Want to block [MS-EFSR] / #PetitPotam calls?🤔
Use RPC filters ! 🥳

put previous Tweet in a file: `block_efsr.txt` then:

> netsh -f block_efsr.txt

Just tested: it blocks remote connections & not local EFS usage

Thank you to @CraigKirby to remind us this RPC technology filter!
this is the kind of post/statement that Microsoft could have done rather than focusing on the NTLM relay and how client should block it.

(does not change the fact that MS must fix the noauth part of MS-EFSR)
And I still really like it

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with 🥝 Benjamin Delpy

🥝 Benjamin Delpy Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @gentilkiwi

27 Jul
Little #printnightmare (ep 4.3) upgrade : user-to-system as a service🥝
> Open SYSTEM prompt

connect to \\printnightmare[.]gentilkiwi[.]com (remove [ ]) with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', enjoy SYSTEM
(just one printer this time🤪)
Of course, video quality: video.twimg.com/tweet_video/E7…
And how to protect you (reminder):

(cause you know, Microsoft does not make statements and fix for now...)
Read 4 tweets
20 Jul
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?

A: Local Privilege Escalation 🥳

Thank you @jonasLyk for this Read access on default Windows😘
Ho, and this is not only SAM, but also SYSTEM & SECURITY.
So you can find "interesting" data, like:
- default windows install password (can be valid, trust me 👍)
- DPAPI computer keys (decrypt all computer private keys, etc.)
- Computer Machine account (silver ticket)
- ...
Affected versions / Not affected versions on my tests today:
Read 5 tweets
17 Jul
Want to test #printnightmare (ep 4.x) user-to-system as a service?🥝
(POC only, will write a log file to system32)

connect to \\printnightmare.gentilkiwi.com with
- user: .\gentilguest
- password: password

Open 'Kiwi Legit Printer - x64', then 'Kiwi Legit Printer - x64 (another one)'
You can prevent this behavior by settings some parameters/GPO:

'Package Point and print - Approved servers'
> docs.microsoft.com/troubleshoot/w…
> admx.help/?Category=Wind…

Of course, disable outbound access to CIFS/SMB/RPC...
Very bad impersonation when: docs.microsoft.com/windows-hardwa…
Read 5 tweets
30 Jun
This #printnightmare / CVE-2021-1675 is really serious 🤪

Just adapted/simplified original POC then:
*From Remote standard user to SYSTEM*

Here on a domain controller, but valid on all systems with RPC to spooler available, remote or local

➡️ disable service now (no patch yet)
As usual, video quality: video.twimg.com/tweet_video/E5…
Yes, DC is 2019 and fully patched
And 'localspl.dll' is 06/06/2021 (10.0.17763.1999)

@byt3bl33d3r @allevon412 @PythonResponder

But to be transparent, I don't have a recent CPU & TPM 2.0
That might be the problem, @msftsecurity, isn't it?
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

:(