sh4hin (@s3cdev)'s Twitter Profile
sh4hin

@s3cdev

Threat Emulation/Hunting | Linux/Mac enthusiast

ID: 843399295

Link: https://github.com/sh4hin
Joined: 24-09-2012 11:15:25

410 Tweets

979 Followers

4.4K Following

SpecterOps (@specterops):

A new .NET command and control platform: Covenant by Ryan Cobb is being released today. Check it out here: posts.specterops.io/entering-a-cov…

DW (@davewestgard):

If your org is starting a threat hunting program and you want to start somewhere simple, I've built a table with some common use cases and linked them to ATT&CK framework and added some Hybrid Analysis samples. Hope this helps. github.com/dwestgard/thre…

b33f | 🇺🇦✊ (@fuzzysec):

Working on a side project I had to use the SystemProcessAndThreadsInformation class in NtQuerySystemInformation. I wrote a small wrapper which may help as a code reference if you want to do something similar => github.com/FuzzySecurity/…

Security Response (@msftsecresponse):

We are excited to announce higher Azure bounties and a new space for Azure research! The Azure Security Lab is a set of dedicated hosts that researchers can use to probe IaaS security without affecting customers. To find out more, see our blog. msrc-blog.microsoft.com/2019/08/05/azu…

Jai Minton (@cyberraiju):

10th Chapter (Kernel Debugging) of Practical Malware Analysis (No Starch Press) complete. Just about hit the halfway mark of this write-up. Write-ups take significantly longer than just reading content, but if it helps someone learn, then it's worth it. jaiminton.com/Tutorials/Prac…

S3cur3Th1sSh1t (@shitsecure):

NimGetSyscallStub is now public, the first public fully working (didn't find another myself) Nim implementation + PoC to grab fresh Syscalls from disk on runtime: github.com/S3cur3Th1sSh1t… Cas van Cooten even with a yara rule (with your template 🤓)

Moritz (@m_r_tz):

Check out capa v4 with: 1. support for analyzing .NET executables 2. finer grained capability detection via instruction and operand features 3. many new and updated detection rules Blog: mandiant.com/resources/blog… Binaries: github.com/mandiant/capa/… Source: github.com/mandiant/capa

diversenok (@diversenok_zero):

I'm happy to share the results of months of research on code injection, process tampering, and their detection! 🥳 Here you'll find technique categorization, a dive into the underlying OS mechanisms, sample demos, detection suggestions, and much more: huntandhackett.com/blog/concealed…

Matthew (@embee_research):

Reverse Engineering a #CobaltStrike #malware sample and extracting C2's using three different methods. We'll touch on #cyberchef, #x64dbg and Speakeasy from fireeye to perform manual analysis and emulation of #shellcode. A (big) thread ⬇️⬇️ [1/23]

Matt Zorich (@reprise_99):

In nearly all of our on-premises engagements, a threat actor has taken total full control of Active Directory. If you are interested in the kind of things Microsoft DART finds, and how we recommend you secure Active Directory, then this blog is for you - techcommunity.microsoft.com/t5/microsoft-s…