James Forshaw

@tiraniddo

Followers
48,909
Following
364
Media
237
Statuses
6,618

Security researcher in Google Project Zero. Author of Attacking Network Protocols. Tweets are my own etc. Mastodon: @tiraniddo@infosec.exchange

United Kingdom
Joined July 2009
Pinned Tweet
@tiraniddo
James Forshaw
4 months
This new book has finally arrived. Thanks to @nostarch as well as @billpollock for making it happen as well as @Lee_Holmes as my tech reviewer.
Tweet media one
55
183
1K
@tiraniddo
James Forshaw
7 years
My book's finally here, just in time for Xmas. Thanks to @billpollock and @nostarch for all their time and effort as well as my friend @k8em0 for doing the foreword. Hope anyone who's bought it is seeing final copies arriving. And it's a dog on the cover BTW 🙂
Tweet media one
76
306
1K
@tiraniddo
James Forshaw
4 years
You're not getting me that easily copper.
Tweet media one
15
110
1K
@tiraniddo
James Forshaw
11 months
My next book is finally in early-access at @nostarch , with the goal for release at the end of 2023. More details are available at
Tweet media one
21
213
943
@tiraniddo
James Forshaw
3 years
"Can you still relay authentication in a Windows domain if NTLM is disabled?", I asked myself. "Perhaps I should research that" I said. Here's a blog post about what I found out.
12
430
942
@tiraniddo
James Forshaw
3 years
Tweet media one
7
174
885
@tiraniddo
James Forshaw
4 years
Opened a fun bug (or is it backdoor?) in a "hidden" COM server which adds a certain Mr DeYoung as an Administrator to your computer with no password.
Tweet media one
14
330
741
@tiraniddo
James Forshaw
2 years
Finally I can release details about my most serious RCG bug. RCE/EoP in LSASS via CredSSP. Reachable through RDP or WinRM if configured correctly. Will try and put together a blog about it at some point😁
5
222
566
@tiraniddo
James Forshaw
5 years
Published part 1 of a short series on AppLocker internals, no bypasses, just how the technology actually works on Windows 10 1909 and maybe some silly tricks along the way.
4
267
558
@tiraniddo
James Forshaw
7 years
This only took me 4 years to write :-) Abusing default Windows Kernel Debugging settings to bypass the login screen.
8
331
549
@tiraniddo
James Forshaw
2 years
Written a quick blog post about abusing Kerberos to locally bypass UAC. Unclear if this technique has been documented before, but at the very least I describe why it works :)
6
211
529
@tiraniddo
James Forshaw
5 years
Written a new blog in my Windows Exploitation Tricks series, how to spoof the named pipe client PID.
3
254
511
@tiraniddo
James Forshaw
1 month
Just because you get access denied accessing a folder, it doesn't mean you can't get access. A quick look at bypassing the security on the WindowsApps folder.
5
181
515
@tiraniddo
James Forshaw
5 months
I try and avoid this hellsite, but I did a quick dive into sudo in Windows and here are my initial findings. The main takeaway is, writing Rust won't save you from logical bugs :)
18
214
498
@tiraniddo
James Forshaw
2 years
I said I'd write up how you could exploit RBCD using a normal user account if you know the password. So here it is
6
238
499
@tiraniddo
James Forshaw
2 years
Just back from @offensive_con , so here's the slides I promised everyone who asked 😁
6
163
484
@tiraniddo
James Forshaw
7 years
Published a new blog post about becoming TrustedInstaller on Windows with the minimum of effort.
5
324
479
@tiraniddo
James Forshaw
4 years
Quick, everyone disable SMBv3, and re-enable SMBv1, it's the only way to be safe!
22
67
482
@tiraniddo
James Forshaw
4 years
Having discovered various issues with Windows mini-filter drivers lately I found public information about how to analyze such drivers for security issues somewhat lacking. Therefore today I've put out a blog post to try and fix that glitch :-)
5
232
478
@tiraniddo
James Forshaw
2 years
Finally got around to writing a blog about the Kerberos RC4-MD4 downgrade attack, how it works, and how you can exploit it.
8
209
471
@tiraniddo
James Forshaw
4 years
New P0 blog post up. How a one line change in the Windows kernel broke the Windows Chromium sandbox (and thus Edge and Firefox at the same time).
