b33f | 🇺🇦✊
@FuzzySec
Followers
32,137
Following
898
Media
1,202
Statuses
9,055
意志 / Antiquarian @ IBM Adversary Services / Ex-TORE ⚔️🦅 / I rewrite pointers and read memory / AI Psychoanalyst / Teaching @CalypsoLabs
Jumanji
Joined April 2012
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
مدريد
• 1022673 Tweets
بنفيكا
• 502710 Tweets
Wizkid
• 379614 Tweets
Davido
• 342632 Tweets
Jack Smith
• 132146 Tweets
Bayern
• 113520 Tweets
Lille
• 101742 Tweets
Tigers
• 84977 Tweets
Aston Villa
• 63261 Tweets
Benfica
• 56169 Tweets
Duran
• 54682 Tweets
Mbappe
• 53708 Tweets
Astros
• 47404 Tweets
Ancelotti
• 42795 Tweets
Bank of America
• 35275 Tweets
Kerem
• 32099 Tweets
Shawn
• 30746 Tweets
Carlo
• 25514 Tweets
#ChampionsLeague
• 22476 Tweets
Camavinga
• 20835 Tweets
#LOSCRMA
• 19353 Tweets
Simeone
• 14968 Tweets
Dibu
• 12830 Tweets
Lunin
• 12723 Tweets
Jonathan David
• 11500 Tweets
Kroos
• 10973 Tweets
Rodrygo
• 10869 Tweets
Vlahovic
• 10576 Tweets
Neuer
• 10285 Tweets
Pinned Tweet
I wrote a follow-up post for Android (on device) fuzzing using Afl++ Frida-Mode, check it out on 🔪🧥
I also created an Ansible playbook to build your toolchain so you don't have to suffer doing that:
3
62
206
You definitely aren't more safe on Apple than on Android. Standardized hardware/software with such a large consumer base just means that VR efforts are more focused with better ROI. I switched to an iPhone earlier this year and it's honestly terrifying that there have been like 5
What's your unpopular cybersecurity opinion that gets a reaction like this?
368
87
460
45
123
922
I have posted the slides for the
#BlackHat
talk
@chompie1337
and I gave yesterday -> Close encounters of the advanced persistent kind: Leveraging rootkits for post-exploitation
16
251
700
👋 I'm releasing StandIn, a small .NET 35/45 AD post-exploitation toolkit I wrote for
@xforcered
. Hacking on endpoint is my regular jam but directory services programming is pretty 🔥🧙♂️🍩
7
254
558
Soon everyone will find out anyway so you should be aware that SandboxEscaper has dropped another 0day ->
I'm pretty tired of this => Not earning 💰 on 0day and putting people at unnecessary risk. It's really kind of lame in my book 👎
18
265
481
I posted the slides for "Staying # and Bringing Covert Injection Tradecraft to .NET" which I presented with
@TheRealWover
at
@BlueHatIL
⚔️👻🍩 =>
8
217
469
Pssst, Ghidra 10.0 is out => There is debugger support now which is great, that will definitely bridge a usability gap 🧙♂️🌶️
3
159
467
Start-Hollow -> I POC'd up process hollowing in
#PowerShell
(x32/64), can set parent process =>
7
243
447
I wrote up a POC, WindfarmDynamite, to educate myself on process injection using WNF. This work is based on the great research by
@aionescu
/
@pwissenlit
and the awesome work by modexp ❤️👻⚔️. For further details check out the GitHub page =>
3
228
444
I'm releasing Dendrobate, a framework that can be used to generate managed code hooking payloads. I also added a small case-study on stealing MFA tokens from memory🧙♂️.
