eversinc33 🤍🔪
@eversinc33
Followers
3,978
Following
688
Media
38
Statuses
511
malware development and windows kernel stuff
Vienna
Joined January 2022
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
EXTRAORDINARY OIL WITH BECKY
• 560633 Tweets
Atatürk
• 330481 Tweets
ラピュタ
• 178832 Tweets
#خلصوا_صفقات_الهلال1
• 177957 Tweets
#AlnassrNeedsMidfielder
• 95257 Tweets
#それスノ
• 82210 Tweets
Gaudreau
• 62920 Tweets
Kimi
• 44555 Tweets
#金曜ロードショー
• 37233 Tweets
#Mステ
• 35320 Tweets
YINWAR OVER THE HORIZON
• 18500 Tweets
バルス祭り
• 18129 Tweets
Antonelli
• 16831 Tweets
ブラックスワン
• 13957 Tweets
ロビン復刻
• 13806 Tweets
SILENT CRIES MV OUT NOW
• 11477 Tweets
トパーズ
• 10806 Tweets
Pinned Tweet
New blogpost and small tool release: Wrote a naive anti-rootkit driver that detects mapped drivers, and talk about some bypasses for those detections in part I of my new (anti-)-anti-rootkit series.
More research on rootkit evasion coming soon : )
14
128
354
Dumbest AMSI bypass I know so far, but it works: sideloading a fake amsi.dll to a copied version of powershell which simply return S_OK / AMSI_RESULT_CLEAN for every command. I would have thought that there was some kind of signature check upon loading amsi.dll but apparently not
18
273
921
Finally got it done to change my packer from nim to C++ and adding some new features.
Best feeling ever when the demon calls home and there are no alerts or detections from elastic EDR on full blast :)
27
117
730
If you are facing an EDR with PEB protection/obf which makes Ldr inaccessible & want to inject shellcode, just pass the VA of LoadLibrary (which is consistent across processes) to the shellcode via egg-hunting from your injector, enabling lib resolution without touching the PEB
10
135
599
Cool trick I learned from
@0gtweet
today: you can look up windows error codes, even in the -DEC form instead of hex, via certutil 🤯 Dont know if this was common knowledge but I used to convert it to hex and google it everytime
13
120
554
Small experiment today, inspired by
@kaganisildak
, using RCON protocol, as used by e.g. CS 1.6 as a C2 channel for the lulz
14
79
447
Wrote a blog post for my company on how we implement obfuscation for our C# post-exploitation arsenal. Discussing some detection opportunities and our ways around them. Special thx to
@Flangvik
for his video on SharpCollection, which is our pipelines base
7
159
409
For those of you that missed it or want to rewatch it, my "Intro to Syscalls for Windows Malware" talk in the
@preludeorg
discord got uploaded to their youtube channel today 🙂
Thanks again for having me!
5
113
347
Wrote a short blog post about implementing stealthy keylogging in the kernel with gafAsyncKeyState, inspired by
@chompie1337
's &
@FuzzySec
's blackhat talk
11
113
327
@offbeat
@kaganisildak
@vxunderground
Yea yea, EDR bypass this, VEH that, but have you every ran mimikatz while surfing in 1.6.? 😎😎
5
60
307
Excited to be giving a talk about syscalls for windows malware in the
@preludeorg
Discord this wednesday, April 12, 2 PM EST.
The talk is aimed at people new to malware dev & gives an overview about different syscall implementations 🙂 See you there!
4
70
257
If you are not using Max yet () I can very much recommend it to get more out of BloodHound.
Among other features, you can quickly mark a list of users as owned instead of doing it manually (useful e.g. after collecting creds from password spraying)
4
61
200
I was tired of manually creating wordlists or having to rely on python for pre2k sprays, so did some small adjustments to
@dafthack
's DomainPasswordSpray to run pre2k password spraying on all computer objects of a domain.
1
47
193
I documented some of my insights of learning about windows access tokens lately. Talking about how to get SYSTEM by token duplication and investigate potato exploits.
Had this blogpost lying around unfinished for a few weeks and got to finish it today :)
0
63
145
Just tagged v0.1.0. Major refactoring, mostly since I ditched IOCTL communications for shared memory and optimized for manual driver mapping. Still many todos, but somewhat usable now.
