Jacob Paullus

@psycep_

@Mandiant Red Teamer / Something something views are my own

Joined November 2021

23Posts 102Followers 48Following

Jacob Paullus reposted

Andrew Oliveau

@AndrewOliveau

Apr 8

RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS. Hope you enjoy the blog & tool drop 🤟 ibm.com/think/x-force/…

Jacob Paullus reposted

Andrew Oliveau

@AndrewOliveau

Apr 7

Publishing a new blog and tool tomorrow 👀

Jacob Paullus

@psycep_

Apr 8

The tool is release ready, someone give me motivation to write a blog

Jacob Paullus

@psycep_

Apr 1

Planning a new blog+tool release, stay tuned 👀

Jacob Paullus

@psycep_

Mar 17

ANOTHA ONE ☝️ check out our latest @Mandiant blog, showcasing the terrifying Browser-in-the-Middle techniques of the modern social engineer cloud.google.com/blog/topics/th…

psycep_'s tweet card. The browser in the middle technique can enable compromises, especially if defenses and MFA aren't properly implemented.

BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique | Google Cloud Blog

Source: cloud.google.com

Jacob Paullus

@psycep_

Feb 3

Our blog on CVE-2023-6080 is here 💥 check it out! We detail the discovery and exploitation process, going from low privilege to SYSTEM 😎 cloud.google.com/blog/topics/th…

psycep_'s tweet card. Mandiant exploited flaws in the Microsoft Software Installer repair action of Lakeside Software's SysTrack installer to obtain arbitrary code execution.

CVE-2023-6080: A Case Study on Third-Party Installer Abuse | Google Cloud Blog

Source: cloud.google.com

Jacob Paullus

@psycep_

Jan 16

T-Minus two weeks until my first Mandiant blog as the principal author drops as well 🥳 (Detailing the discovery of CVE-2023-6080)

Jacob Paullus

@psycep_

Jan 15

Contributed to my first Mandiant blog on web applications, check it out! Officially on my way to becoming a certified web boy (pls no) 🕸️🕸️ cloud.google.com/blog/topics/th…

psycep_'s tweet card. Single-page applications (SPAs) typically have multiple access control vulnerabilities that can introduce risk.

Your Single-Page Applications Are Vulnerable: Here's How to Fix Them | Google Cloud Blog

Source: cloud.google.com

Jacob Paullus

@psycep_

Jan 15

Contributed to my first Mandiant blog on web applications, check it out! Officially on my way to becoming a certified web boy (pls no) 🕸️🕸️ cloud.google.com/blog/topics/th…

Your Single-Page Applications Are Vulnerable: Here's How to Fix Them | Google Cloud Blog

Source: cloud.google.com

Jacob Paullus reposted

Andrew Oliveau

@AndrewOliveau

Oct 18, 2024

Excited to finally share some details of my favorite CVE, discovered with @psycep_ (definitely give him a follow)! This one’s a fun local privilege escalation vulnerability in Lakeside Software’s SysTrack LsiAgent Installer – CVE-2023-6080 🤜🤛 github.com/mandiant/Vulne…

AndrewOliveau's tweet card. Contribute to mandiant/Vulnerability-Disclosures development by creating an account on GitHub.

Vulnerability-Disclosures/2024/MNDT-2024-0009.md at master · mandiant/Vulnerability-Disclosures

Source: github.com

Jacob Paullus

@psycep_

Oct 18, 2024

A long time in the making, my first credited CVE! cve.org/CVERecord?id=C… w/ @AndrewOliveau and Jake Rawlins

Jacob Paullus reposted

Nick

@kulinacs

Aug 19, 2024

Excited to share the (now patched) AKS Privilege Escalation we found! cloud.google.com/blog/topics/th…

kulinacs's tweet card. An attacker with access to a vulnerable Microsoft Azure Kubernetes Services cluster could have escalated privileges and accessed credentials for services used by the cluster.

"WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services | Google Cloud Blog

Source: cloud.google.com

Jacob Paullus

@psycep_

Aug 19, 2024

6 business weeks later, the blog is here! 🙌 Check it out: cloud.google.com/blog/topics/th…

psycep_'s tweet card. An attacker with access to a vulnerable Microsoft Azure Kubernetes Services cluster could have escalated privileges and accessed credentials for services used by the cluster.

"WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services | Google Cloud Blog

Source: cloud.google.com

Jacob Paullus

@psycep_

Jul 10, 2024

It got delayed :’(

Jacob Paullus

@psycep_

Jul 9, 2024

My first Mandiant blog drops Thursday 🥳

Jacob Paullus

@psycep_

Jul 9, 2024

My first Mandiant blog drops Thursday 🥳

Jacob Paullus

@psycep_

Jun 14, 2024

Disclosed my first 0-day today (with @AndrewOliveau)

Jacob Paullus reposted

Andrew Oliveau

@AndrewOliveau

May 29, 2024

Another option is to run “openssl s_client -connect <DC>:636 -showcerts -debug” and look for the CA server tied to the domain controller.

Aurélien Chalot

@Defte_

May 29, 2024

Wanna blindly check if the ADCS web enroll is installed on a domain ? Bruteforce the /certenroll endpoint without the trailing/ on all webservers. If you hit the ADCS web enroll you will get a location: /certenroll/ header in the response. Now enjoy blind ntlmrelayx ESC8👀👀👀