Archive for category Defense

The Infosec Revival – DerbyCon 2013

DerbyCon this year was awesome as usual. I presented “The Infosec Revival: Why owning a typical network is so easy, and how to build a secure one.” The video is here on Youtube: Or you can check out the slides here: The RDP video is here: And the VM isolation video is here: I should […]

Remote Desktop and Die – How to RDP Faster Without Getting Robbed

Unless you have not patched your domain controller in the past five years, chances are, if an intruder gets domain admin or enterprise admin level access, they probably did it through credential theft. One of the biggest recurring themes of countless intrusion and pentest reports is that to accomplish lateral movement and privilege escalation to […]

Ambush Standalone

Ambush was designed in a server-client architecture to make it easy to deploy to lots of systems, but sometimes you just want to get it running on a single system, without the hassle of requiring a custom server setup or signature creation.

Fixing Pass The Hash and 14 Other Problems

A combined solution to 15 different serious problems with password-based authentication, including the Pass-The-Hash (PTH) attack. No other measures come close to solving all these problems, and for many of the problems, I am unaware of any other solution at all. Sadly, both Microsoft and other security researchers did not really consider this solution or discounted it as unrealistic. The objections either showed flaws with only implementing half a solution or assumed that legacy equipment or implementation difficulties would doom the project, due to a focus on what a large enterprise would be likely to implement with minimal effort right now. It reminds me of an immigration debate that focuses on people who are already here, paying less attention to future immigrants, only to find that 30 years later, what happened to the future immigrants is all that mattered. Here are the objections, and why they should not stop you.

Breaking and Building a Secure Network – BSides San Antonio

This past weekend I gave a talk at BSides San Antonio titled “Pigs Don’t Fly – Why owning a typical network is so easy, and how to build a secure one.” I took a top-down look at the security barriers in a typical organizational network, the many techniques attackers use to break them, and how […]

Authenticated Remote Code Execution Methods in Windows

All of the below are supported ways of remotely executing code that are built into Windows. If psexec isn’t working because a service is not running or ports are blocked, you can try all these other options; defenders who want to detect intruders moving through the network need to detect all of these; incident responders might want to look for evidence of these…

Attack Test

Well, the Mayan Apocalypse came and went, and since we’re all still here, it’s time to get back to computer security. It shouldn’t be a surprise that the most likely way you’ll get exploited is through your browser, so you should routinely check for vulnerabilities there. I was inspired by some of the free browser […]

Hoarder, HIPS bypasses, and Ambush

I gave an updated Ambush Presentation at Derbycon today… On the attack side, I demonstrated Hoarder, which is a proof of concept to bypass standard hook-based host intrusion prevention systems by avoiding making any calls to OS DLLs at all, and only making raw syscalls to the kernel. It works in two steps. First, the getdlls program opens the target executable and recursively reads it and all of its required DLLs into C language byte arrays.

Ambush – A New Capability for Advanced Defense

At BSides Las Vegas, I just released Ambush, an open-source Host Intrusion Prevention System that I have been developing for the past few months. See my talk at for the full motivation, description, and demonstration. In summary, after all of my offensive research, Ambush is my effort to arm the defense. I wrote Ambush […]
