Alex Ionescu
@ionescu.bsky.social
Windows Internals Author, Developer, Reverse Engineer, Security Researcher, Speaker, Trainer, and most recently Nation State Hacker.
Core OS Platform Developer at Apple, Hyper-V Vendor at Microsoft, Chief Architect at CrowdStrike and now Director at CSE.
Reposted by Alex Ionescu
ost2.fyi/Sponsorship....
Gold Sponsors & Windows Security Track sponsor Winsider Seminars & Solutions (@yardenshafir.bsky.social & @ionescu.bsky.social)
👇
December 6, 2024 at 12:53 PM
Now I kind of want to write an mIRC plugin
November 22, 2024 at 8:30 PM
I think it’s « Mahalo, товарищ »
November 14, 2024 at 12:00 PM
Brought back memories 🥲
November 9, 2024 at 4:04 PM
LSASS now runs as PPL by default, and that DLL doesn’t have the appropriate signature. Unless you’re relying on Bonjour for AD auth you’re probably fine. Microsoft launched LSA PPL signing for 3rd parties back in Windows 8.1 in 2013: learn.microsoft.com/en-us/window...
It’s only been 11 years ;-)
LSA and UEFI file signing - Windows drivers
Local Security Authority (LSA) plug-in and Unified Extensible Firmware Interface (UEFI) firmware signing.
learn.microsoft.com
November 9, 2024 at 11:40 AM
Normally I would use a kernel debugger to look at the wait block and see what object it’s attached to. Is there an ETW event that might log that?
May 10, 2023 at 10:31 AM
User Mode — into some sort of Ring 3 (non-kernel) service
May 9, 2023 at 8:04 PM
I’m guessing this is an EDR or similar product that’s calling into UM for a response…
May 9, 2023 at 12:29 AM