dmitry – WindowsTechs.com

Creation of the Policy.vpol file by the lsass.exe process [migrated]

Posted on April 12, 2024 by dmitry

I discovered an EventID 11 (Microsoft-Windows-Sysmon/Operational) event in the Windows logs, in which the Policy.vpol file is created by the process C:\Windows\system32\lsass.exe on behalf of the system user (NT AUTHORITY\System)
How to ch… Continue reading Creation of the Policy.vpol file by the lsass.exe process [migrated]→

Access to JWT session after OAuth redirects

Posted on October 31, 2021 by dmitry

I have a stateless backend app, session data is stored on the front-end in a JWT token, so the front-end app passes this token in Authorization header to all the requests.
I need to add 3rd party API integration that will use OAuth2.
I imp… Continue reading Access to JWT session after OAuth redirects→

How to maintain and enforce an approved list of software?

Posted on October 14, 2021 by dmitry

I work in a software-development company where we have a lot of tech-savvy people.
For ISO27001 certification we need to maintain list of approved software. And I’d like to understand how in practice this list is maintained and enforced?
T… Continue reading How to maintain and enforce an approved list of software?→

Equivalence of UNC Path Injection and Kerberoasting Attacks on SQL Server

Posted on October 6, 2021 by dmitry

An Active Directory domain is deployed, a domain controller on Windows Server 2019. A computer with SQL Server 2016 is added to it, which is launched under the srv service account. The attacker has unprivileged access to this SQL Server fr… Continue reading Equivalence of UNC Path Injection and Kerberoasting Attacks on SQL Server→

No User SID in the sysmon event with id 1 (process creation)

Posted on September 20, 2021 by dmitry

Extend version of the question
I’m trying to figure out how to detect the launch of unwanted processes based on regular logging in Windows and sysmon. Sysmon event 1 allows you to get a significant amount of information about the running p… Continue reading No User SID in the sysmon event with id 1 (process creation)→

Why does msfvenom payload dll create the run32dll subprocess after it is injected into the explorer process memory?

Posted on February 13, 2021 by dmitry

I am researching payloads that msfvenom (metasploit framework) can be generated and existing methods of injection them into processes for manual incident investigation.
Initial data

Target: Windows 10 x64 (19041.804)
Client: Kali Linux 2… Continue reading Why does msfvenom payload dll create the run32dll subprocess after it is injected into the explorer process memory?→

Host header injection attack with Spring boot embedded tomcat

Posted on May 31, 2018 by dmitry

Our application has been checked by PEN Test tool, and there are description of issue:

An attacker can redirect the application using the host header on the
below mentioned URL to redirect them to phishing websites.

Reproducing ste… Continue reading Host header injection attack with Spring boot embedded tomcat→