added main detection artifact for EfsPotato (privesc via SeImpersonate to System with rogue named pipe) (same trick used for fake Spoolss privesc) - for #sysmon users add this to your config (Pipe Events)
<PipeName condition="contains" name="Rogue Named Pipe">\pipe\</PipeName>
So yes, Zerologon (CVE-2020-1472) is quite easy to exploit. Unauthenticated user to Domain Admin. This is really scary. Run exploit, DCSync with DC account and empty NT hash: you have Domain Admin and a broken DC.
Awesome find by Tom Tervoort 🙂. Patch patch patch!
My talk "Exploiting Windows Exploit Mitigation for ROP Exploits" was accepted for @Defcon 2019! DC101 track on Thursday, your time will be exploited well there :)
Caspar David Friedrich, The wanderer above the sea of fog, 1818
New blog! Abusing Exchange: One API call away from Domain Admin. From any user with a mailbox to Domain Admin. Probably affects the majority of orgs using AD and Exchange. https://t.co/rcW1RHJDuf
On the upcoming @DerbyCon I'll be talking about Invisi-Shell and Babel-Shellfish, two new tools we developed at @JavelinNetworks. Join me on Friday (first day) at 7:00 PM Track 3
https://t.co/yfZ7tzDcNO
Maybe one day I'll see more usage by security teams of #mimikatz or #kekeo for other functions than cleartext passwords, certificates export (or cheating at minesweeper).
Especially on Kerberos and/or SmartCards.
And our brand new side of the "Find Evil" poster is the "Hunt Evil: Lateral Movement" which steps you through the main artifacts on windows hosts (SRC -> TARGET) for Remote Access/Execution (2/2) #DFIR
If you do #DFIR and collect network connections - We found a way to extract a connection's timestamp in usermode. Check out our blog.
https://t.co/MAyNUj8EbB
@ferrix Sure, PM me!
There was a missing piece of my puzzle when I looked into how your NTLM hash is changing when using 2FA accounts, I'd love to know what's behind it.