2
36
134
One of the best articles I've read recently, if you are interested in understanding call stack unwinding / spoofing.
0
46
126
I am probably just tripping, but I didnt find any C# implementation of the StartWebclient BOF from
@OutflankNL
on github (?) so I did a quick copy paste port to C# to make that windows privesc even more straightforward
3
48
122
Made some slight modifications to my HellsGate variant @ - now instead of simply trampoline-jumping to the first syscall instruction found in NTDLL it jumps to the one corresponding to the actual syscall (i.e the instruction after `mov eax, <syscallNr>`).
5
40
119
First steps in rootkit/kernel land 😍Just some classics that are super easy to implement: arbitrarily changing process protection levels (by directly modifying EPROCESS struct) and killing processes (calling ZwTerminate from kernel land). Very fun to work from the kernel though.
3
15
114
Had some time lately and got back to my rootkit, so here are some minor updates: Can now remove kernel callbacks by replacing the function pointer in the respective EX_CALLBACK_ROUTINE_BLOCK with a ptr to an empty callback (Could also completely remove or zero it instead)
3
13
79
Had some fun implementing the trampoline technique to make sure all syscalls go through NTDLL into the Nim HellsGate implementation by zimawhit3. Thank you
@passthehashbrwn
for the blog on hiding syscalls! ()
1
30
78
Found a machine that can be pwned via RBCD but machineAccountQuota is set to 0?
Run some pre2k-account passwort spraying (e.g. with or using Kerbrute) to compromise a machine account which you can use instead
2
13
74
@luciascarlet
That is catchy saw line. You may not like it, but this is what peak EDM sounds like
1
0
64
Implemented process hiding as well (even though that is dangerous due to patch guard) and improved upon usability and stability. Next up is refactoring the driver code from C to C++ in order to make it more maintainable :) Code is available at
4
16
69
Looks like
@ShitSecure
and me are giving a workshop at
@x33fcon
this year👀We will be talking about packer development and help you to build your own packer for dropping malware in protected environments. Be there or be square🟥
Yeeah! 🔥🔥🔥🔥 Looks like
@eversinc33
and I will give a Maldev Workshop at
@x33fcon
2024! 😎Looking forward for that but also for this conference in general 🥰 Pirate Ship, we are ready 🏴☠️🦜
8
9
108
5
10
69
You can also use the grimresource technique discovered by
@dez_
&
@SBousseaden
for lateral movement to WinServer<=2012, using the MMC.Application.1 DCOM object and the _Application::Load method:
1
11
66
Nice tool:) Reminded me of a script I wrote a while ago, which is for those environments where users have to change their pws every X months, resulting in passwords like January2022. The script simply uses the LDAP pwdLastSet attr to generate a wordlist.
You are doing your pentest engagements from a Windows machine?
#LDAPWordlistHarvester
is now available in powershell!
➡️
Happy password cracking!
2
19
72
0
15
53
2
13
52
Me using WinDivert and MobaXterm portable to relay a DC auth through 2 layers of Linux hosts to bypass the network segmentation and firewalls to get domain admin through ADCS today
4
0
54
Experimented with some phishing ideas last night. Pretty sure not many would fall for this fake web based logonscreen, but fun exercise nevertheless :'D (Un)fortunately, fullscreen mode has to be initiated by a user interaction, such as a click, and cant be initiated without
4
4
48
I was researching abusing the GPU for malware lately and wrote down some of my musings about it in a short post: I show how OpenCL can be used for shellcode decryption and list some of the related projects I found. If you know more, please lmk!
1
11
43
As always, code on github. The code needs a lot of work, but its fun to be back in kernel land again. Hopefully I can keep my motivation up for some
more features
1
12
37
@vxunderground
>has to use tg desktop
>has to click on pyzw
>has to have python installed on host
I doubt it
0
0
37
Is there a tool/website for identifying windows structs when reverse engineering? E.g., I know that the struct im analysing contains the PID at offset XYZ, thus I want it to list all structures that contain a parameter called ProcessId at offset XYZ, to narrow my search
3
1
37
Implementing the process mockingjay technique or whatever you may called it really helped with getting rid of the "Code from unbacked region" alert. s/o
@SecurityJoes
for the article.
