Teymur (@heirhabarovt) 's Twitter Profile
Teymur

@heirhabarovt

Threat Hunter | GCFA | GXPN | GDSA | Head of Cyber Defense Center at BI.ZONE

ID: 833071490832666624

calendar_today18-02-2017 21:51:35

1,1K Tweet

1,1K Followers

294 Following

Jon Hencinski (@jhencinski) 's Twitter Profile Photo

Once a month we get in front of our exec/senior leadership team and talk about #SOC performance relative to our business goals (grow ARR, retain customers, improve gross margin).

A 🧵 on how we translate business objectives to SOC metrics.

Grzegorz Tworek (@0gtweet) 's Twitter Profile Photo

If you are responsible for the Win11 security baseline, please use the new (I mean fixed after 20+ years) configuration option "Enable MPR notifications" under Windows Components\Windows Logon Options.
Defaults allow reading cleartext credentials from Winlogon with a simple DLL.

rootsecdev (@rootsecdev) 's Twitter Profile Photo

Will have to write a post on abusing SeManageVolumePrivilege. This exploit grants full permission on the C:\ drive for all users on the machine. GitHub - CsEnox/SeManageVolumeExploit github.com/CsEnox/SeManag…
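
A check to go with the tweet above, as an added example (my code, not the tweet's and not from github.com/CsEnox/SeManageVolumeExploit): it lists every principal that holds SeManageVolumePrivilege on the local machine by exporting the user-rights area of the local security policy with secedit.exe and resolving the SIDs. Assumes an elevated PowerShell session on Windows; the "Default" column is this script's own label for the out-of-the-box holder.

```powershell
# Added example (my code; not from the tweet or github.com/CsEnox/SeManageVolumeExploit):
# list every principal that holds SeManageVolumePrivilege ("Perform volume
# maintenance tasks") on this machine. Needs an elevated PowerShell on Windows,
# because secedit.exe only exports the local policy when run as administrator.
function Get-VolumePrivilegeHolders {
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        # Export just the user-rights area; the file has a [Privilege Rights] section
        # with lines like:  SeManageVolumePrivilege = *S-1-5-32-544
        & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -LiteralPath $cfg |
            Where-Object { $_ -match '^SeManageVolumePrivilege\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # right assigned to nobody
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs with a leading '*'; plain names (rare) come through as-is.
                $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.Substring(1))
                try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $account = '<unresolved>' }
                [pscustomobject]@{ Sid = $sid.Value; Account = $account; Default = ($sid.Value -eq 'S-1-5-32-544') }
            } else {
                [pscustomobject]@{ Sid = $null; Account = $entry; Default = $false }
            }
        }
    } finally {
        Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
    }
}

# BUILTIN\Administrators (S-1-5-32-544) is the out-of-the-box holder; any other row is a
# principal that could use the linked exploit to grant itself full control of C:\.
Get-VolumePrivilegeHolders | Format-Table -AutoSize
```

whoami /priv only shows the privileges of the current token; the secedit export is what tells you who else on the box has been handed this right, which is the question the tweet raises.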

Chetan Nayak (Brute Ratel C4 Author) (@ninjaparanoid) 's Twitter Profile Photo

Some EDRs catch indirect syscalls with callstack analysis. Here is a totally new technique which builds a clean callstack originating from ntdll to avoid detections. No ROP required; tested, and it works against every EDR. Enjoy! 🔥

0xdarkvortex.dev/hiding-in-plai…

Antonio Cocomazzi (@splinter_code) 's Twitter Profile Photo

🔥 Brace yourself #LocalPotato is out 🥔 Our new NTLM reflection attack in local authentication allows for arbitrary file read/write & elevation of privilege. Patched by Microsoft, but other protocols may still be vulnerable. cc Andrea Pierini Enjoy! 👇 localpotato.com/localpotato_ht…

Mor Davidovich (@dec0ne) 's Twitter Profile Photo

@idov31 and I are happy to introduce HWSyscalls, a new method to execute indirect syscalls using hardware breakpoints without calling directly into ntdll.dll, therefore bypassing the current way to detect it. A detailed blog post will follow soon. github.com/Dec0ne/HWSysca…

Antonio Cocomazzi (@splinter_code) 's Twitter Profile Photo

Cool discovery 😎
Can be used also to weaponize arbitrary file write vulnerabilities.
As a bonus, check the screenshot on how to weaponize #LocalPotato with this StorSvc DLL hijacking to get a SYSTEM shell.

William Burgess (@joehowwolf) 's Twitter Profile Photo

My first blog at CS - Dynamically spoofing call stacks with timers: cobaltstrike.com/blog/behind-th… PoC: github.com/Cobalt-Strike/…

Oleg Skulkin (@oskulkin) 's Twitter Profile Photo

#ThreatIntel #DFIR We've identified a new campaign by #WatchWolf, the group behind the #DarkWatchman backdoor. This time they are using SEO poisoning instead of phishing emails to deliver the backdoor. Check our blog for details: bi.zone/eng/expertise/…

FalconForce Official (@falconforceteam) 's Twitter Profile Photo

We have launched the 1st part of a new series of blog posts about automation for blue teams. In this first episode, we focus on dangerous misconfigurations in Azure AD. JMP RSP explains how to identify these (some aren't even visible in your Azure Portal)
falconforce.nl/automating-thi…

Teymur (@heirhabarovt) 's Twitter Profile Photo

A few days ago Maksim Tumakov and I gave a talk on Hunting for macOS attack techniques at @PHDays12. Slides are available now! #ThreatHunting #ThreatDetection #DFIR #SOC #incidentresponse #PHDays12 speakerdeck.com/heirhabarov/hu…

Soufiane (@s0ufi4n3) 's Twitter Profile Photo

A TA going by the handle Spyboy is selling an AV/EDR killer that is allegedly capable of killing almost every AV/EDR on the market.

streamable.com/ys07we
streamable.com/h9n16x

Grzegorz Tworek (@0gtweet) 's Twitter Profile Photo

If you play with the NTFS USN Journal, you could spot the "enableRangeTracking" feature and/or fsutil.exe switch. Does it look like something useful in #DFIR scenarios? What is it all about? The 🧵⬇

an0n (@an0n_r0) 's Twitter Profile Photo

Poor man's browser pivot through Chrome remote debugging. 🔥

No need to inject into iexplore anymore. 💪

Just came across this awesome solution shared by Tim McGuffin long ago: gist.github.com/NotMedic/b1ab7…

And this is also working with msedge (it shares the same Chromium engine)! 🎉

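
A hunting check for the condition this pivot depends on, as an added example (my code, not from the tweet or the linked gist): it finds Chromium-based browsers that were started with a DevTools remote-debugging switch and reports where they are listening, which profile directory they were pointed at, and who spawned them. Assumes Windows with the built-in CimCmdlets and NetTCPIP modules; the browser list and the "footprint" heuristics in the comments are mine.

```powershell
# Added example, not code from the tweet or the linked gist: find Chromium-based
# browsers started with a DevTools remote-debugging switch and show where they
# listen. Assumes Windows with the built-in CimCmdlets and NetTCPIP modules.
function Find-RemoteDebuggedBrowsers {
    $browsers = 'chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe'   # Chromium engines (my list)
    $procs = Get-CimInstance Win32_Process |
        Where-Object { $browsers -contains $_.Name -and $_.CommandLine -match '--remote-debugging-(port|pipe)' }
    foreach ($p in $procs) {
        $cmd = $p.CommandLine
        # --remote-debugging-port=0 lets the browser pick a port, so also read the
        # socket table owned by the process instead of trusting the flag alone.
        $flagPort = if ($cmd -match '--remote-debugging-port=(\d+)') { [int]$Matches[1] } else { 0 }
        $listen   = Get-NetTCPConnection -OwningProcess $p.ProcessId -State Listen -ErrorAction SilentlyContinue
        $dataDir  = if ($cmd -match '--user-data-dir=(?:"([^"]+)"|(\S+))') {
                        if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
                    } else { '<default profile>' }
        $parent   = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        [pscustomobject]@{
            Pid       = $p.ProcessId
            Name      = $p.Name
            FlagPort  = $flagPort
            Listening = ($listen | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
            Headless  = [bool]($cmd -match '--headless')
            DataDir   = $dataDir
            Parent    = if ($parent) { $parent.Name } else { '<exited>' }
        }
    }
}

# A browser listening on loopback with a DevTools flag, a headless switch, a data
# directory under the user's real "User Data" profile, and a parent that is not
# explorer.exe is the footprint worth escalating: the DevTools endpoint hands out
# the logged-in sessions of whatever profile it was started against.
Find-RemoteDebuggedBrowsers | Format-Table -AutoSize
```

The same flags show up in process-creation telemetry (Sysmon event 1 / 4688 command lines), so the `-match` patterns above double as a detection rule for a SIEM.
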
Ptrace Security GmbH (@ptracesecurity) 's Twitter Profile Photo

This map lists the essential techniques to bypass anti-virus and EDR github.com/CMEPW/BypassAV #Pentesting #bypass #CyberSecurity #Infosec

Grzegorz Tworek (@0gtweet) 's Twitter Profile Photo

Netsh.exe relies on extensions taken from the Registry, which means it may be used for persistence. And what if you go one step further, extending netsh with a DLL allowing you to do whatever you want? Kinda #LOLBin 😎 Enjoy the C code and DLL, as usual: github.com/gtworek/PSBits…
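
One audit that covers both this tweet and the earlier one about "Enable MPR notifications", as an added example (my code, not from either tweet and not from github.com/gtworek/PSBits): it reads the EnableMPR value the policy writes under the Winlogon key, enumerates the network-provider DLLs Winlogon notifies at logon, enumerates the netsh helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh, and checks each DLL's Authenticode signature. The registry paths are the documented ones; the Test-DllTrust verdict strings and the "signed by Microsoft" heuristic are this script's own. Run elevated on Windows.

```powershell
# Added example; not code from the tweets or from github.com/gtworek/PSBits.
# Audits two Registry-driven DLL loads by trusted Windows processes:
#   1. MPR network providers: Winlogon notifies each registered provider DLL of
#      logons, which is how a "simple DLL" gets handed cleartext credentials.
#   2. netsh helpers: netsh.exe loads every DLL listed under its NetSh key.
# Run elevated on Windows. The verdict strings and the "signed by Microsoft"
# heuristic are this script's own, not anything Windows reports.

function Test-DllTrust {
    param([string]$Path)
    if (-not $Path) { return 'MISSING-PATH' }
    $full = [Environment]::ExpandEnvironmentVariables($Path)
    # Bare file names resolve against System32 first; one that is not there is
    # worth a closer look because the loader will keep searching other directories.
    if (-not [IO.Path]::IsPathRooted($full)) { $full = Join-Path "$env:SystemRoot\System32" $full }
    if (-not (Test-Path -LiteralPath $full)) { return "NOT-FOUND ($full)" }
    $sig = Get-AuthenticodeSignature -FilePath $full   # catalog-signed OS files report Valid
    if ($sig.Status -ne 'Valid') { return "$($sig.Status) ($full)" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "THIRD-PARTY: $($sig.SignerCertificate.Subject) ($full)"
    }
    return "OK ($full)"
}

function Get-MprNotificationState {
    # Value written by the "Enable MPR notifications for the system" policy.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $wl -Name EnableMPR -ErrorAction SilentlyContinue).EnableMPR
    if ($null -eq $v) { return 'EnableMPR absent: notifications ON (default)' }
    if ($v -eq 0)     { return 'EnableMPR = 0: notifications OFF (baseline)' }
    return "EnableMPR = $v: notifications ON"
}

function Get-NetworkProviderAudit {
    $order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    foreach ($svc in ($order -split ',')) {
        $svc = $svc.Trim()
        $np = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\NetworkProvider" -ErrorAction SilentlyContinue
        [pscustomobject]@{ Kind = 'NetworkProvider'; Name = $svc; Dll = $np.ProviderPath; Verdict = Test-DllTrust $np.ProviderPath }
    }
}

function Get-NetshHelperAudit {
    $key = Get-Item 'HKLM:\SOFTWARE\Microsoft\NetSh'
    foreach ($name in $key.GetValueNames()) {
        $dll = [string]$key.GetValue($name)
        [pscustomobject]@{ Kind = 'NetshHelper'; Name = $name; Dll = $dll; Verdict = Test-DllTrust $dll }
    }
}

Get-MprNotificationState
@(Get-NetworkProviderAudit) + @(Get-NetshHelperAudit) |
    Sort-Object Kind, Name | Format-Table -AutoSize
```

Any provider or helper whose DLL is unsigned, third-party, or not where it should be is the row to pull first. Note the two controls are independent: EnableMPR = 0 stops Winlogon from handing credentials to providers, but it does nothing about netsh loading a helper that someone registered, so the NetSh key needs its own baseline.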

bohops (@bohops) 's Twitter Profile Photo

Here are a few recent additions to the Microsoft Block Rules 👀
- webclnt.dll
- davsvc.dll
- HVCIScan.exe
And it is nice to see Will Dormann on the acknowledgements list - congrats! learn.microsoft.com/en-us/windows/…