Introducing MacNoise!
🍎 MacNoise

It’s been quite a while since my last blog post, but I’ve been really busy working on a project I’m thrilled to talk about: MacNoise. MacNoise is a modular macOS telemetry noise generator for EDR testing and security research. It generates real system events (network connections, file writes, process spawns, plist mutations, TCC permission probes, and more) so that security teams can validate that their EDR, SIEM, and firewall tooling detects what it is supposed to detect.


Remote Session Enumeration via Undocumented Windows APIs
What is qwinsta?

qwinsta: Displays information about sessions on a Remote Desktop Session Host server. The list includes information not only about active sessions but also about other sessions that the server runs. (ref: MSFT Docs)

It is also possible to remotely enumerate user sessions via the /server:{hostname} parameter. Although the Microsoft documentation describes this binary as relating to Remote Desktop sessions, Remote Desktop does not need to be enabled for the binary to run or for enumeration to succeed:


Kernel Drivers, Process Protection, and ...Bears?
Acknowledgments: Thanks to the various people that proofread my ramblings and offered valuable feedback. Thanks to @_RastaMouse (and ZeroPointSecurity) for creating courses that have inspired me to learn more about security every day.
I want to start this blog post by stating that basically none of this research is “new”. A lot of the information surrounding process protection in Windows, and the various methods of exploiting it, has been explored in extreme depth (such as the work done by Benjamin Delpy and the mimikatz driver). The goal here is to share my personal journey through understanding process protection in Windows, and to document a few “gotchas” I encountered on my way to disabling PPL for a process like lsass.exe.
