Luca

‼️ After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories. The response from the security community isn't going Microsoft's way. As they’re not backing Microsoft. Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word." Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case. Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.

If I were a sysadmin these would be the first few deception assets I would setup: 1. Fake unattend.xml file on all hosts 2. Fake mRemote config file in an IT access only share 3. Fake server admin account with the password in the description field 4. Fake Kerberoastable admin account 5. JS on all login pages to detect cloning Super quick and easy to set all those up and all would be super high fidelity alerts.