Peter Winter-Smith

@peterwintrsmith

Followers: 5,572
Following: 2,652
Media: 185
Statuses: 1,753

Security researcher & implant developer @mdseclabs; developing SAST @wsastsupport; malware, code analysis, appsec, cryptography. Trying to follow Christ.

London, UK
Joined August 2010
Pinned Tweet
@peterwintrsmith
Peter Winter-Smith
1 year
Today I am pleased to announce the release of a code analyser I’ve been working on in my free time - wSAST. wSAST aims to make code analysis easier for application security consultants by providing tools to graph relationships, find paths between functions,
@peterwintrsmith
Peter Winter-Smith
4 years
I recently stumbled upon the code I had written for the Crystal Anti-Exploit Protection product back in 2011-2012 and decided to make it public! There’s lots of stuff in there for any fans of exploit dev/reversing/low level windows! Check it out:
@peterwintrsmith
Peter Winter-Smith
2 years
Finally got this exciting new evasion technique working in Nighthawk! Had it working as a PoC for a while but now it seems stable enough for inclusion! Haven’t seen it done before and think the impact could be huge! 🥳🥳 more details soon hopefully!
@peterwintrsmith
Peter Winter-Smith
6 years
Thanks everyone who messaged me wrt the #libssh bug! The root cause is that the libSSH server and client share a state machine, so packets designed only to be processed by and update the client state can update the server state. Auth bypass is the most obvious effect...
@peterwintrsmith
Peter Winter-Smith
3 years
Finally able to offer an early version of what we’ve been working on @MDSecLabs 😎 there’s a lot in there! And we are just getting started!
@MDSecLabs
MDSec
3 years
Hot off the production line, Nighthawk 0.1 is available for subscribers… check out our release post
@peterwintrsmith
Peter Winter-Smith
2 years
At long last! We are finally able to release some of the R&D we’ve been working on @MDSecLabs ! Getting some of this working twisted my brain into a pretzel on more than one occasion so glad it all panned out ok in the end! 🤯
@MDSecLabs
MDSec
2 years
Trick or Treat? @MDSecLabs have a very Hacky Halloween Treat for all Nighthawk customers, announcing "Nighthawk 0.2.1, Haunting Blue"
@peterwintrsmith
Peter Winter-Smith
1 year
How I feel right now 😭
@peterwintrsmith
Peter Winter-Smith
2 years
Pretty nice technique that we came up with to hide Nighthawk in memory; it was a little more fiddly for x86 but got that working in the end too. Since @ilove2pwn_ released the details, here is an implementation
@C5pider
5pider
2 years
Ekko Sleep Obfuscation by using CreateTimerQueueTimer to queue the ROP Chain that performs the sleep obfuscation.
@peterwintrsmith
Peter Winter-Smith
2 years
The awesome work for this one lays squarely with @x86matthew - amazing work and excited to add this to Nighthawk along with some other great new capabilities over the coming weeks!
@domchell
Dominic Chell 👻
2 years
Sneak peek of an upcoming #Nighthawk feature... full hidden desktop, transparent to the user - great work @peterwintrsmith and @x86matthew
@peterwintrsmith
Peter Winter-Smith
7 months
Thanks everyone who came out to @IOActive hack soho to see my talk on wSAST! I’ve put my slides online here:
@peterwintrsmith
Peter Winter-Smith
1 year
Finally get to show some of the latest R&D we’ve been working on! 🥳 opsec CLR was long overdue! 😅
@domchell
Dominic Chell 👻
1 year
More innovation and beacon firsts for Nighthawk, great job team! 🔥🔥🔥
@peterwintrsmith
Peter Winter-Smith
4 years
I can’t believe it’s been a year at @MDSecLabs already! It’s been a year full of interesting work, development projects and insight into the Red Teaming world the likes of which I wouldn’t have received anywhere else. Do what you love and you never work a day in your life!
@peterwintrsmith
Peter Winter-Smith
9 months
Merry Christmas to all my infosec (and possibly few non-infosec) peers and colleagues! 🎄🎁
@peterwintrsmith
Peter Winter-Smith
10 months
I finally finished this release. Lots of improvements and fixes. I hope to soon start releasing some tutorials and videos on how to get the most out of wSAST! I also hope to talk about it at an @IOActive hack soho event in the new year!
@wsastsupport
wSAST Support
10 months
wSAST v0.1-alpha (release date 18-12-2023) is now public! This release contains support for annotation-based rules, and support for filtering entry points when launching scans, as well as several important improvements to path finding, rule matching.
@peterwintrsmith
Peter Winter-Smith
3 years
Thanks Dom! Been amazing working with @_batsec_ and @modexpblog on this and so pleased it’s all finally coming to fruition! 😁 stay tuned!