1
5
31
@LRVT7
Sure! Its literally just the code from the picture plus the stub from SharpDllProxy though:
1
1
31
Non-infosec post, but not gonna lie, this was probably the most satisfying moment in my programming life so far: I got my PS1-Emulator (which I have been working on as a side project for quite some time on&off) get through the BIOS to the point where it renders the SONY logo 😍
1
1
31
Can only recommend reading this blog series by
@compasssecurity
if you are interested in the inner workings of BloodHound, e.g. how it enumerates certain things and what privileges are needed. Really great read.
0
15
28
Late 2 the party but my 2 cents:
- Yes you probably should know about programming and be somewhat of an expert in many technologies if you want to pentest. That's not gatekeeping but the reality if you want to be more than a script runner (== replacable)
1/x
I wrote this to try to bring some reality to people trying to break into cyber. People will disagree with some (all) of it but hopefully somebody benefits from what I saw when I worked as a pentester.
54
194
800
1
3
28
What are reasons why a silver ticket would not work?
I have a machine accounts NT hash (valid) and create the ticket with , but I cant use it to authenticate (neither cifs/wmi/..), always access denied. Only on this one client though, for others it works
6
1
26
Any recommendations for red teaming courses/certs that focus more on the operator side instead of the payloads? I did CRTO I which was great, but I feel like CRTO II is more focused on payloads. Im thinking about lateral movement technques, persistence etc.
10
2
24
Since DS-Replication-Get-Changes as well as DS-Replication-Get-Changes-All are needed to DC Sync, am I right in my understanding that a user with only DS-Replication-Get-Changes alone can not be leveraged in any way?
1
0
17
I also fiddled a bit with file protections, hooking the NTFS drivers FileCreate, to deny access to the rootkits file. This doesnt hide the file, but prevents any user from accessing it. This is rather non-elegant tho and I will look at filter drivers instead as a next step...
1
1
16
Do I have any malware friends in austria? I just moved to vienna, If u wanna link, my dms are open <3
2
0
13
Going live in an hour!
Excited to be giving a talk about syscalls for windows malware in the
@preludeorg
Discord this wednesday, April 12, 2 PM EST.
The talk is aimed at people new to malware dev & gives an overview about different syscall implementations 🙂 See you there!
4
70
257
3
2
15
@0xTriboulet
You probably already have templates for injectors that you use, start by automating the process of crypting a payload and building the injector. Also look at other packers and watch this talk
0
0
15
4
0
14
@deadvolvo
Neat, COM has a lot of potential for such things. You can also avoid the handle/suspension by getting the DLL to unhook from the MS symbol servers. Cool thing is, it works for any MS DLL, you can just calculate the url from the headers of the DLL in memory
1
1
14
@DebugPrivilege
Actually, !process 0 0 already shows the handle count for each. No scripting needed :)
2
1
14
Also implemented "burying" a process, meaning to stop it from restarting, by adding a kernel callback to opening of processes and blocking the image name as well as token manipulation, again by modifying EPROCESS. Way to much fun, but now time to sleep 💤
2
3
13
@J3rge
Awesome, love seeing gpu malware. You can also offload decryption to the gpu for fun, wrote about it here:
0
1
13
Ok lol, adding a small delay up to 3 seconds before maximizing seems to be allowed by firefox. Makes it a bit more convincing since it doesnt feel like a reaction to the click.
1
2
13
Does anyone know if loading drivers to paged memory with ZwSetSystemInformation and SystemLoadAndCallImage still works on Win >= 10? I am getting a privilege not held error, even with all privileges enabled
1
1
13
@GuyCustomer
@tabaahi_
@hacker_
dude everybody knows he means cache poisoning and hes obviously not english native. stop being a dick to someone for making errors when speaking their second or third language
0
0
12
Finally: If your company treats you like he was treated, leave & get a job in a small boutique pentesting shop and enjoy life ;)
4/4
0
0
12
@domchell
Virtualize on an external system and RDP/Whatever into it. Seriously, save yourself the headaches of emulation and cross compilation ^^
2
0
11
@woodby_sean
@424f424f
Depends on where you are at knowledge wise, but I recommend reading vx underground papers, reading source code and blogs of tools and techniques, and if you are just starting out, this series was great back then:
0
1
11
Also:
- You dont need to know anything about what is detected and what not when pentesting. A pentest shouldnt care about that, I think pentesting and red teaming was mixed up a bit here...
