Marc-André Moreau

@awakecoding

4,468
Followers
1,735
Following
2,845
Media
30,675
Statuses

Remote desktop protocol expert, OSS contributor and entrepreneur. I love designing products with Rust, C# and PowerShell. Proud to be CTO at Devolutions

Lavaltrie, Quebec, Canada
Joined June 2010
@awakecoding
Marc-André Moreau
2 years
Get-RdpLogonEvent: extract the list of recent RDP logons from the event viewer and become a magician 🧙‍♀️ that can answer impossible questions like "is it really using Kerberos (nope), or did it downgrade to NTLM (again)"? 👇
20
326
1K
@awakecoding
Marc-André Moreau
2 years
If you think OAuth is hard, wait until you see Windows authentication:
18
232
1K
@awakecoding
Marc-André Moreau
1 year
I have just updated my Wireshark guide to decrypting RDP traffic with notes on FreeRDP, IronRDP, and instructions on how to export a .pcapng file with embedded TLS session keys such that it can easily be shared with other people!
2
177
610
@awakecoding
Marc-André Moreau
4 months
PSA: the list of DNS servers in Windows is not supposed to be an ordered list of DNS servers to try - if you put 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare) as a "fallback" after your internal DNS server, you'll just cause random name resolution failures for internal DNS
31
46
545
@awakecoding
Marc-André Moreau
2 years
Do you need to create a local user account on a Windows 11 test VM? Try using "no@thankyou.com" with password "nope", let it fail, and then the installer will let you create a local user account 👇
16
103
465
@awakecoding
Marc-André Moreau
2 years
Do you want a *FREE* ARM server with 4 CPUs, 24GB of RAM and 200GB storage, in the cloud? 😮 It's possible using the Oracle Cloud Free Tier! Here's how 👇
23
112
458
@awakecoding
Marc-André Moreau
3 years
@aionescu If you click on it, Notepad gets restarted as VSCode
5
6
437
@awakecoding
Marc-André Moreau
3 months
The full OCR text with the temporarily visible password is available in the %LocalAppData%\CoreAIPlatform.00\UKP\{<UUID>}\ukg.db SQLite database, nicely gift wrapped 🎁 for infostealer malware to exfiltrate:
18
128
435
@awakecoding
Marc-André Moreau
3 months
Here's Recall capturing temporarily visible passwords from Remote Desktop Manager in a test Azure VM. It's less effective than I would have thought, the search results are screenshots, and it's unclear how one can obtain the full OCR text it used for the match
14
108
428
@awakecoding
Marc-André Moreau
3 years
Achievement unlocked: #PowerShell RDP client 🚀 Yes, you read that right: launch *and control* multiple RDP connections from #PowerShell scripts! I needed a way to automate MsRdpEx () for stress testing, so here it is:
6
110
407
@awakecoding
Marc-André Moreau
10 months
TIL: Windows 11 23H2 now makes it possible to *uninstall* mstsc.exe 😱
@JenMsft
Jen Gentleman 🌺
10 months
2
4
22
7
69
393
@awakecoding
Marc-André Moreau
3 years
TIL: [HKEY_USERS\.DEFAULT\Control Panel\International\🌎🌏🌍] is a valid registry key. Yes, you read that right - emojis are used (🌎🌏🌍) as part of a Windows registry path, because why not? What's next? C:\Program Files (🤡)? 📀:\?
25
75
368
@awakecoding
Marc-André Moreau
6 months
Azure Bastion is Apache Guacamole in disguise
17
44
327
@awakecoding
Marc-André Moreau
1 year
Here's how to decrypt RDP live traffic in Wireshark! I will keep expanding on these notes, there are so many tips and tricks to know to get it right Shout-out to @BoreanJordan for his awesome script using PSDetour that I've imported and adapted
@awakecoding
Marc-André Moreau
1 year
Would you like to know how to decrypt RDP traffic live in Wireshark?