@domchell
Dominic Chell 👻
3 years
Amazing work from @peterwintrsmith and @_batsec_ in getting full BOF support in to the @MDSecLabs implant #nighthawk
@peterwintrsmith
Peter Winter-Smith
7 months
Candid from @seanderegge … code analysis is serious business as you can see from my expression 😠
@peterwintrsmith
Peter Winter-Smith
1 year
Nighthawk opsec CLR FTW! 😎
@Weasel_Sec
Weasel Sec
1 year
.NET inline-assembly is better than execute-assembly if you don't want sacrificial process but it drops so many indicators in the memory. These were found within sleeping beacon and the ETW had been patched prior to execution. Thanks to @peterwintrsmith for guidance.
@peterwintrsmith
Peter Winter-Smith
1 year
Amazing work from the team! 🔥
@MDSecLabs
MDSec
1 year
Nighthawk 0.2.6 - Three Wise Monkeys, details of our upcoming new release for Nighthawk. See no evil, hear no evil, speak no evil.
@peterwintrsmith
Peter Winter-Smith
10 months
Retweeting to raise awareness - I’ve been lucky enough to experience some of the Outflank office R&D and those guys are doing big things! 💪🏻
@OutflankNL
Outflank
10 months
With his ability to stealthily get into houses, Santa is a natural red teamer, which is why he’s giving you the gift of offensive security! Register now for a free training course on Microsoft Office tradecraft, taught by @StanHacked and @ptrpieter
@peterwintrsmith
Peter Winter-Smith
3 years
First solo on the electric ukulele (yes they exist 😂) perhaps a little ambitious - not sure whether Van Halen would approve! I’ll check back in in a few months! 😆
@peterwintrsmith
Peter Winter-Smith
2 years
A quick attempt at the Crazy Train solo 🎸
@peterwintrsmith
Peter Winter-Smith
6 years
... but the entire state machine is at flaw here so there may be other, more subtle, methods of exploitation. So I most definitely recommend updating all libSSH services, even those not directly vulnerable to the auth bypass.
@peterwintrsmith
Peter Winter-Smith
3 years
Single digit PID.. I think that’s a first for me!
@peterwintrsmith
Peter Winter-Smith
3 years
Two year anniversary @MDSecLabs 🥳 crazy how time flies!
@peterwintrsmith
Peter Winter-Smith
3 years
@domchell @modexpblog Hard to show in a screenshot but Moneta gives it a completely clean bill of health. And as an added bonus a strings search of memory shows no C2 traffic residue etc. Finally getting there!
@peterwintrsmith
Peter Winter-Smith
2 years
@_xpn_ … do that was one of the reasons I joined @MDSecLabs . I realised that by its very nature pure consulting for me is quite depressing because no matter how hard you work the output is forgotten weeks after you finish. I have to be working on something lasting to stay happy.
@peterwintrsmith
Peter Winter-Smith
7 months
Finally a cafe I’ll feel at home in 😁
@peterwintrsmith
Peter Winter-Smith
4 years
The first step in exploiting a deserialisation vulnerability @irsdl
@peterwintrsmith
Peter Winter-Smith
12 years
Hey guys you might like this exploit! Really fun bug if not the most impressive target: http://t.co/uZ0l4Du3
@peterwintrsmith
Peter Winter-Smith
11 months
Practising a new song in case I ever want to move to 🇺🇸 🦅
@peterwintrsmith
Peter Winter-Smith
2 years
This looks 🔥 nice work!
@chvancooten
Cas van Cooten
2 years
After almost 2 years of working on NimPlant as a personal side project, I’m proud to release it to the public! NimPlant is a light-weight, first-stage C2 implant written in Nim, with a supporting Python server and Next.JS web GUI. Available here now! 👇
@peterwintrsmith
Peter Winter-Smith
2 years
@ilove2pwn_ …had implemented both independent of anything publicly released. We also have a few variations on this technique not using timers and have it working nicely for x86 in more recent versions. Motivates me to keep researching anyway - it’ll always be a race against analysis
@peterwintrsmith
Peter Winter-Smith
4 years
I couldn’t recommend working @MDSecLabs highly enough! Great company, work environment and peers! I encourage anyone on the fence about a change to consider!
@MDSecLabs
MDSec
4 years
We have open positions for experienced AppSec consultants in our UK-based team - come join us #infosecjobs
@peterwintrsmith
Peter Winter-Smith
1 year
Crazy train attempt 🚂🎸
@peterwintrsmith
Peter Winter-Smith
2 years
@ilove2pwn_ I thought it was a pretty good idea when I came up with it; I’m not the first person to use NtContinue() to make API calls but there was a nice benefit using timers which I hadn’t seen used - no chain of waiting funcs like APC, no messy stack like ROP etc though we previously…
@peterwintrsmith
Peter Winter-Smith
2 years
@_xpn_ I have unlimited enthusiasm for certain types of research (those types do evolve) but I was in a serious motivational slump between 2013-2020 which I realised was due to not having a purpose in my research. Having my own project separate from work helped a lot and the freedom…
@peterwintrsmith
Peter Winter-Smith
10 years
Adobe finally fixed the messageHandler bug...! http://t.co/jfcbAbwVMA
@peterwintrsmith
Peter Winter-Smith
4 years
Just learned about @CryptoHack__ - these guys have some great challenges for those maths & crypto inclined; challenges for all levels! Check them out!