9
236
469
@tiraniddo
James Forshaw
5 years
Updated my tool to exploit .NET remoting services to use a new (unpatched) technique to bypass Low Type Filter to get full serialization exploitation. Abuses the lease feature present on all MBR objects. Don't use .NET remoting in production code!
5
225
417
@tiraniddo
James Forshaw
3 years
As I didn't see anyone publishing something similar I thought I'd do a quick write up of why #PetitPotam works unauthenticated and in turn how Windows RPC servers are supposed to be secured, or not in Microsoft's case. h/t to @topotam77
2
185
403
@tiraniddo
James Forshaw
6 years
I decided to write a companion piece to @sandboxescaper 's recent blog on reverse engineering Windows RPC servers. Specifically finding an existing RPC client implementation using NtObjectManager to avoid having to write any native code for your PoC.
3
194
367
@tiraniddo
James Forshaw
5 years
New blog post outlining how to use my .NET RPC Client tooling from PowerShell and C# to test and exploit local RPC security vulnerabilities. Also an early xmas present for those who enjoy long standing design flaws in UAC :-)
1
208
364
@tiraniddo
James Forshaw
2 years
Just opened 8 bugs I found in Windows Credential Guard. Ranged from arbitrary code exec in VSM to Kerberos key disclosure attacks. Probably my favorite was abusing the NTLMv1 API to leak an AES128 key which is what I was cracking in the quoted tweet😁
@tiraniddo
James Forshaw
2 years
I must say, is pretty impressive. 45 seconds for a NTLMv1 hash :) Of course if anyone can tell me what the password was I'd appreciate it, seems I've forgotten😂
Tweet media one
7
38
256
6
109
369
@tiraniddo
James Forshaw
4 years
I wasn't going to release this, but considering it's a combination of public techniques to get TrustedInstaller and use that to disable PPL Services here you go. Now we wait to see how long until it's detected as malware 😄 #BoycottWindowsDefender
5
164
358
@tiraniddo
James Forshaw
4 years
New blog post on an interesting feature added recently to Windows 10, DLL Import Redirection.
2
174
355
@tiraniddo
James Forshaw
1 month
So it turns out that Recall is indeed using the conditional access trick I blogged about to "secure" the database files. You can therefore bypass it by getting the token for AIXHost.exe, impersonating and then go wild. Or as you own the files just rewrite the DACL using icacls 😂
9
108
354
@tiraniddo
James Forshaw
7 years
So the final part 3 of my UAC journey has been posted. How to exploit the UAC issue on Windows 10.
4
228
346
@tiraniddo
James Forshaw
3 years
Opened up my Exchange bug, it's not in Exchange directly but an issue with the AD schema added during installation which allows any computer account (which is any user effectively) to create any AD object type by creating a msExchStorageGroup object.
8
141
346
@tiraniddo
James Forshaw
2 years
I don't understand why people say ASN.1 is complex. Looks at RFC2631...
Tweet media one
15
58
338
@tiraniddo
James Forshaw
3 years
New blog on the background and methodology of some research I did into escaping Windows Server containers, why the bugs were eventually fixed, and why you still shouldn't use them :-)
4
180
330
@tiraniddo
James Forshaw
6 years
I don't post that much personal stuff. But happy to have finally dragged my ass around 26.2 miles.
Tweet media one
33
0
325
@tiraniddo
James Forshaw
7 years
Release of slides, demo videos and some source code from my #ZeroNights presentation on bypassing UAC with access tokens
1
225
321
@tiraniddo
James Forshaw
5 years
While I like sharing my work I think I'll never release a tool like DotNet2JScript again. Or at least I won't leave my name in the version info which the "baddies" are too lazy to change. I've already had various "Next-Gen Security Companies" try to attribute attacks to me.
10
64
306
@tiraniddo
James Forshaw
3 years
I didn't think this was true as I've looked at it before and setting the short name requires SeRestorePrivilege. However checking this now it's a clear and dangerous regression. As shown Win 8.1 fails as a normal user, latest Win10/11 works. Slow hand clap @Microsoft .
