James Forshaw
tiraniddo.dev
@tiraniddo.dev
Security researcher in Google Project Zero. Author of Attacking Network Protocols. Posts are my own etc.
Reposted by James Forshaw
Good Monday morning tech nerds. One of my devs wrote *another* blog post about kerberos (I'm creating an army of crazy bloggers). This one you might consider bookmarking.
Introduction to Network Trace Analysis 06: Kerberos it’s AUTH-some! | Microsoft Community Hub
New to the series? Be sure to check out the previous posts! Introduction to Network Trace Analysis Part 0: Laying the...
techcommunity.microsoft.com
June 16, 2025 at 2:51 PM
Reposted by James Forshaw
🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live:

🪞The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:
blog.redteam-pentesting.de/2025/reflect...
A Look in the Mirror - The Reflective Kerberos Relay Attack
It is a sad truth in IT security that some vulnerabilities never quite want to die and time and time again, vulnerabilities that have long been fixed get revived and come right back at you. While rese...
blog.redteam-pentesting.de
June 11, 2025 at 8:04 AM
Reposted by James Forshaw
@tiraniddo.dev and Eugene Lim—authors of Windows Security Internals and From Day Zero to Zero Day—are at Off-By-One doing what they do best: giving keynotes and running a smart device hacking village, respectively.

offbyone.sg
Off-by-One Conference 2025
Off-by-One Conference is a cybersecurity conference where like-minded professionals gather and exchange technical insights while gaining knowledge from one another. As the offensive security landscape...
offbyone.sg
May 8, 2025 at 2:24 AM
Maybe I’ll pop down to sf for rsa tomorrow. I’ve fortunately never gone before but this is my last chance and I really need a new ai security product.
April 29, 2025 at 4:44 AM
Reposted by James Forshaw
I took a look at the changes to Microsoft Recall, which is rolling out to compatible Windows devices soon.

Photographic memory that stores all your deleted messages, keystrokes etc 😅

doublepulsar.com/microsoft-re...
Microsoft Recall on Copilot+ PC: testing the security and privacy implications
A look at the risks and tradeoffs with Microsoft Recall.
doublepulsar.com
April 21, 2025 at 9:26 PM
Reposted by James Forshaw
KrbRelayEx-RPC tool is out! 🎉
Intercepts ISystemActivator requests, extracts Kerberos AP-REQ & dynamic port bindings and relays the AP-REQ to access SMB shares or HTTP ADCS, all fully transparent to the victim ;)
github.com/decoder-it/K...
GitHub - decoder-it/KrbRelayEx-RPC
Contribute to decoder-it/KrbRelayEx-RPC development by creating an account on GitHub.
github.com
March 14, 2025 at 10:18 AM
I can now see why my email offering to give the NSA exclusive access to an ultra rare uber 1337 EoP in Windows NT 3.1 bounced 😭

Truly the dumbest timeline.
3. The memo acknowledges that the list includes many terms that are used by the NSA in contexts that have nothing to do with DEI.

For example, the term "privilege" is used by the NSA in the context of "privilege escalation," which is a counterintelligence technique
The NSA's "Big Delete"
Today, the National Security Agency (NSA) is planning a "Big Delete" of websites and internal network content that contain any of 27 banned words, including "privilege," "bias," and "inclusion." The "...
popular.info
February 10, 2025 at 3:21 PM
Reposted by James Forshaw
hey quick question does Goliath win in that story
February 2, 2025 at 6:06 PM
New blog post on the abuse of the IDispatch COM interface to get unexpected objects loaded into a process. Demoed by using this to get arbitrary code execution in a PPL process. googleprojectzero.blogspot.com/2025/01/wind...
Windows Bug Class: Accessing Trapped COM Objects with IDispatch
Posted by James Forshaw, Google Project Zero Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...
googleprojectzero.blogspot.com
January 30, 2025 at 6:37 PM
Reposted by James Forshaw
My RDP IO Lab presentation on "Decrypting and Inspecting RDP traffic in Wireshark" was just *cancelled* - apparently Microsoft decided they would only do internal presentations, with no guest speakers 😠