4
1
12
4
89
285
@awakecoding
Marc-André Moreau
26 days
I just added a "resize to fit window" option to mstsc using MsRdpEx, enabling the use of the RDP 8.1 dynamic resizing feature introduced over a *decade* ago with Windows 8.1. Grab a copy of MsRdpEx today to try it out for yourself! 👇
9
51
285
@awakecoding
Marc-André Moreau
8 months
Do you want to hide the Microsoft Edge first run experience and change the default tab to Google instead of random news?
Go under HKLM:\Software\Policies\Microsoft\Edge
Then set:
HideFirstRunExperience = 1
NewTabPageLocation = ""
Enjoy!
@awakecoding
Marc-André Moreau
8 months
How can I skip the Microsoft Edge first run experience for all users in a lab environment? I have to go through 4 (!) manual steps every single time I open Edge the first time in a test VM for a new user. The "HideFirstRunExperience" registry key doesn't even show up in ProcMon:
19
8
87
14
50
260
@awakecoding
Marc-André Moreau
1 month
When all you did was add "-Parallel" to a #PowerShell foreach loop and the script runs 250% faster 🔥
@NathanMcNulty
Nathan McNulty
1 month
If you are still using PowerShell 5, you are missing one of the greatest features. In PowerShell 7, we have the option to do
$something | ForEach-Object -Parallel { "do the thing" }
Read all about it here:
6
24
193
6
26
238
@awakecoding
Marc-André Moreau
2 years
If you're a 7-Zip user, I highly recommend trying NanaZip from @MouriNaruto instead: it's built on top of 7-Zip, but adds more features like Windows 11 top-level context menu integration. I've been using it for a few weeks and I love it 👇
6
36
229
@awakecoding
Marc-André Moreau
2 years
binwalk: the dream binary extraction tool I wish I knew about earlier. "binwalk -e firmimg.d7" found and extracted the embedded squashfs filesystem from an iDRAC firmware update file:
5
40
217
@awakecoding
Marc-André Moreau
1 year
Wow, when I see a GitHub issue opened on a repository that hasn't seen an update in 10 years, I expect spam, not someone telling me how much my code is garbage and accusing me of filling GitHub with garbage 🗑️ I'm sorry for sharing code that was helpful to people other than you!
55
9
217
@awakecoding
Marc-André Moreau
1 year
I'm thrilled to announce that I've been promoted to Chief Technology Officer (CTO) at @DevolutionsInc ! 🍾🥳 After almost 9 years of hard work, I can't wait to help take the company to the next level! 💪🚀
40
3
214
@awakecoding
Marc-André Moreau
4 months
@getwired "Do security" by pushing users to install random tools to remove built-in Windows 11 ads that shouldn't be there in the first place
1
19
210
@awakecoding
Marc-André Moreau
2 years
@bitfield Code is static, a debugger gives you a dynamic view of the execution with real values in memory, which you can't accurately predict otherwise. Good luck finding what's happening with your code at runtime without running it
4
1
203
@awakecoding
Marc-André Moreau
4 months
Wireshark now has an easy way to embed TLS pre-master secrets (SSLKEYLOGFILE) into a capture file from the GUI: Edit -> Inject TLS Secrets This will make it MUCH easier to save decrypted TLS sessions in a .pcapng file to share with others!
3
46
200
@awakecoding
Marc-André Moreau
2 years
1
11
186
@awakecoding
Marc-André Moreau
1 year
Did you know Remote Desktop Manager 2023.1 added several RDP client security hardening options? ✅ Enforce Network Level Authentication (NLA) ✅ Enforce Kerberos authentication (no NTLM!) These are all options in FreeRDP, as the first-party RDP client does not support them 👇
2
27
185
@awakecoding
Marc-André Moreau
6 months
🚀 Exciting world first! 🌐 True Kerberos support in an RDP web client! 🛡️ Devolutions: 1 Microsoft: 0 Here's a demo showing IronRDP with Devolutions Gateway connecting using an account member of the Protected Users group in Active Directory 👇
12
39
181
@awakecoding
Marc-André Moreau
4 months
If you want to diagnose weird, random internal DNS resolution failures, I suggest you try the Nirsoft DNS Query Sniffer tool, it's a real lifesaver 🛟, much easier to use than Wireshark:
3
15
179
@awakecoding
Marc-André Moreau
1 year
And here's my response to such garbage, I think I've been polite enough and will not engage further 👇
15
0
169
@awakecoding
Marc-André Moreau
4 months
@mikeroySoft With everything going on at Broadcom/VMware, I had to read that 5 times just to be sure I understood it correctly. It's good news, but where's the catch? 🧐
5
4
168
@awakecoding
Marc-André Moreau
4 months
@Spshulem @arcsincall Hum... if you're putting "new display type similar to eInk but with a high refresh rate, something that's always been a limiting factor of eInk" in the same bucket as an AI pin, you're officially living in a parallel universe
2
0
164
@awakecoding
Marc-André Moreau
3 years
To finish an evening of reverse engineering: Here's raw YUV dumped from the RDP server H.264 encoder through undocumented registry keys, which is then played using VLC. It's definitely not production-grade session recording, but it's still something!
