SEKTOR7 Institute (@sektor7net) 's Twitter Profile
SEKTOR7 Institute

@sektor7net

Homo Aptus.
Vincit qui se vincit (He conquers who conquers himself) - Publilius Syrus.
Consulting, Training, Technology, Cyber domain, and more...
@x33fcon founder.

ID: 1120035459739136001

Website: https://institute.sektor7.net | Joined: 21-04-2019 18:43:57

1.1K Tweets

13.13K Followers

354 Following

SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Swimming deep inside the Windows Security Center service to re-engineer the API access that allows disabling Windows Defender.

COM interface reconstruction and integrity checks bypassed to inform WD that it's not the-boss-in-the-house anymore...

A post by <a href="/es3n1n/">es3n1n</a>. Nicely done!

Repo:
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Impressive analysis of goodware and malware static artifacts, identifying some gaps offensive devs fall into during the development process.

Research conducted by Michael Ranaldo (@michaeljranaldo) and Brandon (<a href="/__mez0__/">☠️ Brandon</a>) of <a href="/preemptdev/">pre.empt</a>. Great work, gents!

Side note: binary
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Injecting into a remote process with reduced process access (PROCESS_CREATE_THREAD and PROCESS_QUERY_LIMITED_INFORMATION only).

No ROP gadgets needed. Just clever use of Native API calls.

Post by Thanos (<a href="/trickster0/">trickster0</a>). Good job, sir!

trickster0.github.io/posts/Primitiv…

#redteam #maldev
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Credential access via Shadow Snapshots, WMI and SMB, all done remotely.

Technique implemented inside the impacket framework, accompanied by detection automation using the ETW providers Microsoft-Windows-WMI-Activity + Microsoft-Windows-SMBServer.

A technique developed by Peter
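Added example (editor's illustration, not the impacket implementation or the detection automation the post refers to): a correlation rule run over constructed sample events from the two ETW providers named above. The idea is that a shadow copy created remotely through WMI is only interesting when the same client then pulls files back over an administrative share, since the snapshot device itself is not reachable through a share and the hives have to be copied out first. The provider names are from the post; every event field name, the `client` address join, and the `Operation` string layout (modelled on WMI-Activity trace event 11) are assumptions.

```python
"""Correlate a remote shadow-copy creation over WMI with follow-up SMB reads.

Added example, not the implementation the post refers to. The ETW provider names
come from the post; every event field below is an assumption modelled on what the
providers expose (WMI-Activity trace event 11 carries an 'Operation' string such as
'Start IWbemServices::ExecMethod - root\\cimv2 : Win32_ShadowCopy::Create').
All events are constructed sample data, not captured telemetry.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

OPERATION_RE = re.compile(r"^Start IWbemServices::(\w+) - (.+?) : (.+)$")
CREDENTIAL_FILES = {"sam", "system", "security", "ntds.dit"}   # registry hives and AD database
ADMIN_SHARES = {"C$", "ADMIN$"}

# Constructed WMI-Activity events. 'client' is assumed already resolved to an address;
# the real provider logs a ClientMachine host name, so a lookup is needed before joining.
WMI_ACTIVITY_EVENTS = [
    {"time": "2025-03-20T10:00:01", "client": "10.0.0.5", "user": "CORP\\svc_backup",
     "operation": "Start IWbemServices::ExecMethod - root\\cimv2 : Win32_ShadowCopy::Create"},
    {"time": "2025-03-20T10:00:03", "client": "10.0.0.9", "user": "CORP\\helpdesk",
     "operation": "Start IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Process"},
    {"time": "2025-03-20T11:30:00", "client": "10.0.0.7", "user": "CORP\\backup_admin",
     "operation": "Start IWbemServices::ExecMethod - root\\cimv2 : Win32_ShadowCopy::Create"},
]
# Constructed SMBServer file-access events: the hives were copied out of the snapshot
# into a temp folder first, then read back over the admin share.
SMB_SERVER_EVENTS = [
    {"time": "2025-03-20T10:00:20", "client": "10.0.0.5", "share": "C$", "access": "read",
     "path": "Windows\\Temp\\SAM"},
    {"time": "2025-03-20T10:00:21", "client": "10.0.0.5", "share": "C$", "access": "read",
     "path": "Windows\\Temp\\SYSTEM"},
    {"time": "2025-03-20T10:00:22", "client": "10.0.0.5", "share": "C$", "access": "read",
     "path": "Windows\\Temp\\ntds.dit"},
    {"time": "2025-03-20T10:05:00", "client": "10.0.0.9", "share": "Public", "access": "read",
     "path": "docs\\report.docx"},
]


def parse_wmi_operation(operation):
    """Split the Operation string into api / namespace / target.
    For ExecMethod the target is 'Class::Method'; for ExecQuery it is the WQL text."""
    m = OPERATION_RE.match(operation)
    if not m:
        return None
    return {"api": m.group(1), "namespace": m.group(2), "target": m.group(3)}


def is_shadow_copy_create(event):
    parsed = parse_wmi_operation(event["operation"])
    return (parsed is not None and parsed["api"] == "ExecMethod"
            and parsed["target"].lower() == "win32_shadowcopy::create")


def _ts(value):
    return datetime.fromisoformat(value)


def correlate(wmi_events, smb_events, window=timedelta(minutes=15)):
    """One alert per remote Win32_ShadowCopy::Create that is followed, from the same
    client and within `window`, by reads over an administrative share. Severity is
    'high' when a read touches a credential-store file name. A snapshot with no
    follow-up read is deliberately not alerted on: backup software does that all day."""
    alerts = []
    for w in wmi_events:
        if not is_shadow_copy_create(w):
            continue
        t0 = _ts(w["time"])
        reads = [s for s in smb_events
                 if s["client"] == w["client"] and s["access"] == "read"
                 and s["share"].upper() in ADMIN_SHARES
                 and t0 <= _ts(s["time"]) <= t0 + window]
        if not reads:
            continue
        names = {PureWindowsPath(s["path"]).name.lower() for s in reads}
        alerts.append({
            "client": w["client"], "user": w["user"], "shadow_copy_at": w["time"],
            "files": sorted(names),
            "severity": "high" if names & CREDENTIAL_FILES else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(WMI_ACTIVITY_EVENTS, SMB_SERVER_EVENTS):
        print(alert)
```

The join key is the weak spot in practice: WMI-Activity identifies the caller by host name while the SMB server sees an address, so without a reliable name-to-address mapping the two halves never meet and the rule degrades to "remote Win32_ShadowCopy::Create", which is noisy on any host with a backup agent.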
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Detection of modern lateral movement techniques (mainly DCOM/DCE/RPC/RDP) with examples.

Some assumptions worth mentioning: visibility into source IP/port/hostname, logon activity, remote process metadata.

A blog post by the <a href="/HuntressLabs/">Huntress</a> team. Awesome read, guys!
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

VEH² technique to bypass ETW-based detection.

Hardware breakpoint abuse can be detected with the Microsoft-Windows-Kernel-Audit-API-Calls provider by looking at NtSetContextThread() calls.

VEH² uses two vector exception handlers to change the thread's context without calling
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Another way to circumvent ETW logging of SetThreadContext() calls: use NtContinue()/ZwContinue() instead.

The calling thread can change its CONTEXT, including debug registers. This can be used for any patchless hooking, and also as an AMSI bypass.

A post by Rad Kawar (<a href="/rad9800/">Rad</a>). Well
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Modern obfuscation techniques - a great weekend read.

A master's thesis (by Roman Oravec) investigates various common obfuscation techniques and freely available implementations, focusing on the LLVM Pass Framework's potential for program obfuscation.

Additionally, several
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

A new life of reflective DLLs - fixing call stacks.

Registering proper unwinding information from the .pdata section with RtlAddFunctionTable() helps fix the call stack of a function called from within a reflective DLL.

Example implementation called DreamWalkers and other
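Added example (editor's illustration, not DreamWalkers or any other implementation the post refers to): what a reflective loader has to dig out of its own mapped image before it can call RtlAddFunctionTable(). The exception data directory points at the .pdata section, which on x64 is an array of 12-byte RUNTIME_FUNCTION entries (BeginAddress, EndAddress, UnwindInfoAddress, all RVAs); the three arguments to the API are the mapped address of that array, its entry count, and the image base. The PE image below is constructed inline with a single .pdata section, laid out as if already mapped (RVA equals offset), so the parser runs offline; the function RVAs in it are made-up sample values.

```python
"""Locate the x64 unwind table (.pdata) in a mapped PE32+ image.

Added example. Parses a constructed, already-mapped image (section RVAs equal
offsets, as they do after a reflective loader has copied sections into place)
and returns exactly the three values RtlAddFunctionTable() takes. A classic
reflective loader never does this, which is why stack walks stop dead at the
DLL's frames. Offsets follow the PE/COFF specification; x64 only.
"""
import struct

IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3
RUNTIME_FUNCTION_SIZE = 12     # BeginAddress, EndAddress, UnwindInfoAddress: three uint32 RVAs
PE32PLUS_MAGIC = 0x20B
OPT_HDR_DATA_DIRECTORY = 112   # data directories start here inside a PE32+ optional header


def exception_directory(image):
    """Return (rva, size) of the exception data directory, or (0, 0) if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != PE32PLUS_MAGIC:
        raise ValueError("only PE32+ images carry x64 .pdata unwind tables")
    count = struct.unpack_from("<I", image, opt + 108)[0]   # NumberOfRvaAndSizes
    if count <= IMAGE_DIRECTORY_ENTRY_EXCEPTION:
        return (0, 0)
    return struct.unpack_from("<II", image, opt + OPT_HDR_DATA_DIRECTORY
                              + IMAGE_DIRECTORY_ENTRY_EXCEPTION * 8)


def runtime_functions(image):
    """Decode the RUNTIME_FUNCTION array as (begin_rva, end_rva, unwind_info_rva) tuples."""
    rva, size = exception_directory(image)
    if size % RUNTIME_FUNCTION_SIZE:
        raise ValueError("exception directory size is not a multiple of RUNTIME_FUNCTION")
    return [struct.unpack_from("<III", image, rva + off)
            for off in range(0, size, RUNTIME_FUNCTION_SIZE)]


def rtl_add_function_table_args(image, base):
    """(FunctionTable, EntryCount, BaseAddress) for RtlAddFunctionTable()."""
    rva, size = exception_directory(image)
    return base + rva, size // RUNTIME_FUNCTION_SIZE, base


def build_sample_image():
    """Constructed minimal PE32+ image, mapped layout, with two functions in .pdata."""
    pdata_rva = 0x1000
    entries = [(0x1100, 0x1140, 0x1200), (0x1140, 0x11A0, 0x1210)]   # made-up RVAs
    pdata = b"".join(struct.pack("<III", *e) for e in entries)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)      # AMD64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 56, 0x2000)                              # SizeOfImage
    struct.pack_into("<I", opt, 108, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, OPT_HDR_DATA_DIRECTORY + IMAGE_DIRECTORY_ENTRY_EXCEPTION * 8,
                     pdata_rva, len(pdata))
    section = struct.pack("<8sIIIIIIHHI", b".pdata", len(pdata), pdata_rva, len(pdata),
                          pdata_rva, 0, 0, 0, 0, 0x40000040)             # INITIALIZED_DATA | READ
    image = bytearray(0x2000)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    image[:len(headers)] = headers
    image[pdata_rva:pdata_rva + len(pdata)] = pdata
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    table, count, base = rtl_add_function_table_args(img, 0x7FF600000000)
    print(f"RtlAddFunctionTable(0x{table:X}, {count}, 0x{base:X})")
    for begin, end, unwind in runtime_functions(img):
        print(f"  function 0x{begin:X}-0x{end:X} unwind info at 0x{unwind:X}")
```

Two caveats for anyone wiring this into a loader: the table must stay mapped for as long as the image is (pair the call with RtlDeleteFunctionTable before unmapping), and a directory size of zero means the DLL was built without unwind data, in which case there is nothing to register and the stack will stay broken no matter what the loader does. On ARM64 the entry layout differs, so the 12-byte stride here is x64-specific.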
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

On March 13th this year Raphael Mudge, the original author of Cobalt Strike, wrote a post about "Security Conversation" and, more recently, commented on the Elastic (<a href="/elasticseclabs/">Elastic Security Labs</a>) vs Shellter (<a href="/shellterproject/">Shellter</a>) case.

This brings to mind the decades-long discussion about the role of
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Bypassing AMSI with your own custom COM interfaces inside CLR process - an excellent piece by Joshua Magri (<a href="/passthehashbrwn/">Josh</a>).

The custom implementation allows allocating and loading assemblies from memory and invoking the Load_2() method instead of the typical call to Load_3(). This
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Interesting bug in CimFS driver. More importantly, it still lives in the kernel, as "admin to kernel is not a security boundary"...

A post by Chen Le Qi (<a href="/cplearns2h4ck/">chiefpie</a>). Great work!

#redteam #maldev #malwaredevelopment

starlabs.sg/blog/2025/03-c…
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Introducing Loki, a software obfuscation approach designed to withstand all known automated deobfuscation attacks.

This method efficiently combines multiple techniques, including a novel approach to synthesize formally verified expressions of arbitrary complexity.

Furthermore,
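Added example serving both obfuscation posts above (the Oravec thesis and Loki); it is an editor's toy, not Loki's synthesizer, an LLVM pass, or any code from either author. It shows the two halves of the idea at the smallest possible scale: rewriting arithmetic into Mixed Boolean-Arithmetic (MBA) forms that are hard to read but compute the same function modulo 2^n, and then verifying every rewrite rather than trusting it. Verification here is exhaustive over an 8-bit domain, which is a complete proof for that width only; Loki uses a solver to cover the full word size. A deliberately broken identity is included so the checker has something to reject.

```python
"""Mixed Boolean-Arithmetic (MBA) obfuscation with exhaustive equivalence checking.

Added example on a toy Python expression tree, not Loki or an LLVM pass. The rewrite
rules are textbook MBA identities that hold modulo 2**WIDTH; 'verified' means checked
on every input of the chosen bit width, not proven for all widths.
"""
import itertools
import random

WIDTH = 8
MASK = (1 << WIDTH) - 1


# AST nodes: ('var', name) | ('const', n) | ('not', e) | (binop, left, right)
def var(name):
    return ('var', name)


def const(n):
    return ('const', n)


def two_times(e):
    return ('*', const(2), e)


# Each rule maps the operands (a, b) of the matched operator to an equivalent expression.
RULES = {
    '+': [lambda a, b: ('+', ('^', a, b), two_times(('&', a, b))),             # x+y = (x^y) + 2(x&y)
          lambda a, b: ('+', ('|', a, b), ('&', a, b))],                        # x+y = (x|y) + (x&y)
    '-': [lambda a, b: ('-', ('^', a, b), two_times(('&', ('not', a), b)))],   # x-y = (x^y) - 2(~x&y)
    '^': [lambda a, b: ('-', ('|', a, b), ('&', a, b))],                        # x^y = (x|y) - (x&y)
    '&': [lambda a, b: ('-', ('|', a, b), ('^', a, b))],                        # x&y = (x|y) - (x^y)
    '|': [lambda a, b: ('+', ('&', a, b), ('^', a, b))],                        # x|y = (x&y) + (x^y)
}


def rewrite(node, rng):
    """One bottom-up pass: rewrite the children, then replace the node with a random rule."""
    op = node[0]
    if op in ('var', 'const'):
        return node
    if op == 'not':
        return ('not', rewrite(node[1], rng))
    a, b = rewrite(node[1], rng), rewrite(node[2], rng)
    rules = RULES.get(op)
    return rng.choice(rules)(a, b) if rules else (op, a, b)


def obfuscate(node, rounds=2, seed=7):
    """Apply `rounds` rewrite passes; every pass strictly grows the tree."""
    rng = random.Random(seed)
    for _ in range(rounds):
        node = rewrite(node, rng)
    return node


def render(node):
    """Emit the tree as Python source. +, -, *, &, |, ^ and ~ all commute with reduction
    modulo 2**WIDTH, so one final mask gives correct n-bit semantics."""
    op = node[0]
    if op == 'var':
        return node[1]
    if op == 'const':
        return str(node[1])
    if op == 'not':
        return f"(~{render(node[1])})"
    return f"({render(node[1])} {op} {render(node[2])})"


def node_count(node):
    return 1 if node[0] in ('var', 'const') else 1 + sum(node_count(c) for c in node[1:])


def equivalent(e1, e2, names=('x', 'y')):
    """Exhaustive check over the full WIDTH-bit input space: a proof for this width only."""
    c1 = compile(render(e1), '<e1>', 'eval')
    c2 = compile(render(e2), '<e2>', 'eval')
    for vals in itertools.product(range(1 << WIDTH), repeat=len(names)):
        env = dict(zip(names, vals))
        if (eval(c1, {}, env) & MASK) != (eval(c2, {}, env) & MASK):
            return False
    return True


if __name__ == "__main__":
    x, y = var('x'), var('y')
    plain = ('+', x, y)
    obf = obfuscate(plain)
    print(render(obf))
    print("nodes:", node_count(plain), "->", node_count(obf),
          "equivalent:", equivalent(plain, obf))
```

The interesting failure mode is the one the checker exists for: drop the negation from the subtraction rule and you get an expression that still looks like a plausible MBA identity but is wrong on most inputs, which in a real obfuscator means a silently miscompiled binary rather than a crash. Exhaustive checking is cheap at 8 bits (65,536 inputs per pair) and becomes impossible at 32 or 64, which is exactly where a SAT/SMT solver takes over.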
SEKTOR7 Institute (@sektor7net) 's Twitter Profile Photo

Summer Sale! 20% off on all courses! Don't take a break; take a leap forward in your career. Enroll now and transform your summer into a strategic career move with SEKTOR7. Use the link below or the code - SUMMERSALE20 institute.sektor7.net/?coupon=SUMMER… Promo ends July 31st (EoD).