Tweet media one
Tweet media two
@jonasLyk
Jonas L
3 years
@martinsohndk calling the api directly is doable as unpriv though
Tweet media one
0
6
42
4
111
300
@tiraniddo
James Forshaw
3 years
Just released a new blog post in my exploitation tricks series about research I did to implement a virtual memory access trap on Windows to make exploitation of certain classes of vulnerabilities deterministic
1
137
301
@tiraniddo
James Forshaw
5 years
Another blog post off my list, this time an overview of the brave new world of NTFS Case Sensitivity and some security implications thereof.
4
129
293
@tiraniddo
James Forshaw
11 months
After 8.5 years Microsoft fixed the bug class where services impersonating a user can have their system drive hijacked through symlinks. Maybe it helped that I said this bug class would never get 90 days again 😆 RE:
8
89
295
@tiraniddo
James Forshaw
5 years
To bring in the new year here's a new blog post about empirically testing Windows Service Hardening to see if it is really not a security boundary even on Windows 10. h/t @cesarcer
5
141
275
@tiraniddo
James Forshaw
6 years
Kicking off the Xmas food coma to post a new blog post. A present for the red-teamers amongst you, and something for the blue-teams to try and spot, abusing NTFS mount points over SMB.
0
172
271
@tiraniddo
James Forshaw
3 years
As I couldn't find anyone else who'd documented it, thought I'd look at SeTrustedCredmanAccessPrivilege.
2
131
268
@tiraniddo
James Forshaw
4 years
I must be avoiding doing something, here's another blog post about getting an interactive shell for low privileged service accounts.
1
113
266
@tiraniddo
James Forshaw
5 years
Here's the final, 4th part in my AppLocker series (for now at least) on DLL blocking. I can see why Microsoft don't consider AL a security boundary ;-)
4
115
255
@tiraniddo
James Forshaw
2 years
I must say, is pretty impressive. 45 seconds for a NTLMv1 hash :) Of course if anyone can tell me what the password was I'd appreciate it, seems I've forgotten😂
Tweet media one
7
38
256
@tiraniddo
James Forshaw
7 years
Sandbox Tools v1.0.9 now on Github/NuGet. Last release with Check* tools, use the PowerShell cmdlets instead :-)
0
158
250
@tiraniddo
James Forshaw
6 years
New blog post about messing with AMSI in WSH to get my DotNetToJScript to not be detected without needing to be admin/modify registry.
11
148
255
@tiraniddo
James Forshaw
7 years
Part 2 of my Win10S DG series. Getting arbitrary code execution on Win10S without Office.
3
186
248
@tiraniddo
James Forshaw
7 years
Part 1 of 3 of a blog post series on the high security of UAC. Try not to spoil the ending ;-)
5
160
244
@tiraniddo
James Forshaw
3 years
A new short blog post about the misunderstood SeRelabelPrivilege.
4
94
249
@tiraniddo
James Forshaw
4 years
Silly windows trick of the day. Find service PID without using the SCM by querying which PIDs have locked the service DLL file.
Tweet media one
3
78
248
@tiraniddo
James Forshaw
8 years
Released a big update to my sandbox tools . Removed un-managed code, generic NT API library, #powershell module etc.
Tweet media one
0
158
240
@tiraniddo
James Forshaw
6 years
New blog post on how Microsoft Edge circumvents network isolation features in place since Windows 8 to access localhost from an AppContainer. Is it a reasonable feature, or a backdoor? You decide! Paging @ericlaw for comment :-)
5
160
244
@tiraniddo
James Forshaw
5 years
On to part 2 in my series on AppLocker internals. This time I go into how AppLocker blocks process creation (or does it?), and some of the ways that you can opt-out of AppLocker if you're special enough.
3
122
234
@tiraniddo
James Forshaw
5 years
A new blog post, bypassing an anti-debug check on Windows without hooking, digging into some internals and musing on where everything has gone wrong :-)
1
100
230
@tiraniddo
James Forshaw
4 years
Released a short write up about the FF sandbox escape from last month. Includes details of how I was able to add a new feature to the Chromium sandbox to allow Mozilla to fix the issue without losing performance.
0
88
232
@tiraniddo
James Forshaw
4 years
I wrote a challenge for the recent Google CTF 2020 qualifiers, which used a .NET CAS sandbox that the teams had to escape. Here's a really good writeup of how one team completed the challenge. It's a good demo of how broken CAS can be :-) /cc @blowdart
3
71
232
@tiraniddo
James Forshaw
7 years
New blog post, a lament on the uselessness of the LSASS SACL added in Windows 10 for auditing credential scraping.
