I figured out a new way to **completely** disable certain EDR products only with Admin privileges in less than 30 lines of code with native applications. It works by deleting critical application files before they can do anything 🙃 A link to the GitHub repo with a PoC follows.

Astral-PE is a powerfull low-level mutator (headers obfuscator) for native Windows PE files (x32/x64). Supports EXE and DLL. github.com/DosX-dev/Astra… #obfuscator #infosec #CodeSecurity

How Malware Uses Sleep Cycles to Avoid Detection. binarydefense.com/resources/blog…

That happened much faster than I thought, awesome! ❤️

Interesting post about UDL and REG files by Kill Switch  blog.killswitchx7.com/enterprise-phi…

published a new version of defendnot (the tool that disables windows defender using wsc) with a bunch of compability fixes, if something didn't work on your machine - consider trying again with the latest version github.com/es3n1n/defendn…

Ohhhh snap now you can use Claude in your #maldev and #redteam workflow LitterBox v3.0.0: GrumpyCats python client & #MCP server that can be used to interact with LitterBox #sandbox See it in action

Good morning! I just published a blog post about a KASLR bypass that works on modern Windows 11 versions. It leverages Intel CPU cache timings to exfiltrate the base address of ntoskrnl.exe. I hope you like it! r0keb.github.io/posts/Bypassin…

Looks like Microsoft added such a "lsof" feature to fsutil.exe file queryProcessesUsing in Windows 11 24H2. 🥳 It uses the same Vista-old syscall I am using in my PowerShell script. The choice is yours :) BTW I have created my script literally one month before 24H2 release. 😎

😈 BEWARE: Claude 4 + GitHub MCP will leak your private GitHub repositories, no questions asked. We discovered a new attack on agents using GitHub’s official MCP server, which can be exploited by attackers to access your private repositories. creds to Marco Milanta (1/n) 👇

Hiding In PlainSight - Proxying DLL Loads To Hide From ETWTI Stack Tracing 0xdarkvortex.dev/proxying-dll-l…

well i have something unfortunate to share last night they gave my bounty an important rating, but marked it out of scope some how all of this is just wildly dishonest. For one its not just information disclosure. I included and addendum that showed how to leak bearer tokens and

Big fat F you microsoft energy

Very stealthy way of dumping LSASS, is done from the kernel, doesn't matter if LSASS is LSA Protected. Once loaded, the rootkit creates a system thread (PsCreateSystemThread) for dumping LSASS, iterates over all processes gets its EPROCESS (PsLookupProcessByProcessId ), then its

🔧 NT Unhooker - (PoC) A Windows security tool that detects & removes inline/IAT hooks from NTDLL.dll github.com/Teach2Breach/n…

Coming up on my 1 year anniversary with Huntress ! Taking this opportunity to go over some things myself and the team have seen in intrusions and drop some tips on basic things you can do to make your network more immune to compromise. Let's start with initial access -

Good morning! Just published a blog post diving into Windows Kernel Pool internals: basics, memory allocation functions, internal structures, and how Segment Heap, LFH, and VS work. r0keb.github.io/posts/Windows-…

Proof-of-concept kernel driver that hijacks the Windows kernel extension table mechanism to preserve process notify callbacks even when attackers disable standard process notify callbacks github.com/Dor00tkit/BamE…

Ever since I was baby I've wanted speak or give a workshop at Defcon.. This year I get to finally make that dream happen. It's on, [email protected] 😎

Another way to circumvent ETW logging the SetThreadContext() calls - use NtContinue()/ZwContinue() instead. Calling thread can change its CONTEXT, including debug registers. This can be used in any patchless hooking, also as an AMSI bypass. A post by Rad Kawar (Rad). Well