DebugPrivilege Profile
DebugPrivilege

@DebugPrivilege

36,680
Followers
2,286
Following
332
Media
5,862
Statuses

Security “Researcher” | Former Microsoft MVP | All Tweets are my opinions and thoughts. Interested in Security, Debugging, and Troubleshooting.

Home Office
Joined February 2017
@DebugPrivilege
DebugPrivilege
2 years
All source code is open source if you can read assembly :)
219
700
12K
@DebugPrivilege
DebugPrivilege
2 years
I’ve been on multiple IR cases so far and it always shows me: people and process above security products. An organization has 2 EDRs installed on their machines, but still gets breached. Why? No one is responding to these Christmas tree alerts 🥴 - Hire people, not products.
30
113
594
@DebugPrivilege
DebugPrivilege
2 years
What has been the shortest path to Domain Admin for you? 👀
229
113
544
@DebugPrivilege
DebugPrivilege
2 years
The reason I struggle with the term “Cybersecurity expert” is because the profession we’re in is so broad. For example, I don’t hear lawyers calling themselves law experts or something.
32
64
515
@DebugPrivilege
DebugPrivilege
5 months
Great blog from CrowdStrike on leveraging Windows Defender AV’s MpLog file during DFIR. Before someone claims that they have bypassed Windows Defender, I always suggest they check the MpLog file. It contains lots of useful telemetry.
6
182
497
@DebugPrivilege
DebugPrivilege
3 years
What the actual fuck?
Tweet media one
39
33
489
@DebugPrivilege
DebugPrivilege
5 months
I've added new chapters to my GitHub repository, which include Pushlocks, Spinlocks, Callbacks, and also added a new chapter at 'Debugging 101'. All hands-on examples, including the crash dump, to show Winternals concepts through the lens of a debugger.
Tweet media one
12
147
485
@DebugPrivilege
DebugPrivilege
2 years
I wrote an article a few months ago about Kerberoasting with OpSec, and I came across the work of someone who wrote a tool in C# to enumerate accounts with SPNs while remaining OpSec-aware, based on my blog post.
0
148
476
@DebugPrivilege
DebugPrivilege
2 years
I came across a blog that covers awesome knowledge in Windows Internals and CrashDumps, for those that are interested. I highly recommend checking out the @MOV_EDX blog.
5
128
457
@DebugPrivilege
DebugPrivilege
11 months
Had a colleague that had never heard of 'Reliability Monitor' before, so I decided to tweet this just in case someone else hasn't heard of it either. It collects and displays information about various system events, errors, warnings, and application failures. Open CMD -> perfmon /rel
Tweet media one
12
89
412
@DebugPrivilege
DebugPrivilege
9 months
Created a GitHub repo to share some debugging concepts that I believe are important to know for those that are interested in debugging and want to get started. Lots of practical examples such as interpreting call stacks, deadlocks, Windows APIs, etc.
15
146
406
@DebugPrivilege
DebugPrivilege
1 year
You're on an IR engagement and you are seeing this in the security logs of an Exchange server. What *may* have happened and what would you do next?
Tweet media one
Tweet media two
Tweet media three
37
70
397
@DebugPrivilege
DebugPrivilege
2 years
Want to crash a system to generate a memory dump? Open PowerShell as an admin and run wininit.exe - No need to use additional tools.
Tweet media one
19
84
365
@DebugPrivilege
DebugPrivilege
2 years
It's amazing to see that we have things such as Time Travel Debugger (TTD) that allows you to record the execution of a process. Highly recommend Security Researchers to take a look at this...
Tweet media one
4
62
364
@DebugPrivilege
DebugPrivilege
3 years
I was a bit bored, so decided to work on a blog post this weekend. It covers how to Kerberoast accounts, while trying to stay under the radar. I'll explain different OpSec failures as well.
11
103
342
@DebugPrivilege
DebugPrivilege
2 years
When doing #DFIR and you have found that the threat actor was using AnyDesk, a good thing is to also look for files such as 'ad.trace' and 'ad_svc.trace'. All these trace files are associated with AnyDesk and provide relevant data such as connection events, which can be useful.
10
82
340
@DebugPrivilege
DebugPrivilege
2 years
I don’t want to go into specifics, but man. Windows Defender AV telemetry is so useful, but not leveraged to the fullest. Threat Hunters and SOC Analysts often believe it’s just the Microsoft-Windows-Defender/Operational, but it’s not.