What's the point of even trying when you get treated like this?
Who would like to review my slides for my upcoming RDP IO Lab presentation on "Decrypting and Inspecting RDP traffic in Wireshark"? I have finished my first draft, but could use some feedback. It's supposed to be 45 minutes in total, including Q&A. Just DM me with your email and I'll send you a copy
January 28, 2025 at 9:29 PM
It's good to see some of the "authentication" vectors being patched in Admin Protection. I might look at it again once it's actually considered complete, don't want MS on my back again :D
Now, with the background context in mind, let's look at Windows 11's new Admin Protection:
techcommunity.microsoft.com/blog/microso...
techcommunity.microsoft.com
January 28, 2025 at 8:08 PM
Reposted by James Forshaw
In our latest article, @croco_byte proposes an implementation of a trick discovered by James Forshaw in his research regarding Kerberos relaying. Discover how to perform pre-authenticated Kerberos relay over HTTP with our Responder and krbrelayx pull requests!
www.synacktiv.com/publications...
Abusing multicast poisoning for pre-authenticated Kerberos relay over HTTP with Responder and krbrelayx
www.synacktiv.com
January 27, 2025 at 12:06 PM
Reposted by James Forshaw
An embarrassment of riches
January 22, 2025 at 5:36 AM
You know you travel too much when you get top tier status on the three main airline alliances at the same time. Fortunately moving back to the UK will probably mean I’ll slow it down as I doubt I’ll travel much to the USA anymore.
January 22, 2025 at 4:29 AM
Reposted by James Forshaw
It took me about a month, but I've got my win32-appcontainer-tools ready to share.

- Launch Win32 apps in AppContainer
- Set ACL permissions per-container
- ETW tracing for Permissive Learning Mode

Special thanks to Fredrik Orderud, @tiraniddo.dev and Helge Klein.
January 13, 2025 at 6:25 PM
Reposted by James Forshaw
Either Keir Starmer is the biggest mark to ever live or he's still hoping for a few 'freebies' from his corpo mates. I cannot understate how atrocious this is.
January 13, 2025 at 7:33 AM
Reposted by James Forshaw
Project Zero is hiring 🎉

Please share with anyone you think would be great for the team

www.google.com/about/career...
Senior Security Engineer, Security Research — Google Careers
www.google.com
January 7, 2025 at 10:27 PM
Reposted by James Forshaw
Just unrestricted an issue that shows a fun new attack surface. Android RCS locally transcribes incoming media, making vulnerabilities in audio codecs now fully remote. This bug in an obscure Samsung S24 codec is 0-click.

project-zero.issues.chromium.org/issues/36869...
Project Zero
project-zero.issues.chromium.org
January 10, 2025 at 12:08 AM
Reposted by James Forshaw
I've been dealing with mysterious high CPU utilization from WmiPrvSE.exe for MONTHS. I finally did some digging using github.com/luctalpe/WMI... (run wmimon from an elevated cmd prompt). Guess what the culprit was?
GitHub - luctalpe/WMIMon: Tool to monitor WMI activity on Windows
Tool to monitor WMI activity on Windows. Contribute to luctalpe/WMIMon development by creating an account on GitHub.
github.com
January 5, 2025 at 3:54 AM
Reposted by James Forshaw
I added a true 14-bit MIDI mode to my controller and it's very smooth indeed. Ableton Live maps it with no issues and while I had to make a slight compromise on speed, the high resolution accuracy over a 100mm fader feels great. Boring details to follow.

#gameaudio #gamedev #screenshotsaturday
January 4, 2025 at 4:45 PM
Anyone who says UK food is terrible clearly doesn’t know about the greatest culinary invention yet conceived.
December 15, 2024 at 12:27 AM
Reposted by James Forshaw
Ever wanted to know what data #PowerShell or other programs send to AMSI? I wrote a C# COM server implementation that logs this data as a JSON string. Had some fun learning more about COM and .NET AOT with this little project github.com/jborean93/Am...
December 13, 2024 at 6:45 AM