4
45
161
@awakecoding
Marc-André Moreau
3 years
RDP NLA delegates the *full* system credentials (interactive logon), except when using:
* Restricted Admin Mode
* Remote Credential Guard
* Smartcard Authentication

It has always been the case, by design, so this was obviously bound to happen:
@gentilkiwi
🥝🏳️‍🌈 Benjamin Delpy
3 years
So #mimikatz wanted passwords, and Terminal Server has some for us🥝 Cleartext passwords *decrypted* on a fully, up to date Windows 2019 Server No library, no previous code injection, and doesn't use junk part of memory😉 Ping @jonasLyk , still in testing ... 🤪
25
568
1K
4
41
164
@awakecoding
Marc-André Moreau
8 months
New blog post! 📰 Decompiling Hyper-V Manager to rebuild it from source 🔨 Help me convince Microsoft to save Hyper-V Manager by open sourcing it! Until then, here's how to patch it locally from decompiled code! ☀️💻👇
6
41
159
@awakecoding
Marc-André Moreau
3 months
@MalwareJake Recall is a melting pot of everything wrong with modern Windows: Per-user app and settings MSIX app setting virtualization Intune MDM per-user policies WinRT generated proxy code Enabled by default, opt-out If you hate it, it's in there, I tell you
2
30
155
@awakecoding
Marc-André Moreau
3 months
New blog post! 📰 Mac RDP Client: Kerberos and Protected Users Guide 🍎 Are you trying to harden your Active Directory environment by eliminating NTLM usage, but RDP from Macs stands in the way? Read this! ☀️💻👇
3
48
137
@awakecoding
Marc-André Moreau
3 months
RDP smartcard emulation is coming to Remote Desktop Manager 2024.2, with support for mstsc! Import your X.509 client certificate, set a PIN, associate it with your RDP connection entry, enable emulated smartcards and then 🪄 watch the magic happen! 🥳
@awakecoding
Marc-André Moreau
5 months
Dreaming of X.509 client certificate auth in RDP without dealing with smartcard limitations? We've got you covered with *application-level* virtual smartcards that wrap X.509 certificates! Here is MsRdpEx injecting sspi-rs into mstsc.exe instead of credssp.dll and winscard.dll 👇
7
16
91
6
27
130
@awakecoding
Marc-André Moreau
2 years
I found something a bit odd inside WsmSvc.dll (WinRM library). It appears to connect to http://127.0.0.1:80 for proxy auto-detection with a special user agent. Do all Windows machines have such a special localhost HTTP listener on port 80? How does that work exactly? 🤔
4
25
127
@awakecoding
Marc-André Moreau
10 months
Wait, what? If you launch vmconnect.exe without any parameters, you get a simple connection dialog to select the Hyper-V server and target virtual machine from a drop-down list. I had no idea this was even there
9
15
130
@awakecoding
Marc-André Moreau
5 months
New laptop, new Hyper-V Active Directory lab environment, all created with a bunch of scripts
10
3
128
@awakecoding
Marc-André Moreau
4 years
Pssst.🤫 Active Directory still allows unauthenticated LDAP binds (empty password) by default. ⚠️ If you don't need it (hint: you don't) then disable it right now. ⚡️ Here's a reference blog post and #PowerShell code snippet to do it. Please share! 🥰
3
47
119
@awakecoding
Marc-André Moreau
9 months
Are you tired of manually downloading and installing the Windows SDK just so you can copy dbghelp.dll, srcsrv.dll, symsrv.dll from it and get clean stack traces in Process Monitor and Process Explorer? I made a script to download and extract those!