Check it out on the
@xforcered
GitHub☠️🐸 =>
6
194
429
I wrote a small tool, SwampThing, to demo command line spoofing as outlined by
@joehowwolf
in his recent talk at Wild West Hackin Fest (definitely go check that out!). Think here about uses cases like WMIC with stylesheets 🧙♂️ =>
7
224
427
I have a feeling this will escalate quickly 👀, I didn't realize there were such structural problems with secure boot. This CVE-2022-21894 is wild btw,
7
76
420
I'm so excited today to announce that I'm launching my own online training platform
@CalypsoLabs
🎊
The first course to appear on Labs is "Windows Instrumentation with Frida", check it out:
Labs is partnering with
@vector35
, when you sign up you get a
42
113
418
If you have SharePoint on your estate can you please poke your admins to make sure patches are applied, there is a POC for CVE-2019-0604 which will set you on 🔥 otherwise. For context check this ZDI post =>
4
215
390
Ok I saw people recommending python to new people in the field, please, just stop.
Choose .NET. Choose strong typing for robust code. Choose top-of-the-line IDEs by JetBrains, offering superior debugging capabilities and outstanding compile-time checks. Choose .NET for
101
47
387
I got an interesting question from someone: How can you use a compromised hash from a machine where you have medium integrity? Answer, request a TGT for the user and apply it to the current logon session. Here I'm using Seatbelt & Rubeus from GhostPack =>
2
174
390
I though I might as well drop this stand-alone port of
@tiraniddo
's UAC token abuse, bypasses "AlwaysNotify" -
8
252
367
I've seen some takes about the Storm actor being "lucky" and the like. Don't kid yourself, there is really good tradecraft happening here:
- Initial compromise (likely not the engineer), at a hard target (if VR angle then more likely the engineer)
- Situational awareness to
17
100
366
Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques -
3
180
339
How did I not know about this awesome collection of CON talks/videos! =>
2
203
339
I'm releasing a crude POC Melkor. Melkor DPAPI encrypts .Net assemblies in memory and can decrypt & execute them on demand in a new AppDomain. This technique is an adaptation of a TTP used by InvisiMole. More details here -->
5
149
338
I hope defenders have taken note of PrivExchange and kicked their Admin's into action. Don't make me come and investigate that meltdown 👻. Check out this post by
@G0ldenGunSec
-> and the execute-assembly evil by
@den_n1s
->
0
170
337
Windows 10 RS2: Arbitrary write -> Bitmap -> PTE overwrite -> shellcode. LowIL compatible and could work with 1 byte uncontrolled write 😎🐚
7
191
327
When attackers pop your box they own your mail as well 🔪💣, DiaLogos is a self-contained .Net binary so there is the added ph33r of execute-assembly 💐
8
136
327
Start-Eidolon is now available on github => Can load PE from disk, can load Mimikatz from memory & can set parent process for the doppelgänger -
7
202
302
Don't think attackers can modify your event logs? Are you shipping logs off for remote collection? Have you set traps for EventLogEdit type attacks (e.g. handle duplication, thread state, file write events)? Check out my
#PowerShell
POC demo 🙈🔪💣 -
3
165
302
I am releasing DiscerningFinch, a small toolkit to generate keyed -> encrypted wrappers for .NET binaries. DiscerningFinch itself doesn't know the key and will try to brute force decrypt the inner binary based on OS constants. More details on GitHub =>
5
146
297
The Barracuda story is wild, terminate your devices with 🔥 regardless of patch level is not something you like to hear ->
I grabbed the SALTWATER sample and had a 3 minute look at it (some screenshots below). Can I just say how wild it is that endpoint
5
78
282
I added a kernel shellcode generator to the
#PowerShell
PSKernel-Primitives repo -> Get-KernelShellCode:
4
142
284
I wrote a post on coverage guided fuzzing for native Android libraries (using Frida & Radamsa), check it out on KnifeCoat 🔪🧥
1
82
283
I am releasing a small POC, VirtToPhys, to show how you can abuse Driver physical mem map bugs to resolve Kernel Virtual Addresses to Physical Addresses =>
3
101
276
200+ RCE vulns in Trend Micro, the HITB slides are totally savage guys! 😍😎
@steventseeley
&
@malerisch
-
2
196
277
Invoke-SMBShell, POC shell that uses encrypted SMB for communication -
5
192
269
I implemented doppleganger in
#PowerShell
, still needs a bit of cleanup. Seems to do the trick but there are some limitations (x64->x32 & need write access to the process you want to masquerade).
