Gabriel Landau

@GabrielLandau

3,622 Followers · 673 Following · 229 Media · 1,260 Statuses

Principal WinDbg’er @ Elastic Security. Thoughts are my own. Writing: More: @GabrielLandau@infosec.exchange

Maryland, USA
Joined November 2009
Pinned Tweet
@GabrielLandau
Gabriel Landau
2 months
Thanks to everyone who attended my @reconmtl and @BlueHatIL talks! The exploit and slides are here: If you took any photos during either of the talks, please share them here. Also, please don't hesitate to stop me to say hi!
9
62
181
@GabrielLandau
Gabriel Landau
6 years
Brand new Win10 laptop. Attempt to install Chrome. Almost get owned with my very first action. Why is this still happening in 2018, @bing? Please explain.
144
1K
2K
@GabrielLandau
Gabriel Landau
3 years
Antivirus getting in your way? Put it in a sandbox, and go about your day.
12
244
572
@GabrielLandau
Gabriel Landau
1 year
Forget vulnerable drivers - Admin is all you need Article 👉 👇 Demo - enable sound 🔊
13
143
377
@GabrielLandau
Gabriel Landau
1 year
Watch me drop some still-unpatched Windows exploits at BlackHat: ✅ Bypass LSASS RunAsPPL ✅ Modify kernel memory 💥 Zero vulnerable drivers Article: Article #2: Code: Talk: 👇
5
130
367
@GabrielLandau
Gabriel Landau
8 months
Friendly reminder that these 476-day kernel and PPL exploits still work on fully-patched 23H2. Happy January pwnage! #NotASecurityBoundary
@GabrielLandau
Gabriel Landau
1 year
Watch me drop some still-unpatched Windows exploits at BlackHat: ✅ Bypass LSASS RunAsPPL ✅ Modify kernel memory 💥 Zero vulnerable drivers Article: Article #2: Code: Talk: 👇
5
130
367
3
92
307
@GabrielLandau
Gabriel Landau
2 years
The reports of PPLdump's death are greatly exaggerated. Just BYOVDLL - ntdll in this case 😉
@itm4n
Clément Labro
2 years
The July 2022 update of Windows 10/11 killed PPLdump 💀😢 Find out how in this blog post... 👉
13
266
685
3
81
260
@GabrielLandau
Gabriel Landau
1 year
Thanks to everyone who attended my Black Hat Asia talk! You can find the slides here:
3
81
181
@GabrielLandau
Gabriel Landau
3 months
Sure it's off 😉
21
5
171
@GabrielLandau
Gabriel Landau
2 months
> Elastic has pushed the defensive industry forward with their anomalous call stack detection logic that is a formidable challenge for modern red team operations. Thanks for the shout-out! We have plans to make your jobs even harder. 🙂
0
34
156
@GabrielLandau
Gabriel Landau
6 years
Yes this is real. Bing lists the scam link without https://. I can still reproduce it by visiting this link in Edge and hitting F5 a few times. I can't repro with other browsers.
10
24
150
@GabrielLandau
Gabriel Landau
5 months
I'm thrilled to announce that I'll be presenting a previously-unnamed vulnerability class at @BlueHatIL. Oh, and I'll be dropping 0day. Be sure to stop by, learn something new, pwn the kernel, and have a coffee. It should be a good time.
9
33
153
@GabrielLandau
Gabriel Landau
1 year
I was wondering why Elastic wasn't in the list. Now we know 😂
@SBousseaden
Samir
1 year
Tweet media one
2
13
86
3
23
141
@GabrielLandau
Gabriel Landau
7 months
It’s crazy how fast these attacks have become. Impressive. I’ve been using PINs for years, but I wish they didn’t have a 20 character limit.
@ghidraninja
stacksmashing
7 months
Lenovo X1 Carbon Bitlocker Key Sniffing any% Speedrun (42.9 seconds)
65
906
5K
3
30
131
@GabrielLandau
Gabriel Landau
2 months
Microsoft is fixing @tiraniddo's AnyPPL->WinTcb CipSetFileCache LPE in 24H2:
2
22
122
@GabrielLandau
Gabriel Landau
2 years
💥My #BHASIA talk was accepted! Come to Singapore and watch me slip into WinTcb-PPL then the kernel - entirely from userland! Long live PPLdump! #ToolDrop #NotASecurityBoundary @elasticseclabs @BlackHatEvents 👇
8
27
107
@GabrielLandau
Gabriel Landau
7 months
Great news! Yesterday's Patch Tuesday fixed PPLFault. Thanks so much to everyone at Microsoft who helped get this 510-day bug fixed (🙌 especially @PhilipTsukerman and @depletionmode). If you'd like to know more about the fix, see my article: (1/5)
3
35
104
@GabrielLandau
Gabriel Landau
3 months
Are you tired of being stuck in userland? Come to @reconmtl where I'll show you how to fast-talk your way into the Windows kernel. Coffee and exploits provided. Come for the pwnage. Stay for the knowledge.
5
17
100
@GabrielLandau
Gabriel Landau
4 months
@R00tkitSMM @DonnchaC @jsrailton This has to be a mistake or mixup. Appeal to them and explain that it was credited as a CVE and show the corresponding bounty description. Also link to this thread so they can see the community telling you to sell future bugs instead of responsibly disclosing. With cash off the
1
0
95
@GabrielLandau
Gabriel Landau
2 months
Great article @ateixei! I have to rebut your claim about EDR being blackboxes. We (@elastic / @elasticseclabs) publish our detections for the world to see including over 750 behavioral rules, ransomware lua logic, and over 550 malware/memory Yara rules. We also put our Yara
@nas_bench
Nasreddine Bencherchali
2 months
A good read by @ateixei that you should check out Just wanted to add a small take and perhaps expand on an idea that was highlighted in the article. Before even reading, the answer should be obvious. EDR and Sysmon share only 2 basic things in common,
5
58
214
4
18
88
@GabrielLandau
Gabriel Landau
1 year
☠ As promised, Microsoft killed @itm4n's PPLMedic with the July 3155/3208 updates. You can see the .data => .mrdata change in IDA below. Great work @PhilipTsukerman and team! I hope we can read about the improvements soon! Rest assured, you can continue to use PPLFault and
@depletionmode
David Kaplan
1 year
The LdrpKnownDllDirectoryHandle to .mrdata Defense-in-Depth mitigation should be coming in June/July Windows updates (platform dependent)
0
1
11
2
31
82
@GabrielLandau
Gabriel Landau
3 months
Elastic's Endpoint Protections team is hiring! If you're passionate about malware tradecraft and OS internals, check us out! 100% remote. The reqs are a bit flexible. Don't worry if you're not an exact match. EMEA: Canada:
2
30
82
@GabrielLandau
Gabriel Landau
2 years
PreviousMode playtime is coming to an end if this 25247 insider feature sees the light of day.
5
19
80
@GabrielLandau
Gabriel Landau
2 months
Rockstars @aall86 and @standa_t up next at @reconmtl!
2
6
62
@GabrielLandau
Gabriel Landau
3 months
We're hiring. 100% remote. Check us out below! Someone suggested adding a cool image to make the post more eye-catching. This is a near-perfect representation of what I look like on any given workday, but with IDA / WinDbg / VS on the screen instead.
@GabrielLandau
Gabriel Landau
3 months
Elastic's Endpoint Protections team is hiring! If you're passionate about malware tradecraft and OS internals, check us out! 100% remote. The reqs are a bit flexible. Don't worry if you're not an exact match. EMEA: Canada:
2
30
82
5
13
61
@GabrielLandau
Gabriel Landau
2 years
Thanks to everyone who attended our #shmoocon talk. We've published Silhouette's code here:
@GabrielLandau
Gabriel Landau
2 years
I'm pleased to announce that @magerbomb and I will be presenting a mitigation for physical memory credential dumping at @shmoocon. If you work in the Windows space, red or blue, come check us out!
0
12
50
0
24
55
@GabrielLandau
Gabriel Landau
2 years
I'm pleased to announce that @magerbomb and I will be presenting a mitigation for physical memory credential dumping at @shmoocon. If you work in the Windows space, red or blue, come check us out!
0
12
50
@GabrielLandau
Gabriel Landau
3 years
Attack demo!
1
6
48
@GabrielLandau
Gabriel Landau
6 months
Now it no longer works against Moneta😀
@KlezVirus
klez
7 months
I had a bit of spare time and managed to recreate this, but SharedOriginal winning again... It amazes me how this is so simple and yet so effective. Really a great finding.
3
25
150
0
16
46
@GabrielLandau
Gabriel Landau
3 months
Thanks for the fast turnaround! #NotASecurityBoundary
6
4
46
@GabrielLandau
Gabriel Landau
6 months
Admin to kernel #NotASecurityBoundary bug gets a CVE and promptly fixed? Is this a new era for @msftsecresponse ?
@blackorbird
blackorbird
6 months
#Lazarus exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools. CVE-2024-21338 Beyond BYOVD with an Admin-to-Kernel Zero-Day
7
178
491
2
5
44
@GabrielLandau
Gabriel Landau
1 year
👀👇 We've added call stacks to many events, with a ton of new rules which leverage them. So much more visibility. Stoppin' shells left and right!
@elasticseclabs
Elastic Security Labs
1 year
Kernel-level callstack visibility is essential for in-memory #ThreatDetection of #Malware and defense evasions, #ElasticSecurityLabs researchers @dez_, @GabrielLandau, and @SBousseaden explain the research behind this capability:
4
45
124
0
9
38
@GabrielLandau
Gabriel Landau
4 months
Who just got 100% efficacy with 0 FP in AV Comparatives? We did! 🤜🤛 to my excellent peers at @elasticseclabs!
3
4
40
@GabrielLandau
Gabriel Landau
2 months
24 hours until my @reconmtl talk. Make sure to stop by! I apologize for the 10AM time slot (not my choice). Don’t party too hard tonight. I’ll have ibuprofen, caffeine gum, and some 5 Hour Energy for those who need it.
@GabrielLandau
Gabriel Landau
3 months
Are you tired of being stuck in userland? Come to @reconmtl where I'll show you how to fast-talk your way into the Windows kernel. Coffee and exploits provided. Come for the pwnage. Stay for the knowledge.
5
17
100
2
3
34
@GabrielLandau
Gabriel Landau
2 years
@vxunderground Do you find the cat is pulling their weight? Mine is non-productive, arguably distracting.
1
0
32
@GabrielLandau
Gabriel Landau
1 year
Check out @itm4n's awesome evolution of @tiraniddo's PPL research! My upcoming #BHASIA talk is unrelated to COM. I just tested it successfully on the latest Win11 (22621.1413) and Insider (25314.1010) builds.
0
4
33
@GabrielLandau
Gabriel Landau
4 months
What a day 🤯. Still riding the high of killing it on the @BlueHatIL stage, I was privileged to have dinner and drinks with @gentilkiwi @dwizzzleMSFT @sherrod_im @JusticeRage and @JonahLevine15. Surreal.
4
2
32
@GabrielLandau
Gabriel Landau
2 years
Neat. I just bumped into @_JohnHammond at #shmoocon !
0
0
32
@GabrielLandau
Gabriel Landau
2 months
Oh man. Anyone who saw my @reconmtl talk should find this funny. Need to walk a fine line between venting and constructive criticism. 1. Accept bug report. 2. Fix bug without crediting researcher. 3. Close issue 4 months later.
0
3
31
@GabrielLandau
Gabriel Landau
2 months
@chompie1337 I’ve asked myself that question several times. Trying to be a “good guy” really sucks sometimes. AFAIK AngryOrchard and KExecDD both still work. I reported the former in 2022, but MSRC hasn’t moved on it. I will tell you that no matter MSRC’s policies, there are folks within
3
0
30
@GabrielLandau
Gabriel Landau
1 month
Make sure to check out @dez’s latest offensive research!
@elasticseclabs
Elastic Security Labs
1 month
We’re so excited for @dez_’s lightning talk at #BHUSA! Learn about the newly discovered technique on 8/7 at 12:00/3:30 and 8/8 at 1:00! We hope to see you at @elastic booth #2350! Won’t be there? Keep an eye out for the article on this technique — published next week!
0
7
40
2
4
29
@GabrielLandau
Gabriel Landau
1 year
Hrm. This just happened.
15
0
28
@GabrielLandau
Gabriel Landau
2 years
Defense just doesn't get as much love as offense. Maybe I'll angle my next prevention release as offense, and throw in a CVSS score for good measure. Yo I just dropped 0day for XYZ TTP. Stoppin' shellz left and right. Total pwnage!
5
5
29
@GabrielLandau
Gabriel Landau
2 years
The video is up! Check out our Silhouette #shmoocon talk. Beyond physical memory access, we also show mitigations for raw disk attacks like Invoke-NinjaCopy and VSS attacks like hobocopy:
@GabrielLandau
Gabriel Landau
2 years
Thanks to everyone who attended our #shmoocon talk. We've published Silhouette's code here:
0
24
55
0
14
28
@GabrielLandau
Gabriel Landau
2 years
@aionescu @yarden_shafir This is awesome. I bet it went something like this: 1) Use PH all the time 2) Get frustrated by Microsoft blocking KPH 3) Buy PH and rebrand it to get away from the "hacker" image 4) Remove the driver-enabled LPEs like the ability to terminate PPL 5) Do WHQL dance
1
2
28
@GabrielLandau
Gabriel Landau
5 months
I'm watching @yarden_shafir 's talk "Intel CET and how to stop being scared of French baking." This part rings so true 😂😭 > Oh this is definitely a malicious thing. We definitely want to detect that always. Then you ship your product, it runs on exactly 3 customer machines,
2
6
27
@GabrielLandau
Gabriel Landau
2 years
Elastic Endpoint has had coverage for this vulnerable driver since April. Yara rule (URL FIXED):
@Adam_Cyber
adam_cyber
2 years
New research from @CrowdStrike Intel on Scattered Spider Bringing their Own Vulnerable Device Driver to Windows:
3
93
243
0
5
27
@GabrielLandau
Gabriel Landau
4 months
@thegrugq No worries. It’s protected by DPAPI. Impenetrable.
0
1
26
@GabrielLandau
Gabriel Landau
6 months
Only A-tier for @elasticseclabs? I don't know about that. Props to @domchell, creator of Nighthawk C2, for voting his truth 😃 As awesome as we are today, we're continually innovating. There's lots of good stuff in the pipeline. Stay tuned!
@Flangvik
Melvin langvik
6 months
Had an absolute blast on stream today, thank you so much to everyone who showed up☺ VOD is on YouTube if you missed it👏 A lot of people came with input, so naturally I 100% blame chat for this now OFFICIAL OFFSEC EDR TIER LIST
17
45
223
3
1
27
@GabrielLandau
Gabriel Landau
5 months
While watching @aionescu's 2015 @InfiltrateCon talk, I came across this bit of gold 😂 > If you read the docs, it says "Do not attempt to modify this buffer. It contains operating system data, and corruption could be catastrophic. The information in the buffer is not useful to
1
4
23
@GabrielLandau
Gabriel Landau
7 months
@tiraniddo At BlueHat IL last year, Microsoft's Director of OS Security said that Microsoft considers vulnerabilities to be potential risk and exploits to be actual risk (timestamped link: ). In a sense then, exploit drops like PPLFault help Microsoft prioritize their
2
4
25
@GabrielLandau
Gabriel Landau
1 year
I just came across this. Great read for anyone interested in how the Windows kernel handles file mappings at a low level. This includes EXE/DLL mappings. Thanks for writing it, @artem_i_baranov.
@artem_i_baranov
Artem I. Baranov
2 years
Published on my blog "Dissecting Windows Section Objects"
2
43
121
1
9
25
@GabrielLandau
Gabriel Landau
5 months
Cool article, and thanks for the shout out! @jdu2600 actually listed that evasion in his talk last year (timestamped: ). Yep we know it's indefensible, and he even said so while discussing evasion opportunities. Most detections can be evaded, and
@shubakki
bakki
6 months
first chapter of two, stay tuned 🤠
22
77
168
1
9
24
@GabrielLandau
Gabriel Landau
1 year
I'm excited! Just one week to go!
@GabrielLandau
Gabriel Landau
2 years
💥My #BHASIA talk was accepted! Come to Singapore and watch me slip into WinTcb-PPL then the kernel - entirely from userland! Long live PPLdump! #ToolDrop #NotASecurityBoundary @elasticseclabs @BlackHatEvents 👇
8
27
107
1
3
24
@GabrielLandau
Gabriel Landau
4 months
@Ayfais1 @CoreSerena Please never, ever do this.
0
0
24
@GabrielLandau
Gabriel Landau
2 months
@endingwithali Found an inaccuracy. I’ve been fucked by C++ many times.
0
0
24
@GabrielLandau
Gabriel Landau
5 months
Two things: 1. Working with smart people is awesome. 2. I love seeing things I've built solving real problems.
@SBousseaden
Samir
5 months
New blog post is up, exploring detection options for some recent In-the-Wild Windows LPE 0-days
5
98
277
1
0
24
@GabrielLandau
Gabriel Landau
3 months
It must be flattering to have someone as talented as @i41nbeer so humbly analyze your exploit at @offensive_con.
0
4
22
@GabrielLandau
Gabriel Landau
2 months
I just got home after 8 days of excellent talks and training at @reconmtl. At last night’s after-party, it was wild to see so much infosec genius concentrated in one small bar. A++ would do again - just need to find another new bug class for next year 🤔 So drained. Need to
1
0
20
@GabrielLandau
Gabriel Landau
1 year
Off time is important. Remember to get away from screens every now and then. You will never be as good as your imposter syndrome says you should be.
1
3
20
@GabrielLandau
Gabriel Landau
2 months
Why would criminals use polished and tested commercial penetration testing tools to hurt people when they could instead develop and QA their own from scratch?
@splinter_code
Antonio Cocomazzi
2 months
Excited to share my latest research about FIN7 🔥 The discovery of a new abuse for the Windows built-in driver ProcLaunchMon.sys (TTD Monitor driver) to tamper with EDRs has been an interesting surprise. Enjoy the read 👇
9
79
217
3
3
19
@GabrielLandau
Gabriel Landau
3 months
@IanColdwater How much did you take and at what time?
2
0
20
@GabrielLandau
Gabriel Landau
8 months
Yesterday's KB5034441 patch is failing on two Win10 machines. Docs instruct me to manually expand my recovery partition with diskpart. "delete partition override" is a pretty dangerous command. Do we expect non-technical users to run this? Could we automate this instead?
6
4
18
@GabrielLandau
Gabriel Landau
5 months
Microsoft just put out a new threat report. Our existing protections catch the TTPs. Elastic Defend FTW!
@SBousseaden
Samir
5 months
Tweet media one
1
13
56
0
2
19
@GabrielLandau
Gabriel Landau
28 days
Great new research from @itm4n .
@orangecyberch
Orange Cyberdefense Switzerland
1 month
💻🛡️ In this series of blog posts, Clément Labro (itm4n), one of our ethical hackers, explores yet another avenue for bypassing LSA Protection in Userland. To discover the first article of this series: #orangecyberdefense #ethicalhacking #switzerland
2
53
127
1
4
19
@GabrielLandau
Gabriel Landau
6 years
@BingAds Thank you @BingAds. Did you discover how the ad was listed as ? Have any changes been made to prevent this type of attack from happening again in the future?
4
1
17
@GabrielLandau
Gabriel Landau
1 year
If you have access to information that well-funded threat actors would find valuable, or have write access to a software repository (or CI system) that is widely-used, please consider enabling iOS Lockdown Mode.
@e_kaspersky
Eugene Kaspersky
1 year
The spyware managed to infect several dozen iPhones of our employees. Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized. We continue to protect you, as always #IOSTriangulation
3
20
146
5
8
18
@GabrielLandau
Gabriel Landau
5 months
Is there any way for a kernel driver to quickly get KeGetCurrentThread()->TrapFrame->Rip without undocumented structures or functions? RtlCaptureContext gives you the KM context, not UM. _KTHREAD is undoc. PsGetContextThread is undoc.
3
4
18
@GabrielLandau
Gabriel Landau
6 years
This looks interesting. I'll definitely be going to this talk:
1
6
18
@GabrielLandau
Gabriel Landau
2 months
This is horrible - a possibility every time we push an update. Boot loops are nightmare fuel for EDR vendors. I hope @CrowdStrike and their customers can move past this quickly.
@George_Kurtz
George Kurtz
2 months
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We
5K
6K
22K
1
0
18
@GabrielLandau
Gabriel Landau
3 months
Beyond consistently-great technical content, the man sure knows how to write a hook.
@tiraniddo
James Forshaw
3 months
Just because you get access denied accessing a folder, it doesn't mean you can't get access. A quick look at bypassing the security on the WindowsApps folder.
6
188
533
1
2
18
@GabrielLandau
Gabriel Landau
1 year
ProcMon 3.93 supports configurable minifilter altitudes. This is great for teams that have to support minifilters! Thanks @markrussinovich!
0
3
16
@GabrielLandau
Gabriel Landau
2 months
New toy - Ioniq 5 N (the fast one) 🙂
2
0
17
@GabrielLandau
Gabriel Landau
6 months
It’s progress, but “31-step SHA-256” isn’t SHA-256; it’s a weakened variant. The SHA-256 algorithm uses 64 rounds, not 31.
@jedisct1
Frank ⚡
6 months
First practical SHA-256 collision for 31 steps. #fse2024
84
565
3K
0
8
16
@GabrielLandau
Gabriel Landau
2 months
@ateixei @elastic @elasticseclabs > good signals! We're fortunate to have brilliant and dedicated folks like @SBousseaden, @dez_, and @br0k3ns0und (++many more) continually tracking ITW tradecraft and writing/updating detections. There's a lot of work behind the scenes to minimize FP.
0
5
16
@GabrielLandau
Gabriel Landau
4 months
I’m having black and white ice cream for lunch @BlueHatIL.
2
0
16
@GabrielLandau
Gabriel Landau
3 years
@tiraniddo > For a quick primer on Kerberos ... you can always read RFC4120. 😂
0
1
15
@GabrielLandau
Gabriel Landau
1 year
Demo!
1
4
16
@GabrielLandau
Gabriel Landau
6 months
@eversinc33 Great work! Thanks for sharing with the community. Since you're interested in rootkit detection, you may want to check out our 2018 BHUSA talk, particularly the second half:
1
5
16
@GabrielLandau
Gabriel Landau
2 years
Tweet media one
0
0
16
@GabrielLandau
Gabriel Landau
1 year
@SwiftOnSecurity To prevent Microsoft Cortana for Defender from getting owned, you need to install Microsoft Defender for Microsoft Cortana for Defender.
1
0
15
@GabrielLandau
Gabriel Landau
10 months
If you publish anything that involves a list of hashes, please consider publishing tuples of (hash,size) instead. This enables lookups to skip expensive hashing work if the size does not match anything in the set. 64-bit file sizes can be encoded as 8 bytes concatenated onto
3
2
15
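The size-gated lookup the post above proposes, as an added Python example that is not the author's code: indicators are indexed by size so a cheap stat() rejects most files before any hashing happens. The indicator list and the three sample files are constructed inline; no on-disk encoding of the tuples is shown.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Optional, Set, Tuple

Indicator = Tuple[str, int]  # (sha256 hex digest, file size in bytes)


class SizeGatedHashSet:
    """Index of (hash, size) indicators: a file is hashed only if some indicator shares its size."""

    def __init__(self, indicators: Iterable[Indicator]) -> None:
        # Group digests by size so the cheap stat() result selects the candidate set.
        self._by_size: Dict[int, Set[str]] = {}
        for digest, size in indicators:
            self._by_size.setdefault(size, set()).add(digest.lower())
        self.hashes_computed = 0  # instrumentation: how often the expensive step ran

    def match_path(self, path: str) -> Optional[Indicator]:
        """Return the matching (hash, size) tuple, or None; skips hashing on a size miss."""
        size = os.stat(path).st_size
        candidates = self._by_size.get(size)
        if not candidates:
            return None  # no indicator has this size, so no hash can match
        self.hashes_computed += 1
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        digest = h.hexdigest()
        return (digest, size) if digest in candidates else None


def demo() -> dict:
    """Scan a constructed three-file corpus and report what matched and how many hashes ran."""
    # Constructed sample contents (not real malware); only "bad" is on the indicator list.
    bad = b"MZ\x90\x00" + b"constructed sample, not real malware" * 4
    same_size = (b"MZ\x90\x00" + b"constructed benign file").ljust(len(bad), b"\x00")
    other_size = b"PK\x03\x04" + b"constructed benign archive"
    indicators = [(hashlib.sha256(bad).hexdigest(), len(bad))]
    index = SizeGatedHashSet(indicators)
    files = {"bad.bin": bad, "same_size.bin": same_size, "other_size.bin": other_size}
    matches = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            matches[name] = index.match_path(path) is not None
    # Only the two files whose size appears in the set were hashed; the third was rejected by stat().
    return {"matches": matches, "hashes_computed": index.hashes_computed, "files_scanned": len(files)}


if __name__ == "__main__":
    print(demo())
```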
@GabrielLandau
Gabriel Landau
5 months
I think I just made a more-profound observation but please sanity check me here. _KTRAP_FRAME is documented in ntddk.h. Is the top of the kernel stack for a syscall guaranteed to always be a _KTRAP_FRAME, or is it an implementation detail? What about inside
@GabrielLandau
Gabriel Landau
5 months
Tweet media one
1
0
3
3
0
15
@GabrielLandau
Gabriel Landau
7 months
Let's play a game. How many Windows symbols can you reasonably claim credit for? No [Ex-] MS folk allowed. I think I have: nt!SepSetProcessTrustLabelAceForToken per and I just spotted this one in 22631.3155:
@yarden_shafir
Yarden Shafir
2 years
PPLs (aka "not a security boundary") are getting some new protections in Windows 11. One of them fixes a technique documented by @elastic last year where they "sandbox" Windows Defender by modifying its token:
5
71
164
1
4
15
@GabrielLandau
Gabriel Landau
3 months
It’s really a privilege to work with such a team.
@bohops
bohops
3 months
* @SBousseaden and the Elastic team are just top tier, and probably uncover top notch "LO(T)L" tradecraft better than anyone. Snap-ins are something I've always thought were underrated, and script host capabilities from MMC are still untapped IMO ;)
4
5
63
0
0
15
@GabrielLandau
Gabriel Landau
1 year
For more information about how Elastic Defend detects these code integrity violations, check out my article and PoC here:
@SBousseaden
Samir
1 year
solid research & implementation by @itm4n (as usual 👏) - Elastic Defend detects the abnormal DLL load (section creation step + CI violation)
3
15
51
0
5
14