malmoeb.bsky.social
@malmoeb.bsky.social
640 followers 990 following 470 posts
Head of Investigations at InfoGuard AG - dfir.ch
This one here is a goodie! A customer called us because they had several incidents where the system time "magically" jumped days, sometimes even months, back and forth (see screenshot). You can imagine the issues inflicted by this behavior. So the question was: Cyber? Attacker? Misconfiguration?

If you have never heard of Secure Time Seeding, you might want to read the article on Ars Technica. It might save your day eventually. [1]

Microsoft introduced the time-keeping feature in 2016 as a way to ensure that system clocks were accurate. Windows systems with clocks set to the wrong time can cause disastrous errors when they can’t properly parse timestamps in digital certificates or they execute jobs too early, too late, or out of the prescribed order.

“You may ask - why doesn’t the device ask the nearest time server for the current time over the network?” Microsoft engineers wrote. “Since the device is not in a state to communicate securely over the network, it cannot obtain time securely over the network as well, unless you choose to ignore network security or at least punch some holes into it by making exceptions.”

To avoid making security exceptions, Secure Time Seeding sets the time based on data inside an SSL handshake the machine makes with remote servers.

Despite the checks and balances built into STS to ensure it provides accurate time estimates, the time jumps indicate the feature sometimes makes wild guesses that are off by days, weeks, months, or even years.

🤯
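As an added defender-side example (not part of the original posts or the Ars Technica article): a small Python check that reads Windows Security event 4616 ("The system time was changed") records and flags clock steps larger than a threshold, so jumps like the ones described above get a ticket instead of going unnoticed. The event records, the one-hour threshold and the field names are constructed assumptions modelled on the fields that event carries.

```python
from datetime import datetime, timedelta, timezone

# Assumption: legitimate NTP corrections are far below this; anything larger
# (days, weeks, months) deserves a ticket, whichever direction the clock moved.
MAX_STEP = timedelta(hours=1)

# Constructed sample records with the fields event 4616 carries. Windows logs
# these times in UTC with 100 ns ticks (seven fractional digits).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T08:00:00Z", "PreviousTime": "2024-03-01T08:00:00.1234567Z",
     "NewTime": "2024-03-01T08:00:00.4567890Z",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "LOCAL SERVICE"},
    {"TimeCreated": "2024-03-03T10:15:00Z", "PreviousTime": "2024-03-03T10:15:00.0000000Z",
     "NewTime": "2024-01-16T10:15:00.0000000Z",
     "ProcessName": r"C:\Windows\System32\svchost.exe", "SubjectUserName": "LOCAL SERVICE"},
    {"TimeCreated": "2024-03-04T09:00:00Z", "PreviousTime": "2024-03-04T09:00:00.5000000Z",
     "NewTime": "2026-03-04T09:00:00.5000000Z",
     "ProcessName": r"C:\Windows\System32\cmd.exe", "SubjectUserName": "jdoe"},
]


def parse_win_time(value: str) -> datetime:
    """Parse a 4616 timestamp: ISO 8601, UTC, up to seven fractional digits."""
    main, _, frac = value.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]  # Python keeps microseconds; drop the 7th digit
    parsed = datetime.strptime(f"{main}.{frac}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def find_clock_jumps(events, max_step=MAX_STEP):
    """Return one finding per event whose clock step exceeds max_step."""
    findings = []
    for ev in events:
        step = parse_win_time(ev["NewTime"]) - parse_win_time(ev["PreviousTime"])
        if abs(step) <= max_step:
            continue  # ordinary correction by the time service
        # svchost.exe as LOCAL SERVICE is the time service itself (a multi-day step
        # from it matches the STS behaviour above); a user-land process points at
        # a manual or scripted change and needs a different follow-up.
        findings.append({
            "when": ev["TimeCreated"],
            "step_days": round(step.total_seconds() / 86400, 2),
            "process": ev["ProcessName"],
            "user": ev["SubjectUserName"],
        })
    return findings

if __name__ == "__main__":
    for f in find_clock_jumps(SAMPLE_EVENTS):
        print(f"{f['when']}: clock moved {f['step_days']:+} days via {f['process']} ({f['user']})")
```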
My teammate Evgen Blohm analyzed a ransomware incident in which the threat actor used rclone to exfiltrate data from the network. Detected by Defender: behavior:process: C:\PerfLogs\rclone.exe.

Unfortunately, nobody paid attention to this alert. I just checked our customer alert database, and this detection was not present in the last few months, but it was raised in several of our IR cases. I consider this alert critical and recommend responding to it immediately once it is raised.

So, I wrote about "Behavior:Win32/SuspRclone" before. [1]

"This behavioral monitoring signature gets triggered if the file Rclone.exe has been observed residing in a suspicious folder on a device." [2]
binfmt_misc provides a nifty way (once the attacker has gained root rights on the machine) to create a little backdoor to regain root access when the original access no longer works. This mechanism is not really known, which makes it a perfect fit for staying under the radar.
Today I learned: SeManageVolumePrivilege

While reading the HTB write-up for Certificate, I learned about SeManageVolumePrivilege. [1]

0xdf shows the exploitation in his HTB write-up. [1]

A video by Grzegorz Tworek goes into great detail about how to abuse SeManageVolumePrivilege. [2]

The privilege provides direct access to the disk: there are intended modifications, but also many undocumented changes that can be made.

There’s a GitHub project by CsEnox, SeManageVolumeExploit, which abuses this to replace all the Administrators group ACL entries on C: with the Users group. [3]

I reviewed various PingCastle reports, and this privilege was explicitly set only on a small subset of networks, typically on accounts associated with SQL servers.
What is Maester? [1]

Maester is a PowerShell-based test automation framework that helps you stay in control of your Microsoft security configuration. Such a cool tool - test details can be filtered by passed, failed, and skipped. Failed tests come with detailed recommendations on how to do better.

I strongly recommend running Maester periodically to secure your Microsoft 365 tenant, in addition to running PingCastle in your On-Prem AD environment.

[1] maester.dev - Maester: Your Microsoft Security test automation framework!

Coming back to Maester! Do you know about the awesome Conditional Access What-If tests? [1]

The first image is from the official documentation and shows how easily you can build your own test scenario. The second image shows the results from a tenant where I ran the test.

I think it's a super cool feature, especially since we’ve had several Incident Response cases lately where the Conditional Access policy was misconfigured, giving attackers the upper hand. Such misconfigurations might have been detected earlier with exactly these kinds of test suites.
Attackers love vssadmin, and so do the EDR vendors. How about diskshadow? We tested the attack flow in our lab with various EDRs, and the results were .. interesting. Would the command above trigger an alert in your environment?
set verbose on
set context persistent nowriters
set metadata C:\Windows\Temp\0xdf[.]cab
add volume c: alias 0xdf
create
expose %0xdf% e:

and pass it [the script from above] to diskshadow:
C:\programdata> diskshadow /s C:\programdata\backup