11
61
338
@DebugPrivilege
DebugPrivilege
2 years
What really helped in my career was working as a System Administrator. I wish that I worked as a Software Engineer as well before making the transition to InfoSec but having the System Admin knowledge has been super useful. I still leverage the knowledge to help customers!
8
19
331
@DebugPrivilege
DebugPrivilege
2 years
Holy shit, this is the first time that I’ve encountered an organization with Sysmon in place during an IR engagement! 😯
16
12
316
@DebugPrivilege
DebugPrivilege
4 months
Did a write-up about analyzing 'SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955' through a memory dump of the w3wp.exe process. I cover different debugging techniques that can be applied to other w3wp.exe dumps as well.
Tweet media one
5
114
301
@DebugPrivilege
DebugPrivilege
3 years
Hunting Quiz: What is the attacker doing here?
Tweet media one
31
54
284
@DebugPrivilege
DebugPrivilege
1 year
Please don't just say 'Hello' in the chat.
28
61
272
@DebugPrivilege
DebugPrivilege
2 years
Attacker deploying ransomware through GPO
@gunsnrosesgirl3
Science girl
2 years
The speed of this merganser running on water
439
6K
40K
6
45
267
@DebugPrivilege
DebugPrivilege
6 months
I've worked over the weekend on a write-up on how to analyze ProxyShell in a memory dump. The write-up contains different .NET debugging techniques that are applicable to other Exchange CVEs as well, including two mem dumps of w3wp.exe - All WinDbg ofc ;-)
7
83
269
@DebugPrivilege
DebugPrivilege
2 years
AD is not going away anytime soon. It surprises me sometimes that people don’t see it like this. Dude, you are syncing On-Premises identities to the Cloud, so make sure to secure AD. Just like you do with AAD.
11
33
257
@DebugPrivilege
DebugPrivilege
3 years
I've been working for two months now at Microsoft and one of the things I can recommend to everyone is: Please try to specialize in multiple fields. Do not only focus on one little thing. See things from a wider perspective. This will make you much more valuable.
9
22
252
@DebugPrivilege
DebugPrivilege
3 years
Wow can't believe that I'm going to start at Microsoft next week. Time flies!
20
0
250
@DebugPrivilege
DebugPrivilege
3 years
If you haven't used the AzureADIR PowerShell module (yet), I highly recommend checking it out. It's not just for DFIR folks, but also for people that want to check how their Azure AD tenant is configured.
4
75
252
@DebugPrivilege
DebugPrivilege
3 years
Ok, wow! - "This first post in the series was designed to inform you that SSO is possible, to domain resources, from an Azure AD joined device WITHOUT requiring Hybrid Azure AD Join."
7
81
250
@DebugPrivilege
DebugPrivilege
4 months
I did two write-ups about ETW. The first one covers how to capture an ETW trace and includes a case study using the WinInet provider to analyze Cobalt Strike. The second one covers how EDRs are using the DotNetRuntime ETW. 1. 2.
3
87
250
@DebugPrivilege
DebugPrivilege
2 years
Give me a list of SCCM security best practices.
25
39
240
@DebugPrivilege
DebugPrivilege
3 years
At one of my previous IR engagements, I saw that the threat actors were using a service account with DA to spread their ransomware via PsExec. The action got blocked on a few systems first because of Exploit Guard. A few hours later, they got ransomwared. 1/2
6
41
238
@DebugPrivilege
DebugPrivilege
2 years
Conditional Access Policies are the new GPOs
17
19
235
@DebugPrivilege
DebugPrivilege
3 years
You can become rich by selling AD Security Assessments. I really mean this from the bottom of my heart.
18
17
235
@DebugPrivilege
DebugPrivilege
2 years
People really need to let this experience shit go. I've met 18-year-olds who can get the job done on a much higher level than someone with 10 years of experience. Just sharing my opinion that we should not treat the number of years as experience.
23
30
226
@DebugPrivilege
DebugPrivilege
2 years
For those into DFIR: I can highly recommend checking out the following directory to gather additional information: C:\ProgramData\Microsoft\Windows\WER.
