Victor Sergeev (@stvetro)'s Twitter Profile
Victor Sergeev

@stvetro

I help enterprises to find and remediate complex cyberthreats

ID: 939045252035362816

Joined: 08-12-2017 08:13:29

126 Tweets

91 Followers

98 Following

adr (@aaaddress1)

hey 👋 wanna UAC bypass without dll hijacking? check out that amazing trick with only 2 RPC requests by James Forshaw. I wrote a simple PoC for demo, basically rewritten from UACMe. github.com/aaaddress1/PR0…

Jas502n (@jas502n)

#CVE-2022-0847 Dirty Pipe
5.8 <= Linux kernel < 5.16.11 / 5.15.25 / 5.10.102
dirtypipe.cm4all.com
haxx.in/files/dirtypip…

Ryan "Chaps" Chapman (@rj_chap)

#DFIR Tip: Don't forget to check out the files sitting in `ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\*`. These XML files are snapshotted daily and denote processes using high CPU cycles. See screenshot for a command to review process names/files.

Ryan Naraine (@ryanaraine)

New from Microsoft: A tool to scan for RouterOS (Mikrotik) forensic artifacts and vulnerabilities github.com/microsoft/rout…

Alex Ilgayev (@_alex_il_)

Did you know that attackers could compromise your build pipeline by creating issues on GitHub? Check out my latest blog. Spoiler alert: it's quite disastrous. cycode.com/blog/github-ac…

Ash (@_bin_ash)

This week I learned that resource-based constrained delegation can be (ab)used as a means for LPE. Low priv shell -> create machine account -> Webdav -> coerced auth -> RBCD -> LPE Special thanks to Adam Crosser from Praetorian for his blog. Ref: praetorian.com/blog/red-team-…

waldoirc (@waldoirc)

Since releasing malmemdetect and providing a list of IOCs I feel more comfortable releasing this. github.com/waldo-irc/YouM… This is a project implementation of x64 gargoyle and sRDI to bypass PeSieve and Moneta in memory as threads. It’s stable, blog post after shmoo.

Chris Thompson (@_mayyhem)

Check out my new post about coercing NTLM authentication from the local admin accounts used by SCCM servers, how to prevent it, and the release of SharpSCCM, a C# tool that can be used to demonstrate the impact of these techniques: posts.specterops.io/coercing-ntlm-…

Chris Au (@netero_1010)

Updated my ScheduleRunner to include the "hiding scheduled task" technique used by Tarrask malware. This technique can literally make your scheduled task invisible from query tools and Task Scheduler. github.com/netero1010/Sch…

Chetan Nayak (Brute Ratel C4 Author) (@ninjaparanoid)

Unable to extract credentials via DPAPI or Mimikatz? Don't worry. Microsoft got your back. Just use 'rundll32 keymgr.dll, KRShowKeyMgr' to extract all the stored passwords on the host, be it a target server, FTP or Chrome's HTTP creds, Microsoft has you covered. #redteam

kl_secservices (@kl_secservices)

Significant rise in vulnerability exploitation as initial access vector. Analysis of incident response practice in Ayman Shaaban webinar brighttalk.com/webcast/15591/… and analyst report github.com/klsecservices/… #dfir #incidentresponse #threathunting

Craig Rowland - Agentless Linux Security (@craighrowland)

More ways to decloak hidden data from Linux LKM stealth rootkits using command line tools:

grep . /etc/modules
dd count=1000 bs=1 if=/etc/modules 2>/dev/null

Quiz: Why does the above decloak the hidden data in this style of Linux rootkit?

Victor Sergeev (@stvetro)

My article about using ChatGPT for threat detection is out: securelist.com/ioc-detection-… #chatgpt #dfir #detectionengineering #ioc #incidentresponse

Arris Huijgen (@bitsadmin)

Excited to finally publish research which in the background I have been working on for several years!😃

Introducing Living Off the FOREIGN Land (#LOFL), using a Windows VM over SOCKS as an offensive platform✨

📖 blog.bitsadmin.com/living-off-the…
🏝 lofl-project.github.io

More info ⬇️

Spiros Margaris (@spirosmargaris)

5 #pros and #cons of using #GenerativeAI during #IncidentResponse securitymagazine.com/articles/99984… #fintech #cybersecurity #AI #ArtificialIntelligence #MachineLearning Victor Sergeev Kaspersky SECURITY Magazine

Kaspersky (@kaspersky)

A 'compromise assessment service' in #CyberSecurity is an evaluation that identifies potential unauthorized access or possible breaches in a computer network by analysing system data and logs. Want to learn more? SOC Experts Victor Sergeev & A.Khlief explain 👇 kaspersky.com/blog/understan…

Victor Sergeev (@stvetro)

Join me and Amged Wageh for a compelling webinar where we explore real-world cases from our practice, showcasing how Compromise Assessment uncovered hidden threats that went unnoticed.
📅 29 October 2024
🔗 brighttalk.com/webcast/15591/…
#IncidentResponse #ThreatHunting #InfoSec

kl_secservices (@kl_secservices)

We know it’s been a while since our last post. But we’re back, with great news! We’re launching our blog, “Purpleshift,” featuring interesting articles, talks, and research for both blue and red teams. Yeah that’s why it’s purple :) purpleshift.io