Soumyani1 (@reveng007) 's Twitter Profile
Soumyani1

@reveng007

Content absorber | CRTP | @BlackHatEvents Asia, USA, SecTor, Europe 2024 Arsenal and @WWHackinFest 2024 Presenter

ID: 1288758525896740864

https://reveng007.github.io · Joined 30-07-2020 08:49:31

2.2K Tweets

1.1K Followers

1.1K Following

Wietze (@wietze):

#HuntingTipOfTheDay: there are numerous open-source projects listing cyber threats. Some of these have easily ingestible indicators... how about:
🔵 lots-project.com + LOLBINs
🟠 hijacklibs.net + DLL write events
🟢 lolrmm.io + DNS requests

SpecterOps (@specterops):

AdminSDHolder prevents Account Operators from directly controlling Tier Zero. But most orgs grant Tier Zero privileges to unprotected principals. Jonas Bülow Knudsen explores an attack technique & path from Account Operators → Domain Admin in stock AD forests. ghst.ly/4niCixR

SEKTOR7 Institute (@sektor7net):

Credentials access via Shadow Snapshots, WMI and SMB, all done remotely.

Technique implemented inside impacket framework accompanied with detection automation utilizing ETW providers: Microsoft-Windows-WMI-Activity + Microsoft-Windows-SMBServer.

A technique developed by Peter

SEKTOR7 Institute (@sektor7net):

Modern lateral movement techniques detection (mainly DCOM/DCE/RPC/RDP) with examples.

Some assumptions worth mentioning: visibility into source IP/port/hostname, logon activity, remote process metadata.

A blog post by the Huntress team. Awesome read, guys!

SEKTOR7 Institute (@sektor7net):

An increased visibility into threads' call stacks helps with more reliable malware detection.

The approach is based on ETW telemetry and module's Export Directory data for information enrichment.

A post by John Uhlmann of Elastic Security Labs. Great read!

#redteam #blueteam #maldev

SEKTOR7 Institute (@sektor7net):

VEH² technique to bypass ETW-based detection.

Hardware breakpoints abuse can be detected with Microsoft-Windows-Kernel-Audit-API-Calls provider by looking into NtSetContextThread() calls.

VEH² uses two vector exception handlers to change the thread's context without calling

Dor (@dor00tkit):

Most EDR and AV products rely on nt!PsSetCreateProcessNotifyRoutineEx2 to monitor process creation and termination. But what happens if an attacker clears the nt!PspCreateProcessNotifyRoutine array? [1/3]

ö (@r0keb):

Good morning! Just published a blog post diving into Windows Kernel Pool internals: basics, memory allocation functions, internal structures, and how Segment Heap, LFH, and VS work. r0keb.github.io/posts/Windows-…

Daniel (@0x64616e):

Onboard yourself - PaloAlto Global Protect edition:
1. Become local admin
2. Export device cert from original workstation
3. Import cert in your VM
4. Login with user creds
5. Enjoy EDR-free testing :)

0SKR (@saab_sec):

❗️Blog post❗️ Love for Microsoft Component Object Model, RPC and AMSI attack surface. [+] Discussion on overlooked aspects of AMSI: COM and RPC. [+] Attack opportunities. sabotagesec.com/love-for-micro…

Panos Gkatziroulis 🦄 (@netbiosx):

Proof-of-concept kernel driver that hijacks the Windows kernel extension table mechanism to preserve process notify callbacks even when attackers disable standard process notify callbacks github.com/Dor00tkit/BamE…

S3cur3Th1sSh1t (@shitsecure):

The Blog post about "Revisiting Cross Session Activation attacks" is now also public. Lateral Movement with code execution in the context of an active session? 😎 Here you go: r-tec.net/r-tec-blog-rev…