3
138
225
@tiraniddo
James Forshaw
3 years
It must always be galling for conspiracy theorists when governments and powerful people are outed as working towards a common, yet deeply secret goal, only to find out it's just tax fraud.
3
58
221
@tiraniddo
James Forshaw
5 years
Uploaded my 2019 slides for @nullcon .
0
94
221
@tiraniddo
James Forshaw
2 years
Today, GPZ and Google Cloud are releasing a technical report on a security research project in collaboration with AMD on their Secure Processor and the Secure Encrypted Virtualization feature. It includes some interesting bugs we found. Read the blog at
2
79
223
@tiraniddo
James Forshaw
4 years
A quick blog post for Saturday evening, the unexpected consequence of LSA overloading one Logon Session ID for all service account tokens.
4
125
222
@tiraniddo
James Forshaw
6 years
Finding a copy of my book in an actual book store in the UK. Makes it just that little bit more real 🙂
Tweet media one
13
12
220
@tiraniddo
James Forshaw
7 years
set a=hkcu\Environment /v windir / reg add %a%d "cmd /K reg delete %a%f||" schtasks/Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
5
113
211
@tiraniddo
James Forshaw
4 years
I realize now that all those questions on the US visa application about whether you've taken part in sedition or were in the Nazi party were just to assign you to the priority queue.
6
39
213
@tiraniddo
James Forshaw
3 years
Released a new blog post describing how AppContainer network restrictions are implemented using the Windows Filtering Platform and an overview of how to use NtObjectManager to analyze the current low-level firewall configuration for issues. (fixed link)
1
88
210
@tiraniddo
James Forshaw
5 years
Short blog post as a follow up to my two year old one on becoming TrustedInstaller using a poorly documented trick with the Task Scheduler.
0
105
209
@tiraniddo
James Forshaw
6 years
I've released a new blog post about adding a CommandLine property to #PowerShell 's Get-Process cmdlet. Just for fun of course. I had a little help from a 12 year old blog post from @Lee_Holmes :-)
5
108
204
@tiraniddo
James Forshaw
4 years
After ~8 months I decided to revisit this issue to see if it was fixed in vNext of Windows (2004). Unfortunately it wasn't so I decided it was time to put together a working user to SYSTEM POC. Turns out it was a valid issue.
@tiraniddo
James Forshaw
5 years
Just opened an interesting bug in the core of WinRT, a common pattern of misplaced trust between two COM servers when sharing section handles. That said, it's Won't Fix but I still think it's a valid issue
1
23
65
3
94
203
@tiraniddo
James Forshaw
7 years
If you're attending grab the latest toolset and workbook for @44con EoP workshop contains all new PowerShell demos 🙂
1
101
202
@tiraniddo
James Forshaw
7 years
A short blog post on abusing a Windows DRM feature to screw with the sysadmin/AV vendor in your life ;-)
2
129
192
@tiraniddo
James Forshaw
4 years
Finally got around to updating my Sandbox Attack Surface Analysis Tooling. As the last release was February there's quite a few obvious and non-obvious changes, so here's a list of some interesting ones /1
2
97
196
@tiraniddo
James Forshaw
5 years
With Vegas over and done with for another year, it's time to go Twitter dark for a while. But one last blog before I go for @monoxgas and hat tip to @Hexacorn
3
77
195
@tiraniddo
James Forshaw
2 years
Final LSA bug from last month is now open. An interesting one which breaks common assumptions of impersonation security over the LSA's RPC interface. Me and @monoxgas will describe a way of abusing the bug at BH next month to get SYSTEM privileges.