2
43
229
@DebugPrivilege
DebugPrivilege
2 years
Besides reading Windows Internals books, what is your way of increasing your Windows Internals knowledge?
53
45
226
@DebugPrivilege
DebugPrivilege
3 years
Hunting Quiz: What is the attacker doing here? - Please share as much details as you can.
Tweet media one
17
38
220
@DebugPrivilege
DebugPrivilege
2 years
Loading (malicious) IIS Modules as backdoor can be detected! Make sure to enable 'Microsoft-Windows-IIS-Configuration/Operational' :)
Tweet media one
6
62
220
@DebugPrivilege
DebugPrivilege
3 years
Let's talk about Active Directory. Share me some #ADHorrorStory .
64
41
220
@DebugPrivilege
DebugPrivilege
7 months
People still use PowerShell?!
113
7
209
@DebugPrivilege
DebugPrivilege
2 years
Unsolicited advice: Don't limit yourself to only one skillset. I see so many people focusing only on one skillset. Try to expand your scope and learn multiple skillsets. Whether it's Cloud, Red/Blue Teaming, RE, Development, System/Network Admin, etc.
23
40
213
@DebugPrivilege
DebugPrivilege
2 years
I know it's nearly 2022, but even the large organizations are still getting targeted via PTH. If you haven't applied mitigation measures to defend against PTH, it's time to do it now, since you're pretty late!
4
59
209
@DebugPrivilege
DebugPrivilege
3 years
I just had my first day at MSFT! A lot of information, but the team has been super helpful to me.
20
0
210
@DebugPrivilege
DebugPrivilege
2 years
In this blog, we’ll show you how the Microsoft Detection and Response Team (DART) uses the Kusto Query Language (KQL) to quickly analyze data during incident response investigations.
4
49
206
@DebugPrivilege
DebugPrivilege
2 years
Nothing to take away for people who study hard, but those SANS courses and certifications are overrated and overpriced imo. If you want to take it, make sure that your company pays for it.
26
13
205
@DebugPrivilege
DebugPrivilege
3 years
The threat actors didn't even bother to bypass any AV at all. They just went guns blazing and did their job. What I'm trying to say is: you need to have PEOPLE that can take action on this. Tools don't matter when there are no people. Yes, they had magic boxes in place (:
10
27
203
@DebugPrivilege
DebugPrivilege
7 months
Correct, but more importantly. How would you figure this out by yourself? Well, let's start using TTD :)... Open CMD as an admin and type in: tttracer.exe whoami.exe
@0gtweet
Grzegorz Tworek
7 months
Caring about whoami? Despite common belief, it doesn't use GetUserNameEx() unless you specify /UPN or /FQDN param! Whoami calls OpenProcessToken() to get process token, then GetTokenInformation() to get SID, and finally LookupAccountSid() to get username. You have been warned ;)
Tweet media one
4
62
283
2
32
199
@DebugPrivilege
DebugPrivilege
1 year
Any recommendations for InfoSec podcasts?
61
33
199
@DebugPrivilege
DebugPrivilege
2 years
I’m looking for people to join DART and we are hiring actively. If you have any questions. Please shoot, and I’m happy to answer them.
28
50
197
@DebugPrivilege
DebugPrivilege
2 years
A few colleagues of mine are on an IR engagement and we can see Sysmon installed on servers…. Even if you don’t forward those logs to a centralized SIEM, it would still be great to have Sysmon installed. It helps a lot during IR engagements.
13
38
193
@DebugPrivilege
DebugPrivilege
1 year
What's the initial access entry that *you* often see during IR engagements?
40
47
188
@DebugPrivilege
DebugPrivilege
7 months
For those that have dealt with Exchange On-Premises compromises where the TA dropped a webshell, but there's no logging whatsoever to find out what commands were run, and the webshell was also gone from disk: what if it's in memory of the w3wp.exe process? :)
Tweet media one
Tweet media two
7
47
182
@DebugPrivilege
DebugPrivilege
2 years
During engagements, I frequently use the SysInternals tools to do initial triage for Malware samples. This video is a classic and old one, but still very useful.
4
40
180
@DebugPrivilege
DebugPrivilege
2 years
Can't believe that I'm going to do this, but planning to blog about AD again, covering what to do when ransomware is involved.
