whoami

My name is Federico a.k.a. last, I’m an Italian security researcher and member of the Advanced Persistent Tortellini collective. I study and develop offensive software, hold a bunch of certs, enjoy lockpicking and acrobatic quadcopter crashing flying. I also play CTFs with my mates @ JBZ Team and I’m a huge fan of XKCD. If you want to have a look at the shitty code I write head to my GitHub profile. Other than that I don’t have much to showcase to be honest… ¯\_(ツ)_/¯

Certifications:

• Offensive Security Certified Professional (OSCP) - 2017
• Offensive Security Certified Expert (OSCE) - 2018
• Certified Red Team Professional (CRTP) - 2019
• Offensive Security Web Expert (OSWE) - 2020
• eLearnSecurity Certified Penetration Tester eXtreme (eCPTX) - 2020
• Certified Red Team Operator (CRTO) - 2020
• Certified Red Team Expert (CRTE) - 2022
• Certified Azure Red Team Professional (CARTP) - 2022

External blog posts:

• Taking a detour inside LSASS - extracting local hashes by hooking the MsvpPasswordValidate function inside LSASS memory
• The dying knight in the shiny armour - killing Defender through NT symbolic links redirection while keeping it unbothered
• Stealing weapons from the Armoury - root cause analysis of a privilege escalation vulnerability in ASUS ROG Armoury Crate Lite Service v4.2.8 (CVE-2021-40981)
• The ace(r) up your sleeve! - privilege escalation vulnerability in Acer Care Center (CVE-2021-45975)
• Gaining the upper hand(le) - hunting for privilege escalations and UAC bypasses by looking for leaked handles in unprivileged processes

CVEs:

• CVE-2021-40981: privilege escalation I found in Asus ROG Armoury Crate. Blogpost here.
• CVE-2021-45975: privilege escalation I found in Acer Care Center for Windows. Blogpost here.

Projects:

• PersistenceSniper: Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. The script is also available on Powershell Gallery.
• RIPPL: C++ tool, forked from PPLDump which abuses a flaw in the way Windows manages PPL processes, allowing the operator to tamper, disrupt or, more generally, interact with PPL processes like EDRs, antimalware etc. The flaw has been patched with Windows 10 v21H2 Build 19044.1826.
• unDefender: C++ tool which abuses a flaw in the way Windows loads Defender’s WDFilter.sys driver by redirecting a NT symbolic link in order to make Defender load an arbitrary driver. The full explanation of the technique is available here.
• DefenderSwitch: C++ tool to disable Windows Defender by abusing MsMpEng.exe’s misconfigured ACL. The misconfiguration is now patched.
• HppDLL: C++ DLL that can be injected into LSASS in order to dump local password hashes without touching the registry. The full explanation of the technique is available here.
• Hybris: C++ tool to spawn arbitrary processes running as NT AUTHORITY\SYSTEM by abusing Winlogon’s token impersonation.
• UpperHandler: C++ tool to automatically look for privileged handle leaks which may lead to privilege escalation vulnerabilities. The full explanation of the technique is available here. Not yet released.
• GRIP: Go RIP Injection Program is a tool written in Go that can be used to inject fake routes in a RIPv2 network. The full explanation of the technique is available here.

Public talks:

• 🇮🇹 Windows gold mining - a somewhat deep dive into Windows credentials extraction for fun and (hopefully) profit
• 🇮🇹 Survival of the evilest - persistence techniques in an enterprise environment to ensure the survival of your operation
• 🇮🇹 Anonymity Fails, good shoes won’t save you this time! - how bad guys got busted and what you can learn from an OPSEC perspective

You can find me at last AT notso DOT pro or on Twitter.