1
65
196
@tiraniddo
James Forshaw
6 years
I got accepted at @BSidesLV to do a workshop on Windows Internals and Local Attack Surface Analysis using Powershell. If you want to know how I find interesting LPE attack surface using my tools or just want to better understand Windows internals this is for you 😃
5
47
195
@tiraniddo
James Forshaw
5 years
Put up a blog on Windows Execution Aliases so everyone can better understand how it works. I'd have sworn I'd done the blog already but I guess not. Includes a bonus (security?) bug if you read that far :-) /cc @BruceDawson0xB
0
116
190
@tiraniddo
James Forshaw
4 years
I'm not a fan of bounties as a means to get bugs, but if you're going to have them you should be reliable and consistent. I don't know the exact circumstances here but it does feed into the narrative that vendors such as @msftsecurity and @apple are fickle when it comes to paying
@jonasLyk
Jonas L
4 years
As Microsoft have no intentions of ever paying me for all my submitted vulnerabilities I am forced to do this. Countdown starts today - then I will post them all public. Ms is just trying to get time to patch them then never pay me. I have for over 100.000$ in submissions.
14
183
1K
4K
8
48
185
@tiraniddo
James Forshaw
5 years
And I'm back... For those that didn't see it I wrote a blog post on Windows 10 Adminless mode while I was out in the social media wilderness.
0
87
190
@tiraniddo
James Forshaw
7 years
New blog on VirtualBox process hardening on Windows published. The real reason I wrote DotNetToJScript :-)
3
158
187
@tiraniddo
James Forshaw
2 years
I recommended to @_dirkjan to try my NtObjectManager PS module to do an AD access check, but of course I provided no guidance. Therefore, here's a quick blog post with an overview of the checking process and how to use the Get-AccessibleDsObject command.
1
55
189
@tiraniddo
James Forshaw
3 months
Released a new version of OleViewDotNet (v1.14) on the PS gallery. A big change is better source code formatting for proxies and typelibs in IDL format rather than the old pseudo C# one. The video below also shows an example of dynamic parsing and display of source in the UI.
1
65
187
@tiraniddo
James Forshaw
3 years
Inspired by @decoder_it and @splinter_code recent NTLM relay tricks I thought I'd check if it's possible to combine cross session and IStorage COM activation. The answer may surprise you! (not really)
3
90
178
@tiraniddo
James Forshaw
6 years
Just released v1.5 of with now comes with a #PowerShell module 😃. To go with it I also put together a blog post which should act as a quick getting started tutorial.
4
100
180
@tiraniddo
James Forshaw
3 years
A blog on virtual service accounts and the task scheduler along with a sneaky trick for use in certain circumstances. /cc @decoder_it @itm4n
2
85
178
@tiraniddo
James Forshaw
2 years
Following on from the last blog post, I've put together a simple example of forcing the Win32 SCM APIs to use Kerberos authentication to the local system so you can bypass UAC. You'll still need to do the Kerberos ticket dance yourself :-)
2
62
175
@tiraniddo
James Forshaw
7 years
New blog about undocumented (AFAIK) named pipe prefixes, how to use and create them to block pipe squatting attacks.
4
120
175
@tiraniddo
James Forshaw
7 years
I realise that many would miss the small link to the final PS script for the token capture UAC bypass so here it is
2
93
173
@tiraniddo
James Forshaw
2 years
After @clearbluejar 's post of using NtObjectManager for RPC I thought I should finish a post about a few approaches to narrow down the enumeration to individual running processes rather than having to parse all executables on disk.
3
78
171
@tiraniddo
James Forshaw
3 years
Opened up my bug in EFSRPC which was fixed last month. MS only fixed the authentication relay attack AFAIK but authenticated users might still be able to write arbitrary files to domain controllers :-)
3
59
169
@tiraniddo
James Forshaw
5 years
Here's part 3 in my AppLocker series. This time dealing with access tokens and security descriptors. You'll find a tool to dump a policy's security descriptor as well as a trick which will make a file only editable in Notepad ;-)
2
73
166
@tiraniddo
James Forshaw
4 years
Reading this I initially thought OneDrive was loading Quicktime which made no sense. Then I looked again and it was actually using QT the GUI library, which makes even less sense considering MS has, you know, one or two GUI libraries. Wonders never cease.
3
73
162
@tiraniddo
James Forshaw
7 years
Simple type confusion bug in an Intel GPU COM service which is accessible from Edge LPAC + Chrome GPU. Shows how a type confused SAFEARRAY leads to arbitrary code execution.
1
118
162
@tiraniddo
James Forshaw
5 years
You know what inspires confidence in a government website which handles personal data? This isn't it.
Tweet media one
11
35
158