11
12
178
@DebugPrivilege
DebugPrivilege
3 years
I just googled some shit about BGP. I'm now an expert in it.
18
8
182
@DebugPrivilege
DebugPrivilege
3 years
Lol, I was doing an AD Security Assessment with a colleague and we discovered Domain Users having been granted SeLoadDriverPrivilege via the Default Domain Policy... 😦
19
9
176
@DebugPrivilege
DebugPrivilege
2 years
If you're an AD Admin and you have On-Premises Exchange servers in your environment, can you run the following command in PowerShell and see if you get any results? Get-ADOrganizationalUnit -Filter 'Name -like "Microsoft Exchange Protected Groups"'
8
41
180
@DebugPrivilege
DebugPrivilege
2 years
WinDbg is the best tool to improve your Windows Internals knowledge.
6
17
176
@DebugPrivilege
DebugPrivilege
2 years
Are there still low-level programmers these days with a primary interest in Windows? It’s incredibly hard to find those people these days…
64
13
177
@DebugPrivilege
DebugPrivilege
6 months
I'm thinking of giving live sessions via Discord on some topics like crash dump analysis, Windows Internals, etc.
30
9
175
@DebugPrivilege
DebugPrivilege
2 years
*opens IDA Pro* *sees indecipherable cryptographic magic* *closes IDA Pro*
4
19
173
@DebugPrivilege
DebugPrivilege
2 years
AD Admins: Can someone run this LDAP query and see if he/she got any results? ([adsisearcher]'(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))').FindAll()
8
17
173
@DebugPrivilege
DebugPrivilege
4 months
Quick preview of my ETW write-up that I did on the 'Microsoft-Windows-DotNETRuntime' provider. Here I'm showing how certain EDR vendors are using this telemetry to build detections when .NET assemblies are reflectively loaded from byte arrays.
Tweet media one
6
39
172
@DebugPrivilege
DebugPrivilege
3 years
Halloween was great. I was dressed up as an unpatched Domain Controller, and oh boy. That was fun!
7
4
173
@DebugPrivilege
DebugPrivilege
2 years
What I would love to see more is blog posts about how someone implemented a hardening setting that reduced the attack surface of something. I wouldn't even be upset if someone blogs how to setup LAPS properly. I just feel like these kinds of things are taken for granted.
25
17
172
@DebugPrivilege
DebugPrivilege
2 years
I have officially been at Microsoft for one year now. Time flies when you are on multiple IR engagements!
17
3
172
@DebugPrivilege
DebugPrivilege
2 years
I got multiple DMs of folks asking me if the DART track at Ignite was recorded. Yes, it was. This talk covers about the tools we use and a story timeline of an attack, etc.
7
47
171
@DebugPrivilege
DebugPrivilege
9 months
Life of an Incident Responder 😁
@brianwhelton
𝔅͛𝔯͛𝔦͛𝔞͛𝔫͛ ͛𝔚͛𝔥͛𝔢͛𝔩͛𝔱͛𝔬͛𝔫͛
9 months
Tweet media one
13
186
780
8
23
166
@DebugPrivilege
DebugPrivilege
2 years
Wow, I was not aware of this. Sharing since I’d believe this can be useful.
1
37
168
@DebugPrivilege
DebugPrivilege
2 years
let timeframe = 7d; // assumed lookback window; the query as posted left 'timeframe' undefined
DeviceEvents
| where Timestamp >= ago(timeframe)
| where ActionType == "NamedPipeEvent"
| extend ParsedFields = parse_json(AdditionalFields)
| evaluate bag_unpack(ParsedFields, columnsConflict='keep_source')
One of my favorite hunting queries ^^
4
23
163
@DebugPrivilege
DebugPrivilege
2 years
For those that decided to go with a third-party AV, instead of sticking with Windows Defender. I'm very curious why. Someone mind sharing his or her experience?
72
25
161
@DebugPrivilege
DebugPrivilege
12 days
Some Dutch thing called Stroopwafel? 😅
Tweet media one
46
4
163
@DebugPrivilege
DebugPrivilege
2 years
My favorite tools:
- Wireshark
- ProcMon
- Sysmon
- IDA
Network packets and API calls don't lie, but people may tho :)
11
16
160
@DebugPrivilege
DebugPrivilege
2 years
Folks that are using ADCS. Please update all servers that run Active Directory Certificate Services and Windows domain controllers that service certificate-based authentication. For more information:
5
64
160
@DebugPrivilege
DebugPrivilege
2 years
Great thing that I recommend folks in InfoSec doing is to learn from different roles. Whether it's IR, Red Teaming, SOC, Threat Hunting, etc. Being able to learn from different roles will help you gather different perspectives and come up with new ideas.