2
120
262
AtomicBird, a quick crude POC to chain together some things => EasyHook for .NET payloads, Costura to pack modules (managed/unmanaged), Donut for shellcode generation and UrbanBishop for injection ❤️⚔️. More details on Github =>
3
98
252
Today is a special day for me. After almost 10 years of professional service in the UK, I'm in the airport now, leaving the Kingdoms to make a new start in the USA. Do you think they know about English breakfast tea, queueing and sarcasm? 🫡🥲
59
6
253
A
#PowerShell
wrapper for CVE-2017-8464 LNK vulnerability is coming 😎 (uses ShellLink lib cc
@yorickkoster
)
3
151
245
For science and profit I wrote an exploit for CVE-2022-21882. It works on 10 and 11. It's a really good case-study on win32k callbacks, more details in thread 🧵
5
68
237
I made a highlight of the first Patreon live session 🎥where we exploited CVE-2017-9769 & CVE-2017-14398 in rzpnk.sys
5
97
231
I have released Fermion, an electron application for
@fridadotre
with integrated Monaco code editor. Check out the repo here => you can also download a pre-built release package for x64 Windows ❤️💀
3
94
217
I posted the slides, setup script and walkthrough for our DefCon Windows Breakout & Privesc workshop on GitHub -
6
141
215
As people may not be familiar with Frida on Windows I'll add some sample scripts as and when I can. I just added DllLoadBehaviour.js which demonstrates how to hook LoadLibraryA/W, LoadLibraryExA/W, LdrLoadDll and pull out various bits of information 👍 =>
6
100
217
Since there is a lot of talk about Kernel drivers and I have been writing some myself I though it would be beneficial to upload a template people can use if they want to play or get a head start on their own project. =>
3
68
216
I wrote an "aimbot" for XP's minesweeper (any size / configuration) using
@fridadotre
, apparently I got some high scores ❤️😂😂. POC is in the
#Fermion
repo =>
7
54
213
I posted the slides and demo's for my talk at
@WWHackinFest
Statikk Shiv: Leveraging Electron Applications For Post-Exploitation =>
12
75
213
I spent some time studying Donut () recently, great work by
@TheRealWover
and odzhan <3. I wrote a small loader for testing, UrbanBishop, which is doing some interesting tricks. Details on GitHub =>
2
99
211
FuzzySec [More PS Kernel Pwn!] -> Windows Kernel Exploitation: Null Pointer Dereference -
5
156
208
The recording for the talk I did at SANS HackFest is online:
(Ab)using the Microsoft Identity Platform: Exploring Azure AD Token Caching
I want to thank
@Steph3nSims
for the invitation and putting on such an excellent event 🙇♂️
5
75
208
I wanted to highlight some of the foundational capabilities that we introduced into SharpSploit as part of our
#BlueHatIL
talk --> Manual mapping, generic Syscalls & dynamic module/function resolution. Simple usage examples here =>
0
87
208
A quick repro for CVE-2024-21338 that was used by Lazarus to stage their rootkit in-the-wild. There will be a blogpost later to share the technical details 👻💀
5
49
201
Masquerade-PEB, overwrite PowerShell's PEB to impersonate a process -
7
136
199
Here is an RCE demo for Cobalt Strike CVE-2022-39197. Like
@0x09AL
said the patch is not a complete fix, be careful. Also I don't want to see any more java code for a while, holy f. Maybe at some point I will post some patch analysis 🥃
17
90
195
I wrote a
#PowerShell
function, Native-HardLink to create NtSetInformationFile hard links on Windows (seems appropriate given this week 😉) =>
2
104
193
I wrote a quick post on setting up your Burp CA on Android 14. I wasted some time getting this to work so I thought I would share steps to save someone else the trouble 🔪🧥
3
68
193
I pushed an update for
@xforcered
StandIn (v1.3) which includes a number of companion functions for Certify and ADCS template attacks 🌶️👻🧙♂️ ==> new docs
3
83
186
A sneak peak at SilkETW, a flexible tool to capture and analyse ETW trace data. Not only useful for detection but also to aid researchers ❤️👻
3
73
185
