Install Visual Studio / WDK and configure virtual machine (Hyper-V) for debugging Windows kernel and drivers

Motivation: The purpose of this document is to provide a clear, step-by-step guide for setting up and configuring a Windows development environment specifically tailored for kernel and driver development. Novice developers often face compatibility and configuration issues that make it difficult to get started. This documentation explains practical steps and provides recommendations for configuring a VM with Windows…

Keycloak and aud claim usage as additional authentication layer

OpenFGA and Keycloak configuration: Some time ago, we integrated OpenFGA with Keycloak for our AuthN/AuthZ implementation. OpenFGA can interpret the token’s “aud” claim when making authentication/authorization decisions. The “aud” claim specifies the intended recipient(s) of the token: The “aud” (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT must…

Keycloak cookie-based SSO on a real example

Intro: Many articles refer to the SSO capabilities of Keycloak, but they often don’t explain how it works under the hood. In this article we have a simple environment in the form of a Docker Compose setup with Keycloak and two Angular applications that will help you understand how cookie-based authentication works with Keycloak. We will dive deep into this…

Keycloak realms and how they can be used for multi-tenancy

If you’re working with Keycloak and wondering how to handle multi-tenancy, then this article is for you. I’ve seen a lot of confusion around realms – what they are, how they behave, and whether they’re the right building blocks for tenant separation. Let’s break it down. What is a Realm in Keycloak? At its core, a realm in…

Windows Server 2012 R2 installation with PowerShell and VirtualBox

We basically need a Windows Server for various experiments, such as studying Keycloak federation with AD, exploring different types of attacks like Kerberoasting, learning the Kerberos protocol, and ADFS and SAML integration with Keycloak, etc. Installing Windows Server on ARM architecture is not supported, so a simple way is to have a separate laptop with installed…