thefLink (@theflinkk)'s Twitter Profile
thefLink

@theflinkk

ID: 1023431348877451266

Joined: 29-07-2018 04:53:42

57 Tweets

1,1K Followers

149 Following

CODE WHITE GmbH (@codewhitesec):

Citrix published a security bulletin regarding a pre-auth RCE in Progress ShareFile Storage Zones Controller (CVE-2021-22941) found by Markus Wulftange: support.citrix.com/article/CTX328… Details will follow on our blog at codewhitesec.blogspot.com

CODE WHITE GmbH (@codewhitesec):

Getting RCE with a Razor! Our walk-through of CVE-2021-22941 affecting Citrix ShareFile Storage Zones Controller by Markus Wulftange is now live codewhitesec.blogspot.com/2021/09/citrix…

niph (@niph_):

Interested in operational security? Join b00n and thefLink talk today to see how we are trying to stay under the radar of the blue team. brucon0x0d.sched.com/event/lMxx/pic…

CODE WHITE GmbH (@codewhitesec):

PIC your Katz! Say hello to HandleKatz, our position independent Lsass dumper abusing cloned handles, direct system calls and a modified version of minidumpwritedump() brought to you by thefLink #BruCON0x0D github.com/codewhitesec/H…

thefLink (@theflinkk):

Here is an idea to identify running beacons:
1. The beacon's ThreadState is often DelayExecution.
2. The call trace to NtDelayExecution includes unknown regions.
Works also fine against beacons sitting in file-backed memory. github.com/thefLink/Hunt-…

Mr.Un1k0d3r (@mrun1k0d3r):

We are going live tonight at 4 PM EST. Season 5, episode 1. Tonight we have a special guest: thefLink is going to present offensive PIC for red teamers. patreon.com/MrUn1k0d3r ❤ #redteam #Pentesting

CODE WHITE GmbH (@codewhitesec):

.NET Remoting Revisited – playing around with .NET Remoting led Markus Wulftange to new insights, some enhancements for James Forshaw's #ExploitRemotingService, a new universal #YSoSerialNet ObjRef gadget and its counterpart #RogueRemotingServer (1/2) codewhitesec.blogspot.com/2022/01/dotnet…

thefLink (@theflinkk):

Here is another implementation of Hellsgate + Halosgate. It makes sure that all resolved syscalls go through ntdll.dll by reusing syscall;ret instructions from clean syscall stubs. github.com/thefLink/Recyc…

CODE WHITE GmbH (@codewhitesec):

Our thefLink and Tjark Rasche will give a workshop tomorrow at BSidesBUD 🇭🇺 on creating complex offensive tools as PIC. Come and learn about offensive coding techniques, memory artifacts and benefits of coding tools as PIC.

CODE WHITE GmbH (@codewhitesec):

As part of our #x33fcon talk, invist and thefLink release a socks4a proxy leveraging PIC, WebSockets and static obfuscation on assembly level 😎 Check it out: github.com/codewhitesec/L…

thefLink (@theflinkk):

Just pushed a detection idea for Foliage/AceLdr to Hunt-Sleeping-Beacons. State Wait:UserRequest is triggered by KiUserApcDispatcher? Probably a Beacon :-) github.com/thefLink/Hunt-…

thefLink (@theflinkk):

Added an attempt to detect suspicious and blocking callbacks of timers to Hunt-Sleeping-Beacons. Probably detects some C2 using timer callbacks for sleep encryption. github.com/thefLink/Hunt-…

thefLink (@theflinkk):

Today we published a new tool to tamper with Sysmon. Uses handle elevation and a SACL bypass to remain difficult to observe using Sysmon itself or Windows Event logs. github.com/codewhitesec/S…

thefLink (@theflinkk):

Here is an ETW-based POC to monitor for (some) direct and indirect syscalls. Should find multiple open source implementations trying to avoid userland hooks. github.com/thefLink/Hunt-…

thefLink (@theflinkk):

Here is a little ETW-based tool to play with different IOCs by ImageLoad events. I feel like proxying Kernel32!LoadLibrary through Ntdll is a very strong IOC. :-) github.com/thefLink/Hunt-…

Fabian (@testert01):

[RELEASE] EvtPsst, a small mute tool developed by me that abuses exposed SYNCHRONIZE and Token handles in order to get a process handle to the EventLog process with more access. A blog post on the techniques will follow in the next days. github.com/nothingspecial… #redteam

thefLink (@theflinkk):

As presented at x33fcon (@x33fcon), this bigger update of Hunt-Sleeping-Beacons allows enumerating pending timers and their callbacks to identify timer-based sleepmasks. Additional detection ideas included :-) github.com/thefLink/Hunt-…