- You dont even need to know AD, if you just do web, there are many jobs available.
3/x
2
0
10
- Many just like the idea of being a "hacker" but dont want to put in the work. If you dont enjoy the grind, this career probably isnt for you (and that's fine). There are many other roles in IT and infosec that will pay just the same or better + u have to grind less for
2/x
1
0
10
Also some basics that are already familiar from userland: resolve functions dynamically by parsing the ntoskrnl EAT. After all, its just another regular PE
1
2
10
@vxunderground
@sirifu4k1
Plus on the account theres another repo calles hellsgate, which is literally copy paste from zimawhit3, except for the "author" comment at the top lol
1
0
10
@q8fawazo
@dazzyddos
@kyleavery_
Or you just install random products from microsoft and scan for DLLs again - I found microsoft signed DLLs with rwx regions big enough to host full mimikatz donut shellcode
2
2
9
@andre_lugt
@hacker_
Uber pays their drivers the bare minimum and keeps police from investigating their shady business (they even have kill switches if they have a police raid, look it up). So hacktivism + 4 the lulz I guess. See the hashtag in the slack msg posted by the hackers when they announced
1
1
9
@icyguider
My favorite part of development is when you reach a working state that justifies adding ascii art haha <3
1
0
8
Does anyone have .gdt files for WDF structs in ghidra? I am only aware of the WDM ones
2
3
8
@techspence
Yep:) and many EDRs will obviously flag the copied powershell.exe, but as someone who tends to overthink/overcomplicate things it blew my mind that this worked. I presumed amsi was in KnownDlls
1
0
8
Ah nevermind, I figured it out. This is now kernel mode only and otherwise fails with privilege not held
0
0
8
@D4RKR4BB1T47
Why not let people learn instead of gatekeeping/shaming? Point them in a right direction instead? I think weve all been there and at least they took the courage to ask someone for help
1
0
8
@vysecurity
@0xocdsec
Because describing the research, discovery and the bug itself can inspire research that discovers new vulnerabilities?
0
0
8
Refactoring to C++ is done, next was adding enumeration of kernel callbacks. For now only for process creation. Learned some nice reversing techniques and got some more windbg practice. Thanks to a great blog by
@yarden_shafir
: 😄
1
0
8
@Defte_
Hacky solution: Spin up VM, import reg export file to import reg entores, run reg save on VM?
2
0
6
@dez_
@SBousseaden
On up2date systems, MMC DCOM is firewall blocked by default though and its most likely flagged by every EDR because MMC lateral movement is ancient "¯\_(ツ)_/¯"
1
1
7
fuck the ghidra C parser, but I think I am very close to a working .gdt file
1
0
7
@GTKlondike
Great rip. I rarely see this mentioned, but this is exactly what I tell people when they want to get into pentesting. Learn to build what you want to break. Same goes for internal pentesting and setting up an AD yourself (no setup scripts, all by hand).
0
0
6
AllExtendedRights and WriteAccRestrictions on a Unix system joined to the domain (netgear nas). No ssh open. Any ideas how this can be exploited to gain code exec?
0
1
6
@pruno9
Hell no haha I rewrote it from scratch, I just reused the builder script. I used ChatGPT only for one thing, but it failed gloriously (porting some winapi stuff to syscalls) and in the end I wrote that part myself as well.
1
0
6
0
0
6
@sixtyvividtails
SentinelOne does IIRC. Not sure about others, but I remember ocassionally running into problems with PEB->Ldr resolution. This idea just came randomly when speaking to a friend & wasnt tied to a specific EDR though
3
0
6
@HackingLZ
Skill issue, add good fruit, nuts, avocado etc. and, depending on the toppings, spices such as cinnamon, cardamon, cloves and maybe a lil bit of natural sweetener such as agave syrup, boom, tasty af
1
0
4