I added another quick tool, Canary, it lets you pull browser history from Chrome and the new chromium Edge. It's a DYI extension basically for SharpChrome -
3
69
181
Tonight I'm toasting team red; may your phish always have a ring of truth, may the domain be full of silver and your tickets made of gold. I'm very exited to announce I'm hopping the fence to the blue side on
@FireEye
's Advanced Practices team 🧙♂️🔥 (Cc
@ItsReallyNick
)
30
18
183
So I saw a post about a treat actor using Telegram for C2 (interesting, I dig it). Turns out there is robust API support for telegram. I, however, was curious about signal. I had a quick look at the security profile of Signal Desktop and it's bad ok, like really bad. Do not use
11
39
180
Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472) ->
2
79
183
Looking at -> Exploiting Windows RPC to bypass CFG mitigation (
@iamelli0t
)
This indirection using NdrServerCall2 is really interesting (not just for VR). I wrote a small Frida script for parsing:
3
58
179
Over the weekend I was reading a post by
@inversecos
on exploiting an Arm64 binary:
I thought it would be interesting to also do the exploit on x64 Windows and show how we can use Frida to autopwn the binary, check it out on 🔪🧥
2
63
172
SharpWeb - .NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge =>
1
91
163
I wrote a quick introduction post on using unsafe in .NET, I figured there isn't a lot of simple literature on the subject so someone may find it useful 🙇♂️
2
45
161
It's interesting, if you hook ntlmshared!MsvpPasswordValidate and try to auth as any user then Password->_SAMPR_USER_INTERNAL1_INFORMATION.NTHash gives you the hash of that user. This is probably an easy way to write your own DIY hash dumping util.
3
47
159
Wait but why does Windows let you load a driver that was signed with a cert which is now expired and was not timestamped when it was signed? How does that make sense (cc
@mattifestation
)? I recommend that defenders write signatures for files signed with leaked NVIDIA certificate
14
25
157
Bugfix for Invoke-MS16-032, 100% reliable & no more looping = instant shellz
2
125
152
Over the past few evenings I have been teaching myself more about .NET deserialization vulnerabilities and writing up my notes. Check out my post on ObjectDataProvider Deserialization using XamlReader on 🔪🧥
1
53
156
A quick demo of corrupting an IORING object for arbitrary R/W on Win11 22H2+. Big thanks to
@yarden_shafir
for her excellent research and debugging help 😁💐. Probably I will write a small overview of the process on 🔪🧥 later this week.
3
38
150
Low integrity token stealing on Win10 RS2, I will update the
#PowerShell
PSKernel-Primitives repo tomorrow! (cc
@Blomster81
)
2
78
145
Check out this great talk by
@Cyb3rWard0g
&
@cyb3rPandah
at Insomni'hack => If you play with SilkETW remember that you can augment your collection with Yara and only write matches to file/ELK/eventlog ❤️🔪
1
63
148
Windows is the best way to have Linux at hand, period. As a desktop I ran RH (when it was still free), Fedora, Mint, Debian, Ubuntu so don't @ me. The truth is WSL has done more to bring Linux to desktop that any distro has been able to ¯\_(ツ)_/¯
17
17
146
Advanced VBA macro analysis, some very interesting details =>
0
49
143
I'm teaching myself some automation with Chef. I wrote my first cookbook today 🎊. I'll add some code as I go on GitHub if people are interested =>
3
29
141
TyphoonCon 2019: Overview of the latest Windows OS kernel exploits found in the wild (
@oct0xor
&
@0x1ffffffffffff
) =>
2
74
142
FuzzySec [$KernelPwn++] -> Windows Kernel Exploitation: Integer Overflow -
2
82
141
Malware repository (not sure about the "research" tag but very interesting)
0
78
138
Shellcode: Data Compression (by odzhan) -
1
68
140
Because online dating is harder than any FromSoft boss I decided to spend a little bit of time today on making a not-really-submission for the Binary Golf
#BGGP4
replicate challenge using .NET PE's. You can read the write-up here:
1
43
142