5
21
116
@awakecoding
Marc-André Moreau
3 months
@pavandavuluri "Secure by design and secure by default" the preview version of Recall was made without proper security, so how can it be secure by *design*? Security was an afterthought, you're rushing to *add* security to Recall only *after* it's been pointed out how it was seriously lacking
1
7
117
@awakecoding
Marc-André Moreau
3 years
Remote Desktop Manager supports Remote Credential Guard, but did you know that unlike the Microsoft RDP client, it also accepts explicit credentials? This means you are no longer restricted to just the *current* user to benefit from RCG and avoid exposing credentials to mimikatz!
2
38
115
@awakecoding
Marc-André Moreau
2 years
Something wrong with Azure AD registration on a device, dsregcmd /status looks good, but something's off? DSRegTool.ps1 is the right diagnostic tool for the job, it solved another issue today for me:
1
35
113
@awakecoding
Marc-André Moreau
1 year
New blog post! 📰 Active Directory LDAPS certificate selection deep dive 🚀 The ULTIMATE guide to figuring out why your certificate isn't getting picked up for LDAPS, and how to ensure it picks exactly the certificate you want! ☀️💻👇
1
43
113
@awakecoding
Marc-André Moreau
4 months
@techspence There are three possible scenarios: 1) Admin is still logged in, so you bump him and take over his session (very noticeable) 2) Admin is disconnected, but RDP session is inactive, you reactivate it and take over 3) Admin has signed out, so you create a new RDP session
4
0
109
@awakecoding
Marc-André Moreau
4 months
I have just updated my Wireshark RDP decryption instructions and included a first set of sample decrypted capture files to show different RDP authentication scenarios:
2
27
108
@awakecoding
Marc-André Moreau
2 months
Proxy servers edited through the Windows Settings app remain in the registry after being disabled *and removed* in the UI, where it still gets picked up by WinHTTP APIs
Remove-Item HKLM:\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr -Recurse -EA SilentlyContinue
5
29
108
@awakecoding
Marc-André Moreau
1 year
New blog post! 📰 PowerShell Remoting Trusted Hosts: What does it even mean? 😱 Everything you need to know to make WinRM work properly without cryptic errors, and more! ☀️💻👇
5
31
107
@awakecoding
Marc-André Moreau
2 years
@SwiftOnSecurity Fun fact: the dancing banana gif is small and has low entropy, so it compresses well and can serve as a good animated sample for codec testing. I've recorded it in my Apple Remote Desktop reversing work to get an MVS codec message sequence that could be replayed to the client:
3
10
106
@awakecoding
Marc-André Moreau
3 years
Remote Desktop Manager ❤️ Remote Credential Guard I finally figured it out! Here's a preview showing RDM successfully connecting with an RCG-enabled embedded RDP session! Stay tuned for an upcoming release 😁
5
15
104
@awakecoding
Marc-André Moreau
7 months
New blog post! 📰 Enable PowerShell WinRM Remoting in PowerShell 7 😱 Yes, you can use PowerShell 7 in the server without switching to SSH-based remoting, and here's how to do it for WinRM and Hyper-V PowerShell Direct! ☀️💻👇
4
31
95
@awakecoding
Marc-André Moreau
2 years
@ShawnWildermuth @markrussinovich It's very hard to unlearn C/C++, but it doesn't matter, young developers can pick up Rust quite fast, and that makes it vastly easier than trying to find talented C/C++ developers.
