James Forshaw

@tiraniddo

Followers
49K
Following
2K
Statuses
7K

Security researcher in Google Project Zero. Author of Attacking Network Protocols. Tweets are my own etc. Mastodon: @[email protected]

United Kingdom
Joined July 2009
@tiraniddo
James Forshaw
11 months
This new book has finally arrived. Thanks to @nostarch as well as @billpollock for making it happen, as well as @Lee_Holmes as my tech reviewer.
52
186
1K
@tiraniddo
James Forshaw
14 days
RT @itswillis: Two new posts from @tiraniddo today: on reviving a memory trapping primitive from his 2021 post.…
0
98
0
@tiraniddo
James Forshaw
2 months
RT @__sethJenkins: My blog post is now live alongside @amnesty's joint release, providing remarkable insight into an ITW exploitation camp…
0
41
0
@tiraniddo
James Forshaw
2 months
RT @itswillis: If you've ever wondered if one can determine a vuln from just the kernel panic logs, @__sethJenkins (feat. @tehjh & @benoits
0
11
0
@tiraniddo
James Forshaw
2 months
RT @itswillis: Finding 0day is not the most impactful thing that Project Zero does 😲 — it's sharing knowledge 🧠. One part of that sharing i…
0
35
0
@tiraniddo
James Forshaw
3 months
RT @hakril: In our search for new forensic artifacts at @ExaTrack, we sometimes deep dive into Windows Internals. This one is about COM and…
0
41
0
@tiraniddo
James Forshaw
3 months
RT @itswillis: Project Zero Blogpost recap for the month: — @j00ru doing another deep dive into the Windows Regis…
0
62
0
@tiraniddo
James Forshaw
4 months
RT @nostarch: BOO! Our Halloween flash sale is haunting for 24 hours only. Load up on books and merch, then use cod…
0
21
0
@tiraniddo
James Forshaw
4 months
Put up the slides for my @MSFTBlueHat 2024 presentation on improvements to You can also grab v1.15 of from the PS Gallery which has the new features to generate proxy clients on the fly.
3
83
264
@tiraniddo
James Forshaw
4 months
@DrAzureAD @MSFTBlueHat @ManuelBerrueta Not my greatest photo :D
0
0
9
@tiraniddo
James Forshaw
4 months
RT @spoofyroot: The new account type for services finally landed in WIP. Now when running Windows Protected Print (WPP) the service will ru…
0
18
0
@tiraniddo
James Forshaw
4 months
@spoofyroot @decoder_it @bopin2020 @splinter_code That's fair, IMO sudo should have been a PowerTool. It's unfortunate, as I think admin protection would benefit greatly from a sysop-controlled mechanism to limit what can and can't be elevated, like sudo is able to do. Perhaps it's just not the right model for the way Windows works.
0
0
0
@tiraniddo
James Forshaw
4 months
@spoofyroot @decoder_it @bopin2020 @splinter_code Ironically there was a perfect opportunity to remodel the concept of elevation in Windows, by introducing something like sudo. Unfortunately, something "like" sudo was introduced which was just a fancy wrapper around UAC :(
1
0
2
@tiraniddo
James Forshaw
4 months
@cnotin @DaniLJ94 @decoder_it @0x64616e Nick and I mentioned this in our Kerberos presentation at Black Hat 2022. In fact we also mentioned how to "fix" the Kerberos UAC bypass through ticket renewal :)
0
0
5
@tiraniddo
James Forshaw
4 months
@bopin2020 @decoder_it I think MS should fix these, but whether they decide they're not security boundaries or not remains to be seen.
0
0
1
@tiraniddo
James Forshaw
4 months
@bopin2020 @decoder_it I guess this is the basic question: what is a UAC bypass with Admin Protection? ICMLuaUtil would presumably require a prompt; is that a bypass, or just working as designed? The Kerberos and NTLM attacks are truly promptless, so it's easier to see them as real bypasses.
2
1
14
@tiraniddo
James Forshaw
4 months
2
4
41
@tiraniddo
James Forshaw
4 months
@spoofyroot Can I get the cash as a massive novelty check at Bluehat this year, for old time's sake? :D
1
0
20
@tiraniddo
James Forshaw
4 months
@BoreanJordan Well I assume the network behavior, while related to UAC, is really separate in what it's trying to protect against. The purpose of this new feature is to make it harder to bypass UAC on the desktop, but I'm not even sure how useful that is in practice.
1
0
4
@tiraniddo
James Forshaw
6 months
RT @nostarch: A big thank you to everyone who visited us at @defcon! It's also not too late to shop our #DEFCON32 website sale. Get 32% off…
0
17
0