Grzegorz Tworek (@0gtweet)'s Twitter Profile
Grzegorz Tworek

@0gtweet

My own research, unless stated otherwise. Not necessarily "safe when taken as directed".
GIT d- s+: a+ C++++ !U !L !M w++++$ b++++ G-

ID: 564509485

Link: https://github.com/gtworek
Joined: 27-04-2012 11:14:50

6,6K Tweet

32,32K Followers

1,1K Following

Grzegorz Tworek (@0gtweet)

Does your famous-for-BSODs EDR block creation of IFEO\Utilman.exe Debugger entry? Create Debugger for IFEO\Utilman1.exe and rename the key... 😂
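
A defender-side check prompted by the tweet above, added here as an example (not the author's code): rather than watching for one hard-coded key name, enumerate every IFEO subkey that ends up carrying a Debugger value, in both the native and WOW6432Node views, so a key created under another name and renamed afterwards is still caught by its final state. The function name and the output shape are my own.

```powershell
# Added example, not the author's code. Lists every IFEO subkey that carries a
# Debugger value; each key is judged by its final name, so the create-then-rename
# trick from the tweet does not hide the entry from this check.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Hypothetical helper name; returns one object per subkey that has a Debugger value.
function Get-IfeoDebuggerEntry {
    foreach ($root in $ifeoPaths) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -ne $props -and $null -ne $props.PSObject.Properties['Debugger']) {
                # Utilman.exe is the case named in the tweet: it is reachable from the
                # logon screen, so any Debugger value on it is a finding, not a review item.
                $severity = 'Review'
                if ($_.PSChildName -ieq 'Utilman.exe') { $severity = 'High' }
                [PSCustomObject]@{
                    Root     = $root
                    Image    = $_.PSChildName
                    Debugger = $props.Debugger
                    Severity = $severity
                }
            }
        }
    }
}

Get-IfeoDebuggerEntry | Sort-Object Severity, Image | Format-Table -AutoSize
```

The rename itself is also observable: Sysmon Event ID 14 (RegistryEvent, Key and Value Rename) scoped to the IFEO path gives a log-based detection that complements this on-host check.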

Grzegorz Tworek (@0gtweet)

Phrack #71 Linenoise - "Master of Puppets - turning AV sandboxes into a botnet". What I can say... Honored and proud. Enjoy! phrack.org/issues/71/3.ht…

Przemysław Kłys (@przemyslawklys)

If you're into #ActiveDirectory, keep it clean from stale objects. CleanupMonster, my new #PowerShell module, can help you with that. I wrote a blog post about it to make it easier to implement. It has fancy reporting and lots of customizations evotec.xyz/mastering-acti…

Grzegorz Tworek (@0gtweet)

Yet another KVM on my desk 🙈 This time it's #NanoKVM Pros: tiny, fast, cheap, nice features. ❤️ Cons: no WiFi 👎 Thanks Rev for the tip!

Grzegorz Tworek (@0gtweet)

Finally releasing the tool! The Offline SAM Editor is here for IT pros, researchers, and security enthusiasts who want to access and edit SAM databases from offline OS disks. Source code included. Get your access: payments.gtworek.com/buy/54d82b09-4…

Grzegorz Tworek (@0gtweet)

I'm telling stories (at times mercilessly) about the Windows API. Or rather, about what comes of trying to preserve backward compatibility for several decades.

Grzegorz Tworek (@0gtweet)

Newag (the company trying to sue hackers after they published information about DRM backdoors found in trains) seems to fail with the narration, as now they ask a court to make the hearing closed. Oops... 😅

Grzegorz Tworek (@0gtweet)

Very informative "The Old New Thing" post about LUIDs: devblogs.microsoft.com/oldnewthing/20… And deeply inside AllocateLocallyUniqueId() is NtAllocateLocallyUniqueId(), which in turn is an interlocked add. In current Windows versions it starts with 1001 and grows (quickly!) by 1.

Grzegorz Tworek (@0gtweet)

Listing all processes keeping a particular file open is not a trivial task, but since Vista we have a special syscall parameter for such a purpose. Microsoft says "reserved for system use" but I was brave enough to wrap it into a PowerShell function. Enjoy! github.com/gtworek/PSBits…

Grzegorz Tworek (@0gtweet)

Volume creation time seems to be quite an unpopular #DFIR artifact, even if it may be useful in some scenarios. Not to mention sandbox detection... 😈 It's why I needed a tool for it. Enjoy the C source code and compiled exe, as usual: github.com/gtworek/PSBits…