@awakecoding
Marc-André Moreau
2 years
Am I weird to like Rust as a language for which I mostly have *other* developers write the actual code? I still feel vastly more comfortable in C/C++ myself, but I would take Rust deliverables any day over C/C++ deliverables. Code safety, quality and stability is higher
4
5
34
5
4
95
@awakecoding
Marc-André Moreau
10 months
Remote Desktop Manager 2023.3 includes revamped X.509 certificate support! The new credential entry can import/export to/from PEM/PFX formats (no OpenSSL!), but it can also link to the Windows certificate store, and even automatically select an RDP smartcard with PIN injection!👇
4
5
90
@awakecoding
Marc-André Moreau
7 months
Remote Debugging 101: 1) Download winsdksetup.exe 2) Install "Debugging Tools for Windows" 3) Add dbgsrv.exe Windows Firewall exception 4) Go to "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64" 5) .\dbgsrv.exe -t tcp:port=1234 6) From WinDBG: tcp:server=HOST,port=1234
2
17
86
@awakecoding
Marc-André Moreau
24 days
I know Windows 11 is making it increasingly harder to create an *initial* local user account, but I hadn't noticed the new dark patterns that make it harder to create additional local user accounts. This is just bad for testing:
18
8
86
@awakecoding
Marc-André Moreau
2 years
sspi-rs is taking form: here's FreeRDP using a pure @rustlang Kerberos SSPI module on Linux to perform RDP NLA with Windows Server. This supports both TCP and HTTP(S) transports for Kerberos. KDC detection is still a work in progress, but it's coming! 💪
2
13
85
@awakecoding
Marc-André Moreau
2 years
@pati_gallardo Want to feel old? When my colleague in the security team mentioned it was the biggest OpenSSL vulnerability in the last ten years, I wanted to contradict him with heartbleed, only to realize that was in 2012. It is literally 10 years ago already 😭
3
19
86
@awakecoding
Marc-André Moreau
2 years
@kelseyhightower It was already a problem 10 years ago, and it's probably only worse now. I feel like most low-level developers coming out of school today learned it by themselves
5
1
82
@awakecoding
Marc-André Moreau
6 months
RDP ActiveX host window in plain Win32 with C/C++ and COM, without ATL and all that funky stuff that made everything so much harder to understand:
@awakecoding
Marc-André Moreau
6 months
I'm writing raw Win32 GUIs with ATL and ActiveX in 2024, ask me anything
10
1
37
2
6
85
@awakecoding
Marc-André Moreau
1 year
Windows smartcard authentication client certificate mapping is easy, just refer to the following diagram!
@awakecoding
Marc-André Moreau
1 year
Why is it that every time I try to set up RDP smartcard authentication I hit a new error I didn't have before
5
4
23
3
21
84
@awakecoding
Marc-André Moreau
3 years
My new blog post "Finding Secret RDP Registry Keys Using @HexRaysSA IDA Free" is finally out, showing the thought process behind simple reverse engineering tasks. If you've never decompiled programs and don't know how to get started, this is for you! 🚀
3
24
83
@awakecoding
Marc-André Moreau
3 months
Do you sometimes use RDP through an SSH tunnel? Are you aware that this specific use case is not properly covered by the current NTLM deprecation plan from Microsoft? Even with IAKerb and the TryIPSPN solution, connecting to "localhost:<local port>" will never work for Kerberos
11
11
84
@awakecoding
Marc-André Moreau
3 years
SUCCESS! 🥳 As I suspected, rdclientax.dll from the modern Microsoft Remote Desktop client (msrdc.exe) is basically the same ActiveX component as mstscax.dll from the classic Microsoft Terminal Services client (mstsc.exe). They are binary compatible, and here's proof:
2
9
81
@awakecoding
Marc-André Moreau
1 year
Simply put, the annoying mstsc certificate prompt users have ignored for years by habit has zero value since the CredSSP protocol not only doesn't care about it, but the RDP client will begin NTLM authentication with the server *before it even validates it* - by design, won't fix
@obilodeau
Olivier Bilodeau (@[email protected])
1 year
Our latest blog post is out. After years of RDP research, I decided that it was time that googling "Is RDP safe to use over untrusted networks?" had a good answer with the biggest risk clearly laid out. Spoiler: the answer is no.
5
47
128
5
20
82
@awakecoding
Marc-André Moreau
3 months
Adding the missing RDP in-process virtual channel APIs Microsoft forgot to add all those years ago - I've had to register MsRdpEx.dll as a "plugin" with a per-session CLSID to then find a registered IWTSPlugin pointer from a global table to make it happen, but it finally works!
