Getting an Interactive Service Account Shell
Sometimes you want to manually interact with a shell running a service account. Getting a working interactive shell for SYSTEM is pretty easy. As an administrator, pick a process with an appropriate...
Sharing a Logon Session a Little Too Much
The Logon Session on Windows is tied to a single authenticated user with a single Token. However, for service accounts that's not really true. Once you factor in Service Hardening there could be...
Old .NET Vulnerability #5: Security Transparent Compiled Expressions...
It's been a long time since I wrote a blog post about my old .NET vulnerabilities. I was playing around with some .NET code and found an issue when serializing delegates inside a CAS sandbox, I got a...
Writing Windows File System Drivers is Hard.
A tweet by @jonasLyk reminded me of a bug I found in NTFS a few months back, which I've verified still exists in Windows 10 2004. As far as I can tell it's not directly usable to circumvent security...
Silent Exploit Mitigations for the 1%
With the accelerated release schedule of Windows 10 it's common for new features to be regularly introduced. This is especially true of features to mitigate some poorly designed APIs or easily misused...
OBJ_DONT_REPARSE is (mostly) Useless.
Continuing a theme from the last blog post, I think it's great that the two additional OBJECT_ATTRIBUTE flags were documented as a way of mitigating symbolic link attacks. While...
Generating NDR Type Serializers for C#
As part of updating NtApiDotNet to v1.1.28 I added support for Kerberos authentication tokens. To support this I needed to write the parsing code for Tickets. The majority of the Kerberos protocol uses...
Taking a joke a little too far.
Extract from “Rainbow Dash and the Open Plan Office”. This is an extract from my upcoming 29 chapter My Little Pony fanfic. Clearly I do not own the rights to the characters etc. Dash was tapping away on...
Using LsaManageSidNameMapping to add a name to a SID.
I was digging into exactly how service SIDs are mapped back to a name when I came across the API LsaLookupManageSidNameMapping. Unsurprisingly this API is not officially documented either on MSDN or in...
Creating your own Virtual Service Accounts
Following on from the previous blog post, if you can't map arbitrary SIDs to names to make displaying capabilities nicer what is the purpose of LsaManageSidNameMapping? The primary purpose is to...
Standard Activating Yourself to Greatness
This week @decoder_it and @splinter_code disclosed a new way of abusing DCOM/RPC NTLM relay attacks to access remote servers. This relied on the fact that if you're logged in as a user on session 0...
Dumping Stored Credentials with SeTrustedCredmanAccessPrivilege
I've been going through the various token privileges on Windows trying to find where they're used. One which looked interesting is SeTrustedCredmanAccessPrivilege which is documented as "Access...
The Much Misunderstood SeRelabelPrivilege
Based on my previous blog post I recently had a conversation with a friend and well-known Windows security researcher about token privileges. Specifically, I was musing on how...
A Little More on the Task Scheduler's Service Account Usage
Recently I was playing around with a service which was running under a full virtual service account rather than LOCAL SERVICE or NETWORK SERVICE, but it had SeImpersonatePrivilege removed. Looking for...
How to secure a Windows RPC Server, and how not to.
The PetitPotam technique is still fresh in people's minds. While it's not directly an exploit it's a useful step to get unauthenticated NTLM from a privileged account to forward to something like the...
How the Windows Firewall RPC Filter Works
I did promise that I'd put out a blog post on how the Windows RPC filter works. Now that I released my more general blog post on the Windows firewall I thought I'd come back to a shorter post about the...
LowBox Token Permissive Learning Mode
I was recently asked about this topic and so I thought it'd make sense to put it into a public blog post so that everyone can benefit. Windows 11 (and Windows Server 2022) has a new feature for tokens...
Bypassing UAC in the most Complex Way Possible!
While it's not something I spend much time on, finding a new way to bypass UAC is always amusing. When reading through some of the features of the Rubeus tool I realised that there was a possible way...
Exploiting RBCD Using a Normal User Account*
* Caveats apply. Resource Based Constrained Delegate (RBCD) privilege escalation, described by Elad Shamir in the "Wagging the Dog" blog post is a devious way of exploiting Kerberos to elevate...
Finding Running RPC Server Information with NtObjectManager
When doing security research I regularly use my NtObjectManager PowerShell module to discover and call RPC servers on Windows. Typically I'll use the Get-RpcServer command, passing the name of a DLL or...
Access Checking Active Directory
Like many Windows related technologies Active Directory uses a security descriptor and the access check process to determine what access a user has to parts of the directory. Each object in the...
Sudo On Windows a Quick Rundown
Background: The Windows Insider Preview build 26052 just shipped with a sudo command, I thought I'd just take a quick peek to see what it does and how it does it. This is only a short write up of my...
Issues Resolving Symbols on Windows 11 on ARM64
This is a short blog post about an issue I encountered during some development work on my OleViewDotNet tool and how I resolved it. It might help others if they come across a similar problem, although...
Relaying Kerberos Authentication from DCOM OXID Resolving
Recently, there's been some good research into further exploiting DCOM authentication that I initially reported to Microsoft almost 10 years ago. By inducing authentication through DCOM it can be...
Working your way Around an ACL
There's been plenty of recent discussion about Windows 11's Recall feature and how much of it is a garbage fire. Especially a discussion around how secure the database storing all those juicy details...