waldoirc (@waldoirc) 's Twitter Profile
waldoirc

@waldoirc

Trying to figure out how computers work. Figuring out SDR, IOT, and Mobile exploitation.

github.com/waldo-irc

ID: 1102255026158952449

Website: https://www.arashparsa.com | Joined: 03-03-2019 17:10:51

552 Tweets

3.3K Followers

615 Following

klez (@klezvirus) 's Twitter Profile Photo

[RELEASE] After a little wait, I'm happy to present SilentMoonwalk, a PoC implementation of a TRUE call stack spoofer, result of a joint research on an original technique developed by namazso, done with my friends trickster0 and waldoirc. Enjoy! ;) github.com/klezVirus/Sile…

Cerbersec (@cerbersec) 's Twitter Profile Photo

New year, new tools! As part of my #KernelKarnage talk at SANS Offensive Operations #SANSPenTestHackFest back in November I'm happy to release: The CobaltWhispers Framework & Interceptor Kernel Driver! github.com/NVISOsecurity/… github.com/NVISOsecurity/…

john (@turbocodr) 's Twitter Profile Photo

About 5 years ago I started wondering if a malware C2 channel existed that embedded messages and data payloads inside the x509 cert used for the TLS handshake. I searched but never found this in the wild so this year I decided to write it myself. github.com/jconwell/secre…

Artur Marzano (@macmodsec) 's Twitter Profile Photo

lapinousexy waldoirc No amount of R&D is enough in security. If you have a quick look at most TTPs you will realize that most EDRs will cover most of the most dangerous ones, but will leave lots of gaps. Good examples would be malicious browser extensions, which most EDRs don't inspect properly.

thefLink (@theflinkk) 's Twitter Profile Photo

Here is a little ETW based tool to play with different IOCs by ImageLoad events. I feel like proxying Kernel32!LoadLibrary through Ntdll is a very strong IOC. :-) github.com/thefLink/Hunt-…
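One way to turn that IOC into a check, as an added example that is not thefLink's tool: for each ImageLoad event with a stack walk attached, look at the first frame outside ntdll.dll. On the documented path it is KernelBase.dll or kernel32.dll (LoadLibraryExW / LoadLibraryW); anything else means the caller went to ntdll!LdrLoadDll directly. The events, field names and frame notation below are constructed for the example.

```python
"""Added example (not thefLink's tool): score ImageLoad events by the call
stack that led into ntdll's loader. If the first frame outside ntdll.dll is
not kernel32.dll or KernelBase.dll, the caller skipped the documented
LoadLibrary path and talked to ntdll!LdrLoadDll directly. The events below
are constructed to resemble ETW ImageLoad records with a stack walk
attached; the field names and frame notation are assumptions."""

SYSTEM_LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}


def first_caller_outside_ntdll(stack):
    """stack is innermost-first; frames are 'module!symbol' or 'unbacked:0x...'.
    Returns the module of the first non-ntdll frame, or None if the captured
    stack never leaves ntdll (truncated walk: cannot judge, so not flagged)."""
    for frame in stack:
        module = frame.split("!", 1)[0].lower()
        if module != "ntdll.dll":
            return module
    return None


def is_loadlibrary_proxied(stack):
    """True when ntdll's loader was entered from anything but kernel32/KernelBase."""
    caller = first_caller_outside_ntdll(stack)
    return caller is not None and caller not in SYSTEM_LOADER_MODULES


def triage(events):
    """Return (pid, loaded image, offending caller) for every suspicious event."""
    return [(e["pid"], e["image"], first_caller_outside_ntdll(e["stack"]))
            for e in events if is_loadlibrary_proxied(e["stack"])]


# Constructed sample events (innermost frame first).
EVENTS = [
    {"pid": 4412, "image": r"C:\Windows\System32\winhttp.dll",   # normal LoadLibraryW path
     "stack": ["ntdll.dll!LdrpLoadDll", "ntdll.dll!LdrLoadDll",
               "kernelbase.dll!LoadLibraryExW", "kernel32.dll!LoadLibraryW",
               "app.exe!main"]},
    {"pid": 5120, "image": r"C:\Windows\System32\winhttp.dll",   # a DLL calls LdrLoadDll itself
     "stack": ["ntdll.dll!LdrpLoadDll", "ntdll.dll!LdrLoadDll",
               "loader.dll!ProxyLoad", "app.exe!main"]},
    {"pid": 6032, "image": r"C:\Windows\System32\wininet.dll",   # caller is unbacked memory
     "stack": ["ntdll.dll!LdrpLoadDll", "ntdll.dll!LdrLoadDll",
               "unbacked:0x000001d8c2f40000"]},
]

if __name__ == "__main__":
    for pid, image, caller in triage(EVENTS):
        print("pid %d loaded %s; ntdll loader entered from %s" % (pid, image, caller))
```

Stack walks are only present when the ETW session enables them for the ImageLoad keyword, and a truncated walk that never leaves ntdll is deliberately not flagged. Baseline before alerting and allowlist callers that legitimately enter ntdll directly.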

diversenok (@diversenok_zero) 's Twitter Profile Photo

The new Token Universe v0.5 can view and edit security descriptors on 30 types of securable objects. 🔥 It also knows how to handle complex ACLs with compound and callback ACEs, mandatory and trust labels, and more. Enjoy experimenting! github.com/diversenok/Tok…
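
A parser for the structures the tool edits, added here as an example (it is not Token Universe code): it decodes a self-relative security descriptor and walks the DACL and SACL, handling the plain, compound, callback, mandatory label and process trust label ACE kinds named above. Layouts follow winnt.h. The sample descriptor, its SIDs and the callback condition blob are constructed for the example; the blob is a placeholder, not a real conditional-expression encoding.

```python
"""Added example: parser for a self-relative Windows security descriptor.
Walks the DACL and SACL and decodes plain allow/deny ACEs, compound ACEs,
callback ACEs (with their trailing conditional-expression blob), mandatory
label and process trust label ACEs. Layouts follow winnt.h; the sample
descriptor below is constructed, not taken from a live object."""
import struct

SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000
ACE_TYPES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED", 0x02: "SYSTEM_AUDIT",
             0x04: "ACCESS_ALLOWED_COMPOUND", 0x09: "ACCESS_ALLOWED_CALLBACK",
             0x0A: "ACCESS_DENIED_CALLBACK", 0x11: "SYSTEM_MANDATORY_LABEL",
             0x14: "SYSTEM_PROCESS_TRUST_LABEL"}
CALLBACK_TYPES, COMPOUND_TYPES = {0x09, 0x0A}, {0x04}


def parse_sid(buf, off):
    """Decode a SID at buf[off:]; returns ('S-1-...', bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")  # 48-bit, big endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)  # sub-authorities, little endian
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_acl(buf, off):
    """Decode an ACL at buf[off:] into a list of ACE dicts."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos, end = [], off + 8, off + acl_size
    for _ in range(ace_count):
        ace_type, flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("ACE at offset %d overruns its ACL" % pos)
        body = pos + 4
        ace = {"type": ACE_TYPES.get(ace_type, "UNKNOWN_0x%02X" % ace_type),
               "flags": flags, "mask": struct.unpack_from("<I", buf, body)[0]}
        body += 4
        if ace_type in COMPOUND_TYPES:
            # ACCESS_ALLOWED_COMPOUND_ACE: CompoundAceType(2) + Reserved(2) precede the SID
            ace["compound_type"] = struct.unpack_from("<H", buf, body)[0]
            body += 4
        ace["sid"], sid_len = parse_sid(buf, body)
        body += sid_len
        if ace_type in CALLBACK_TYPES:
            # callback ACEs carry an opaque conditional expression after the SID, up to AceSize
            ace["condition"] = bytes(buf[body:pos + ace_size])
        aces.append(ace)
        pos += ace_size
    return aces


def parse_security_descriptor(buf):
    """Decode a SECURITY_DESCRIPTOR_RELATIVE into owner, group, DACL and SACL."""
    _rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("absolute descriptors carry pointers, not offsets")
    return {"control": control,
            "owner": parse_sid(buf, o_owner)[0] if o_owner else None,
            "group": parse_sid(buf, o_group)[0] if o_group else None,
            "dacl": parse_acl(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else None,
            "sacl": parse_acl(buf, o_sacl) if control & SE_SACL_PRESENT and o_sacl else None}


# Builders used only to construct the sample descriptor below.
def build_sid(authority, *subs):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_ace(ace_type, flags, mask, sid, before_sid=b"", condition=b""):
    body = struct.pack("<I", mask) + before_sid + sid + condition
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_acl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body


def sample_descriptor():
    """Constructed sample: Administrators owner/group, three-ACE DACL, two-ACE SACL."""
    admins, system = build_sid(5, 32, 544), build_sid(5, 18)
    dacl = build_acl([
        build_ace(0x00, 0x00, 0x001F01FF, admins),                 # full control
        build_ace(0x09, 0x00, 0x00120089, build_sid(5, 11),        # callback ACE; the blob
                  condition=b"artx\x00\x00\x00\x00"),              # is a placeholder only
        build_ace(0x04, 0x00, 0x00100000, system,                  # compound ACE, type 1
                  before_sid=struct.pack("<HH", 1, 0)),            # (impersonation)
    ])
    sacl = build_acl([
        build_ace(0x11, 0x00, 0x1, build_sid(16, 8192)),           # medium IL, NO_WRITE_UP
        build_ace(0x14, 0x00, 0x1, build_sid(19, 512, 8192)),      # constructed trust label
    ])
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_SACL_PRESENT
    o_owner = 20                                # header is 20 bytes
    o_group = o_owner + len(admins)
    o_sacl = o_group + len(admins)
    o_dacl = o_sacl + len(sacl)
    return (struct.pack("<BBHIIII", 1, 0, control, o_owner, o_group, o_sacl, o_dacl)
            + admins + admins + sacl + dacl)


if __name__ == "__main__":
    sd = parse_security_descriptor(sample_descriptor())
    for section in ("dacl", "sacl"):
        for ace in sd[section]:
            print(section.upper(), ace)
```

On a live system the same bytes come back from GetSecurityInfo or NtQuerySecurityObject with SE_SELF_RELATIVE set; the AceSize bounds check matters there, since a malformed ACL is exactly what a fuzzer or a hand-crafted descriptor would hand you.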

Will Schroeder (@harmj0y) 's Twitter Profile Photo

Being in this class is blowing my mind! The material is amazing and the instructors are crushing it. If you're interested in attacking AI/ML, you have to check out this course!

T3nb3w (@t3nb3w) 's Twitter Profile Photo

Just published a blog on the House of Force heap exploitation technique! Learned a ton about glibc's ptmalloc. Check it out! #HeapExploitation #vulnresearch mohamed-fakroud.gitbook.io/red-teamings-d…

Fabian (@testert01) 's Twitter Profile Photo

[Blogpost] EvtPsst, a small EventLog Process Mute tool without an OpenProcess call to the EventLog process. This blog shows how to elevate a SYNCHRONIZE handle to a full process handle with a process token of EventLog. nothingspecialforu.github.io/EvtPsstBlog/ #redteam

Joe (@trk_rdy) 's Twitter Profile Photo

Quarterly reminder that Defender for Endpoint (MDE) is not EDR. MDE is a logical grouping of many protections, EDR being one of them. That is all.

T3nb3w (@t3nb3w) 's Twitter Profile Photo

🚀 New Blog & PoC: Abusing IDispatch for COM Object Access & PPL Injection. Leveraging STDFONT via IDispatch to inject into PPL processes & access LSASS. Inspired by James Forshaw's research! 🔍 Blog: mohamed-fakroud.gitbook.io/red-teamings-d… 💻 Code: github.com/T3nb3w/ComDotN…

trickster0 (@trickster012) 's Twitter Profile Photo

This is my research project in creating read, write and allocate primitives that can be turned into an injection in order to evade certain telemetry which I presented last year in RedTreat. I hope everyone likes it \m/. trickster0.github.io/posts/Primitiv…