0
12
79
@awakecoding
Marc-André Moreau
4 months
Oh, the Microsoft legendary RDP error handling. With the Protected Users Group: Invalid password = "A user account restriction is preventing you from logging on" Invalid PIN + smartcard = "Your credentials did not work" Is it really that hard to return a proper error message?
18
4
77
@awakecoding
Marc-André Moreau
3 years
I just published a reversing project of the Hyper-V VMBusPipe (a special host/guest named pipe transport over the VMBus) that I worked on back in 2014. I hope this can be useful to reversers and security researchers, so please share! @gerhart_x @aionescu
2
34
78
@awakecoding
Marc-André Moreau
1 year
New blog post! 📰 Active Directory Kerberos KDC certificate selection 🚀 Yes, it is possible to select a specific Kerberos KDC (PKINIT) certificate that isn't the same as the LDAPS certificate, and here's how! ☀️💻👇
5
24
79
@awakecoding
Marc-André Moreau
3 years
@SwiftOnSecurity I think the biggest mistake here is assuming that all Windows installations are for personal devices, or used by a single person. I don't care if the local account setup is hidden behind dark patterns, I still want clean lab/test VMs unattached to a Microsoft account
1
1
77
@awakecoding
Marc-André Moreau
1 year
Is your Windows Hello for Business deployment gone wrong with users unable to login from home after the initial setup? Have you checked that they didn't end up with a key trust deployment when a cloud Kerberos trust deployment was expected? New blog☀️💻👇
4
7
79
@awakecoding
Marc-André Moreau
4 months
My RDP authentication training at was a success, the attendees were quite interested in the material I presented. Here are the slides (in French) for "Démystifier l'authentification RDP: techniques avancées de diagnostic":
1
18
77
@awakecoding
Marc-André Moreau
2 years
@bettersafetynet @SwiftOnSecurity No copy/paste = manually typed passwords = low entropy passwords It's extremely important to support copy/pasting passwords, or injecting passwords, otherwise they make strong, generated passwords unusable
1
3
76
@awakecoding
Marc-André Moreau
3 months
@GossiTheDog To add on top of this: how does Recall in its current form fit with GDPR? Things like *customer email addresses* are hidden from user interfaces to facilitate GDPR compliance, and here Recall just captures everything visible at the screen with OCR text like it's no big deal
5
4
76
@awakecoding
Marc-André Moreau
7 months
I just fixed the same issue on a Windows 10 machine: it prevents Windows Update until you resize your recovery partition with enough free space. This isn't the kind of thing regular users can figure out on their own, so prepare yourself to fix a lot of PCs from friends and family
@jeremymoskowitz
Jeremy Moskowitz
7 months
Here we go a 'goggle-ing...among the leaves so greeeennnnnn... Both My Server 2022 machines won't take the automatic update. @WSV_GUY any ideas? Reddit agrees:
9
16
42
8
20
74
@awakecoding
Marc-André Moreau
2 months
I finally have Internet fiber optic cable installed all the way through a 400 feet trench I had to dig myself to put the PVC tubing in place. It wasn't easy digging through roots and rocks and all kinds of obstacles, but it's finally done 💪
16
3
74
@awakecoding
Marc-André Moreau
3 years
@grhmc @MalwareTechBlog That's what baffles me - how can a bug so severe be discovered multiple times but only gain attention once people use it in Minecraft? Not only the bug has to be found, but it has to be "promoted" somehow. That doesn't make any sense
3
3
73
@awakecoding
Marc-André Moreau
3 months
@GossiTheDog Is it still just a per-user setting, with no device-wide group policy? There's so much being said about Recall that I'm no longer sure if that part is true, even the docs only mention the per-user setting:
0
0
74
@awakecoding
Marc-André Moreau
3 months
@RonnyTNL @GossiTheDog The user can manually exclude applications by executable path, but only through the GUI, and it stores the settings in MSIX virtualized registry hives that can't be accessed directly, meaning there's no way for application vendors to automatically exclude their apps on install
3
8
73
@awakecoding
Marc-André Moreau
3 years
mstsc.exe /dpiunaware This undocumented command-line option turns off DPI awareness in the Microsoft RDP client, which can be useful in certain cases
2
15
68
@awakecoding
Marc-André Moreau
10 months
Windows code signing has one big problem: it's too expensive 🫰 and difficult to deal with for most open source projects, where it's often coming out of someone's personal money, not from a business that can well afford it
@MagickNET
🧙‍♂️Dirk Lemstra
11 months
For those who are following me because of @ImageMagick and are using it on @Windows make sure you read this:
9
14
78
10
9
68
@awakecoding
Marc-André Moreau
1 year
Have you ever wanted to query Azure AD (Entra ID) join information in #PowerShell without calling dsregcmd.exe /status and parsing the textual output? I've got you covered with this code snippet that calls the underlying Windows APIs directly:
6
11
68
@awakecoding
Marc-André Moreau
4 years
Behold, the best feature of Windows Server 2022: Windows Terminal support! 👀 @richturn_ms @cinnamon_msft @unixterminal
3
12
67
@awakecoding
Marc-André Moreau
1 year
@RReverser Looks like the Rust builder pattern would make this API a LOT better here!