4
31
153
@DebugPrivilege
DebugPrivilege
2 years
👀
@elonmusk
Elon Musk
2 years
449
325
12K
30
2
155
@DebugPrivilege
DebugPrivilege
1 year
Do you use Sigma and YARA rules during IR investigations?
37
12
157
@DebugPrivilege
DebugPrivilege
2 years
I don't like to promote my own site per se, but last week I was working on some Exchange stuff. If you're interested in stuff like the Exchange Split Permissions Model, Exchange webshells, and some useful artifacts in On-Prem Exchange, check out:
4
44
156
@DebugPrivilege
DebugPrivilege
2 years
Ransomware incidents often follow a standard playbook that contains similar stuff to: AD Recon with PS - Cobalt Strike - SystemBC - Common tools such as AdFind, Mimikatz, PsExec, etc. 1/2
@Cyb3rSn0rlax
HAMZA 🇲🇦 🇵🇸
2 years
@DebugPrivilege Key differences between responding to Ransomware incident and other types of impact?
1
0
7
4
24
155
@DebugPrivilege
DebugPrivilege
1 year
Been on a few IR engagements that involve Qakbot. I've been using the 'Microsoft-Windows-VHDMP' ETW provider to hunt for Qakbot activities on a large scale of systems. %LOCALAPPDATA%\Temp containing a ZIP starting with Temp1_* or some random .ISO file is a good indicator.
5
35
157
@DebugPrivilege
DebugPrivilege
2 years
Decided to plan in blogging this weekend. Using a real world example in my upcoming blog post. Practical shit only!
Tweet media one
Tweet media two
9
14
153
@DebugPrivilege
DebugPrivilege
2 years
When I was a sysadmin, I used to create a fake 'Domain Admin' group with the same description as the real Domain Admins group and added members to it. Some of the admins wanted to feel privileged, so I helped them out a bit. Fun times lol
12
7
153
@DebugPrivilege
DebugPrivilege
2 years
My goal of 2022 is to deliver one free Windows Internals session. I just want to challenge myself to see if I can share meaningful content with people, and if I have the right skills to be an instructor.
13
7
153
@DebugPrivilege
DebugPrivilege
2 years
Useful forensic artifacts for those that are into DFIR: 'C:\ProgramData\Microsoft\Windows Defender\Support' - And then files starting with MpLog and MpDetection.
3
39
151
@DebugPrivilege
DebugPrivilege
5 months
Literally every Windows Internals question I've been dealing with so far has been answered on some Chinese/Russian website lol
11
11
148
@DebugPrivilege
DebugPrivilege
3 years
Today is exactly my first week at Microsoft. 😳
9
0
149
@DebugPrivilege
DebugPrivilege
3 years
Is it weird to say that I don’t think end users are the highest risks at an organization, but the IT Admins? 🤔
31
3
147
@DebugPrivilege
DebugPrivilege
2 years
For me it was companies who trust me with Domain Admin privileges 😆 ok jk jk
4
1
145
@DebugPrivilege
DebugPrivilege
1 year
Do companies still give their entire NTDS.DIT away to security firms to allow them to perform password cracking? I have a strong opinion on this, but curious if companies still do this. I have seen this recently…
36
14
144
@DebugPrivilege
DebugPrivilege
2 years
We're hiring folks! We are looking for a Forensic Analyst with a strong, experienced security background to join our team delivering Incident Response investigations and point-in-time cybersecurity assessments
3
61
140
@DebugPrivilege
DebugPrivilege
3 years
I’m now one month at Microsoft, but it feels like one year… 😳
19
3
141
@DebugPrivilege
DebugPrivilege
3 years
A lot of BGP experts these days. Good to know!
10
6
141
@DebugPrivilege
DebugPrivilege
5 months
Learned a new trick today in WinDbg... Want to find out all the available commands within an extension? Run this command: .extmatch /D /e kdexts *
Tweet media one
5
25
142