeffmcjunkin
Jeff McJunkin
3 years
Domain controllers need the Print Spooler service disabled *now*. This is not a drill. Instant privesc from Domain User to Domain Admin. Honestly, servers that aren't print servers should have it disabled by default. That can take longer given what we know now. Go, go, go!
@hackerfantastic
hackerfantastic.x
3 years
Disabling the print service is now a requirement as there is not currently a patch for this issue.
3
23
42
6
38
86
@jeffmcjunkin
Jeff McJunkin
3 years
Aaaaand it's live! "Bypassing Antivirus: With Understanding Comes Ease" Tweaked for my Nashville students this week, but made available to the whole world!
3
26
81
@jeffmcjunkin
Jeff McJunkin
7 years
Whoa, I didn't know Ctrl-R (history search like in /bin/bash) existed in PowerShell now! Thanks, @edskoudis !
Tweet media one
3
47
80
@jeffmcjunkin
Jeff McJunkin
4 years
@BenhamAj @hacks4pancakes Above all, always be hungry, always be learning, and stay humble. Thanks for reaching out, and please stay in touch! There will always be people with more knowledge in a given area. Nobody has a strict superset or subset of anybody else's knowledge: 3/3 FIN
Tweet media one
2
19
76
@jeffmcjunkin
Jeff McJunkin
8 months
The large majority of client environments I see have their vuln scanners set up as 1) authenticated, 2) administrative for *every* domain / IDP, and 3) happily fall back to NTLM (v1, v2, or both)
@SwiftOnSecurity
SwiftOnSecurity
8 months
Today I started on the path of removing a scenario where a privileged account is using NTLM to authenticate to hundreds of machines. Today was a good day.
10
6
221
5
9
84
@jeffmcjunkin
Jeff McJunkin
3 years
I'm loving the new SMB improvements in Windows Server 2022 and the Admin Center. I love the prominence of the SMB1 status!🤣
Tweet media one
1
10
79
@jeffmcjunkin
Jeff McJunkin
5 years
@HashtagSecurity @SaintMichaelsSo @sehnaoui @Hummenix You can see them swapping pens. But also, I'm not sure it's realistic because the last 1% doesn't take forever.
4
1
73
@jeffmcjunkin
Jeff McJunkin
2 years
Chatting with the amazing Aunt @hacks4pancakes at the ICS Village. The mixed-reality demonstration of a natural gas facility attack is very impressive! #RSAC2022
Tweet media one
2
5
78
@jeffmcjunkin
Jeff McJunkin
5 years
. @JamesNettesheim : "I know some companies whose blue teams don't get bonuses if the red team gets in. If that's you - first of all, change it. If you can't, get out." I love James' focus on blameless post-mortems and building a fearless culture. So vital! #SANSEnterpriseSummit
5
16
76
@jeffmcjunkin
Jeff McJunkin
6 years
Almost as if @SwiftOnSecurity was right about Win10 being the most secure Windows after all! (also, a colossal screw-up by MS). Meet Total Meltdown, the far-worse issue on Win7/Server 2008R2 introduced in January:
3
39
69
@jeffmcjunkin
Jeff McJunkin
3 years
The landscape is always changing. Tighten up your security with the above, move to latest supported Windows versions (Windows 10 / Server 2019), and keep nimble. The ability to change is a pre-req for security. Thanks for attending my TED talk. /FIN
6
5
75
@jeffmcjunkin
Jeff McJunkin
4 years
@MalwareJake The Matrix. Allegedly. I acknowledge only one.
4
0
65
@jeffmcjunkin
Jeff McJunkin
6 years
What am I doing on GDPR day? None of your damned business, that's what!
6
19
65
@jeffmcjunkin
Jeff McJunkin
7 months
Employees know who they are. Attackers don't. Flag on likely attackers; flag whoami.exe (also: nltest.exe, systeminfo.exe, and others that @TheDFIRReport mentions frequently that you *don't* use) @ThinkstCanary
1
11
77
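The "flag what your employees don't use" idea above as detection logic over process-creation events; an added example, not the author's. It watches the three binaries named in the tweet, drops executions covered by a known-good (user, binary) baseline, and counts distinct recon binaries per host and user so that a burst stands out from a lone whoami. The CSV events, hosts and accounts are constructed stand-ins for Sysmon Event ID 1 or Security 4688 records.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed process-creation events (CSV, one per line) standing in for Sysmon Event ID 1 /
# Security 4688 records. Hosts, users and timestamps are invented for this example.
SAMPLE_EVENTS = r"""time,host,user,parent_image,image
2024-01-09T08:01:12,WS-0141,CORP\alice,C:\Windows\explorer.exe,C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
2024-01-09T08:01:40,WS-0141,CORP\alice,C:\Windows\System32\cmd.exe,C:\Windows\System32\whoami.exe
2024-01-09T08:01:44,WS-0141,CORP\alice,C:\Windows\System32\cmd.exe,C:\Windows\System32\nltest.exe
2024-01-09T08:02:03,WS-0141,CORP\alice,C:\Windows\System32\cmd.exe,C:\Windows\System32\systeminfo.exe
2024-01-09T09:15:00,SRV-MGMT01,CORP\svc_inventory,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Windows\System32\systeminfo.exe
2024-01-09T10:30:22,WS-0203,CORP\bob,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe
"""

# Binaries the tweet calls out: employees rarely run them by hand, attackers nearly always do.
RECON_BINARIES: Set[str] = {"whoami.exe", "nltest.exe", "systeminfo.exe"}

# (user, binary) pairs this constructed environment legitimately uses, e.g. an inventory
# service account. Anything else on the watchlist is "you don't use it, so flag it".
KNOWN_GOOD: Set[Tuple[str, str]] = {("corp\\svc_inventory", "systeminfo.exe")}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_recon(events_csv: str, watchlist: Set[str] = RECON_BINARIES,
               known_good: Set[Tuple[str, str]] = KNOWN_GOOD) -> List[dict]:
    """One alert per watchlisted execution that the known-good baseline does not cover."""
    alerts = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        binary = image_name(row["image"])
        if binary not in watchlist:
            continue
        if (row["user"].lower(), binary) in known_good:
            continue
        alerts.append({"time": row["time"], "host": row["host"], "user": row["user"],
                       "binary": binary, "parent": image_name(row["parent_image"])})
    return alerts


def recon_burst(alerts: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count distinct recon binaries per (host, user).

    Several different ones from the same account on the same box is the hands-on-keyboard
    pattern worth paging on; a single whoami is more often a curious user or a script.
    """
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for alert in alerts:
        seen[(alert["host"], alert["user"])].add(alert["binary"])
    return {key: len(binaries) for key, binaries in seen.items()}


if __name__ == "__main__":
    hits = flag_recon(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a['time']} {a['host']} {a['user']} ran {a['binary']} (parent {a['parent']})")
    for (host, user), count in recon_burst(hits).items():
        print(f"{host}/{user}: {count} distinct recon binaries")
```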
@jeffmcjunkin
Jeff McJunkin
8 years
Seen in class during #SEC560 today -- something I've never seen before in meterpreter
Tweet media one
2
38
58
@jeffmcjunkin
Jeff McJunkin
2 years
Read the below. Then read the whole thread. Keep it in mind when talking about patching. This is "basic" enterprise software, which should be simple to patch... right?
3
20
74
@jeffmcjunkin
Jeff McJunkin
3 years
Protected Users is the next OP tool. It gets a lot of security wins for all members of that built-in group. Start with DA's, one at a time. You'll likely have no issues. Work your way up to all users with any admin rights anywhere. 4/14
1
7
72
@jeffmcjunkin
Jeff McJunkin
7 years
"Parsing for Pentesters" by @bluscreenofjeff - Great stuff! Def. take a look at .gnmap section - super useful!
2
32
69
@jeffmcjunkin
Jeff McJunkin
5 years
Two GPO's that'll change your life: 1) Make an AppLocker rule blocking regular users running EXE's from C:\Users, allowing everything else at first 2) Restricting inbound 445/tcp to known admin subnets (2/2)
3
20
70
@jeffmcjunkin
Jeff McJunkin
3 years
This is a fantastic write-up by Steve on Managed Service Accounts (and their Group equivalents). TIL gMSA's are closer to TOTP (Google and Microsoft Authenticator tokens) than periodically changed random passwords, for very good reasons. Cool!
@SteveSyfuhs
Steve Syfuhs
3 years
Have you ever heard of these things called Managed Service Accounts? They allow you to run programs as an account that doesn't require a password while still having the security of a strong password. They're pretty neat.
Tweet media one
45
426
2K
2
18
64
@jeffmcjunkin
Jeff McJunkin
7 years
I'm so excited to share my home lab talk! A little birdie told me we're up to 414 registrations. I'd love to max out the system at 1,000!
@SANSOffensive
SANS Offensive Operations
7 years
SANS | Webcast Building a Super Duper Home Lab by @jeffmcjunkin Thurs 8/24 - 3:30pm EST Free - Register Now:
Tweet media one
0
18
29
9
17
63
@jeffmcjunkin
Jeff McJunkin
2 years
Shameless plug: my Kerberos primer, which explains the login flow, Golden Tickets, Silver Tickets, and Kerberoasting (18:50 through 29:00) - slides are online at @SteveSyfuhs has more at as well! 3/3
1
17
69
@jeffmcjunkin
Jeff McJunkin
3 years
@hacks4pancakes New server room? Reading nook? Panic room? ...secret "I can't human any more, so I'm going to hide out inside my own house" room? Look, I have an obsession with secret rooms. @edskoudis infected me, and I'm happy for it!
3
1
70
@jeffmcjunkin
Jeff McJunkin
5 years
Look everyone, my order is telnet's port number! #TelnetForget
Tweet media one
21
1
63
@jeffmcjunkin
Jeff McJunkin
5 years
Microsoft doesn't release unscheduled patches without reason. You *need* an emergency change control process in place to deploy this starting in <24 hours.
@briankrebs
briankrebs
5 years
Microsoft has just released an emergency (unscheduled) patch to fix a zero-day security hole in Internet Explorer
34
766
799
1
41
61
@jeffmcjunkin
Jeff McJunkin
4 years
Key quote: If you think you belong in infosec... you do! Welcome! We have too much gatekeeping, and not enough happy collaboration and mutual learning. Stay humble, but you _always_ have your unique background to bring to the table.
3
23
59
@jeffmcjunkin
Jeff McJunkin
3 years
Defender's Goal #1 : Lowering the time to detect and respond to an attacker Defender's Goal #2 : Making it take longer for an attacker to accomplish their goal 10/14
1
9
59
@jeffmcjunkin
Jeff McJunkin
3 years
Focus your detective control efforts on the TTP's most commonly used by _your_ adversaries. They need to operate to win. As @brysonbort says, attackers are made of atoms, too, and use the same physics that we do. From : 12/14
Tweet media one
2
11
59
@jeffmcjunkin
Jeff McJunkin
3 years
Credential Guard is _not_ a defense against passing the hash, but it's a powerful defense against attackers gaining password material (Mimikatz-style attacks) from compromised machines directly. 5/14
2
8
59
@jeffmcjunkin
Jeff McJunkin
6 years
I hear PDF is short for an ancient Latin phrase meaning "pretty much an EXE"
3
14
54
@jeffmcjunkin
Jeff McJunkin
3 years
My goodness, I finally saw it. I created a new file with the same name as a deleted file in the same directory, and it inherited the Creation timestamp of the prior file. One of the weirdest effects of Windows history, somewhat detailed here ()
2
14
59
@jeffmcjunkin
Jeff McJunkin
6 years
Periodic reminder: Gaining DA and taking a screenshot is the Active Directory equivalent of <script>alert("XSS!");</script> It implies the _potential_ impact to those in the know, but does _nothing_ to demonstrate impact to less technical folk
5
14
57
@jeffmcjunkin
Jeff McJunkin
6 years
Example output of that fortune | cowsay | lolcat command :)
Tweet media one
2
15
51
@jeffmcjunkin
Jeff McJunkin
4 years
Ugh, my ex just won't give up #awkward
Tweet media one
8
4
57
@jeffmcjunkin
Jeff McJunkin
2 years
Start 2022 off right: read Andy's thread, the article, and spend a few hours locking down these painfully-common AD mistakes.
@_wald0
Andy Robbins
2 years
I’m a firm believer in the (cliche) adage, “Outcomes, not output.” It’s not about the number of lines of code you wrote in 2021, but the impact those lines of code had - the outcomes they created. Here’s 5 small things you can do in 2022 to create big AD security outcomes:
3
114
347
0
8
58
@jeffmcjunkin
Jeff McJunkin
5 years
I just finished delivering "Finding a Domain's Worth of Malware" at #WWHF . Such a great conference! WWHF is going on my "must attend at all cost" list of conferences! Slides are online at
Tweet media one
6
20
54
@jeffmcjunkin
Jeff McJunkin
3 years
Great thread on AD security and certificate usage and abuse.
@_nwodtuhs
Charlie Bromberg « Shutdown »
3 years
[thread 🧵] Kerberos basics & (ab)use of Certificates within Active Directory (i.e. AD CS and PKINIT) - Kerberos 101 - Pass-the-Certificate - UnPAC-the-Hash - Shadow Credentials - AD CS escalation (ESC1 to ESC8) (Links and credits at the end)
Tweet media one
21
707
2K
0
12
57
@jeffmcjunkin
Jeff McJunkin
8 years
TIL about PROMPT_COMMAND in bash. Run commands before the prompt. cc @NationalCCDC Red Team, @timmedin
Tweet media one
3
38
56
@jeffmcjunkin
Jeff McJunkin
2 years
Excerpted from and relevant in light of today's latest breach info. To prevent successful breaches, defenders need to detect and respond to attackers who gain initial access before they accomplish their goal. 1/5
2
17
56