2
0
66
@awakecoding
Marc-André Moreau
3 years
@mdjxkln @GossiTheDog I thought this was a joke, so I went to look at the menu in Notepad, only to realize it's real...
4
5
62
@awakecoding
Marc-André Moreau
10 months
My dream: every single Windows Server ISO by OS Build number available for download. Just select something like Windows Server 2022 Version 21H2 (OS Build 20348.887) or (OS Build 20348.1726) and bootstrap a temporary VM to reproduce a customer issue. It would save so much time
4
2
64
@awakecoding
Marc-André Moreau
1 year
I hooked the RDP input window (different from the output window), registered a WM_TIMER that calls PostMessage for F15 WM_KEYDOWN, WM_KEYUP, then set AllowBackgroundInput to 1 and it works even when the RDP ActiveX window is not in focus!
@awakecoding
Marc-André Moreau
1 year
Has anyone ever implemented a "mouse jiggler" for RDP connections that works with mstsc, forcing a session to be kept alive from the client, without touching server-side settings? I don't care how sketchy the solution is, I'm just curious to see if someone's done it and how
15
2
34
9
16
62
@awakecoding
Marc-André Moreau
2 years
@SwiftOnSecurity Instant NTLM downgrade when using the IP address instead of FQDN
1
0
62
@awakecoding
Marc-André Moreau
10 months
You asked for mstsc improvements The best we could do is a "native" RDP web client that only works with Azure
@awakecoding
Marc-André Moreau
10 months
@hoyty I don't know if I should laugh or cry at the irony of "Windows App" on Windows being literally unable to connect to Windows unless it's Azure Virtual Desktop, Windows 365 or Microsoft DevBox. Might as well call it "Windows-but-only-in-Azure App" 🤷
4
1
20
2
7
62
@awakecoding
Marc-André Moreau
2 years
How does Windows determine which DNS servers to use? Each network interface can have a different one, and there doesn't seem to be a globally "chosen" one in the registry? It looks a lot more complicated than resolv.conf on other platforms 🤔
11
5
60
@awakecoding
Marc-André Moreau
3 months
Does anybody understand how to access a path like \REGISTRY\A\{e3a59865-c117-3e84-7ce0-61287be4c1b8}\LocalState\.ScreenUnderstanding.Settings\CaptureExclusion as shown in ProcMon with regedit.exe? It's such an odd registry path:
10
4
60
@awakecoding
Marc-André Moreau
5 months
@sinclairinat0r The scripts are here with instructions, I've been maintaining it for years for developers at Devolutions but recently a few external users gave it a try with success. It's built using Hyper-V PowerShell Direct, entirely driven from the Hyper-V host:
1
7
60
@awakecoding
Marc-André Moreau
3 months
@GossiTheDog Disable Recall with a PowerShell one-liner:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WindowsAI\DisableAIDataAnalysis -Name Value -Value 1
I'm confused - this is a per-user setting, yet it's apparently stored under HKEY_LOCAL_MACHINE?
2
6
59