Izy (@izysec)'s Twitter Profile
Izy

@izysec

Learning to break, working to secure.

ID: 883200352740179968

07-07-2017 05:45:47

475 Tweets

329 Followers

352 Following

Alexandre Borges (@ale_sp_brazil)

So far I've written 559 pages to help the security community: 1. exploitreversing.com/2021/12/03/mal… 2. exploitreversing.com/2022/02/03/mal… 3. exploitreversing.com/2022/05/05/mal… 4. exploitreversing.com/2022/05/12/mal… 5. exploitreversing.com/2022/09/14/mal… 6. exploitreversing.com/2022/11/24/mal… 7. exploitreversing.com/2023/01/05/mal… 8. exploitreversing.com/2023/04/11/exp…

Jonny Johnson (@jsecurity101)

I recently was doing a bit of a deeper dive into ImpersonateNamedPipeClient which led me down a rabbit hole into file system drivers. I wrote a blog on some of the cool things I ran across below :) posts.specterops.io/exploring-impe…

Grzegorz Tworek (@0gtweet)

I'm super excited to announce the launch of my "Mastering Windows Internals" pilot program. The goal is to share my knowledge and experiences, along with offering practical insights on using the tools I've developed and continue to update.

aptwhatnow (@aptwhatnow)

mandiant.com/resources/blog… In March of this year we began seeing similar blending efforts that we saw DPRK do during the pandemic, then 3CX popped off giving us more insight, then Andariel’s ROCKHATCH malware popped off with fingerprints of two other APTs in it….

David das Neves (@david_das_neves)

Great overview table of accounts that belong to tier 0. #mustView for every Sec and AD specialist. [Repo] TierZeroTable specterops.github.io/TierZeroTable/ #CyberSecurity #Identity #SpecterOps #shiftavenue

Jared Atkinson (@jaredcatkinson)

I've just released the 9th part of my On Detection series. In this post I demonstrate that we see actions in cyberspace at the Operational level and what that means for detection engineers. posts.specterops.io/on-detection-t…

Jared Atkinson (@jaredcatkinson)

I've just released the next edition of the On Detection series. I investigate why detection rules based on Process Creation are often brittle or easily bypassed. I also provide a framework for discerning when it is appropriate and when it isn't. posts.specterops.io/on-detection-t…

Riccardo (@dottor_morte)

It's a bittersweet moment, but our series of "Attacking an EDR" has come to an end! Me and Her0 hope that you had as much fun reading it as we had writing it. riccardoancarani.github.io/2023-11-07-att…

SEKTOR7 Institute (@sektor7net)

Wondering what telemetry an EDR collects? Wonder no more! Kostas and Alex Teixeira run an EDR Telemetry Project, covering all major EDRs: "The main goal of the EDR Telemetry project is to encourage EDR vendors to be more transparent about the telemetry they provide". Blog:

Izy (@izysec)

A sister team of mine is hiring. They do hard core detection engineering. You will be analyzing things you won't see elsewhere and writing a variety of content to detect it. Super technical role alongside some great folk.

Izy (@izysec)

Having convertible detection content is great, no doubt. What I think is underrated is blueteam-focused tradecraft intel. Red teams share it all the time, we should too. A threat group recently showed creativity with a known technique. Here's how it worked cloud.google.com/blog/topics/th…

Steve YARA Synapse Miller (@stvemillertime)

1) I didn't know .RDP config files could be signed 2) RDP RemoteApps are crazy 3) I always appreciate a Fuzzy Snuggly Duck cloud.google.com/blog/topics/th…

Mandiant (part of Google Cloud) (@mandiant)

Signed .rdp files are being used to trick users. GTIG observed a novel #phishing campaign targeting European government and military organizations, and has attributed it to a suspected Russia-nexus #espionage actor tracked as UNC5837. Read the details: bit.ly/4jrDcFD