@peterwintrsmith
Peter Winter-Smith
2 years
@C5pider @0xBoku @Muskychode 😂 @0xBoku ‘s compiler when it has nothing to compile
@peterwintrsmith
Peter Winter-Smith
1 year
Now we can finally find peace 😂
@_akhaliq
AK
1 year
Fixing things with AI
@peterwintrsmith
Peter Winter-Smith
9 months
A little Christmas 🎸
@peterwintrsmith
Peter Winter-Smith
1 year
@ilove2pwn_ @Mr_0rng That’s why I only get my laptops direct from China, no chance of interference that way
@peterwintrsmith
Peter Winter-Smith
3 years
This is a great presentation on WoW64 from @aaaddress1 that tied up a few conceptual loose ends for me - well worth making time for!
@peterwintrsmith
Peter Winter-Smith
2 years
@lpha3ch0 Just compile it with symbols and load it into windbg. It should find the symbols automatically, but if not you can set the path to them using .sympath+. Then run the command “ln xxx” to list the symbols closest to the address xxx of your bad bytes
@peterwintrsmith
Peter Winter-Smith
2 years
@ilove2pwn_ I think this will do really well as a lot of RTs still use or want to stick with CS but don’t have the skills in-house to customise it sufficiently to make it viable against hard targets. Sounds great!
@peterwintrsmith
Peter Winter-Smith
3 years
Thank you appreciate it! And this isn’t even its final form! 😄
@anthemtotheego
Shawn
3 years
@peterwintrsmith
Peter Winter-Smith
2 years
@5ub34x Time for you to start an onlyfans 😂 you didn’t build that physique for nothing!
@peterwintrsmith
Peter Winter-Smith
2 years
One thing I am looking forward to when Nighthawk finally reaches a fixed point (agent extensibility, open API, open source reference beacon) is being able to churn out new techniques and variations for our evasions in real-time, it’ll provide a lot of value to customers and…
@peterwintrsmith
Peter Winter-Smith
2 years
@ShellBind Or in this case other’s TTPs 😄 though this particular threat hunting technique is easy to bypass we will add a bypass to 0.2.1
@peterwintrsmith
Peter Winter-Smith
3 years
Nice work!
@aaaddress1
adr
3 years
want a totally fileless EXE? write a ghosting-launcher in ~200 lines!
@peterwintrsmith
Peter Winter-Smith
3 years
Day off work today means only one thing - electric uke time! 🎸 after many failed attempts I realised the riff below (from sweet child) sounds wrong when played first hand, and ok when played back! So I just hope for the best 😂
@peterwintrsmith
Peter Winter-Smith
7 months
Thanks everyone who came to watch! I’ll put the slides online later today!
@IOActive
IOActive, Inc
7 months
Thank you to everyone who showed up last night to hack::soho! And a special thanks to Peter for his presentation. Check IOActive’s YouTube channel in the next few weeks to catch the presentation for anyone who wasn’t able to make it.
@peterwintrsmith
Peter Winter-Smith
2 years
This is a good article!
@AliceCliment
Alice Climent-Pommeret
3 years
Curious about what's happening in the Windows Kernel after a Syscall? I just wrote this post following the workflow from the Syscall instruction to the target kernel routine ⬇️ Thanks again to @Set_hyx for the proofreading!
@peterwintrsmith
Peter Winter-Smith
9 months
@passthehashbrwn I know it’s .NET because it’s using reflection 🤭
@peterwintrsmith
Peter Winter-Smith
2 years
@domchell @chvancooten UI design was never on my CV 🔫😤
@peterwintrsmith
Peter Winter-Smith
1 year
Anyone wanting to up their exploit writing game without too much prior experience couldn’t do better than to sign up to this!
@corelanc0d3r
ς๏гєɭคภς0๔3г
1 year
I really enjoy teaching private classes! Even if you're just a small group (min. 4), willing to travel to Belgium, we can make it happen! I still have some timeslots in November & December. DM if interested @corelanconsult #windows #exploitdev #corelan #nevergiveup
@peterwintrsmith
Peter Winter-Smith
2 years
@0x09AL @domchell @FuzzySec @HackingLZ I was saving this for a time when I’d need it to blackmail you but now feels like an opportune moment 😂 cc: @irsdl
@peterwintrsmith
Peter Winter-Smith
10 months
Great stuff, and excited for 0.3!
@domchell
Dominic Chell 👻
10 months
Just completed another Nighthawk customer webinar. Great to engage with the #Nighthawk community, even if they do heckle my slides for using Comic Sans 😅
@peterwintrsmith
Peter Winter-Smith
2 years
This part of the goofy goober solo was so painful to learn 😮‍💨 I just have to post it 😂
@peterwintrsmith
Peter Winter-Smith
3 years
Nice work!
@hlldz
Halil Dalabasmaz
3 years
Here is the RefleXXion. It is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. Thank you @peterwintrsmith for sharing this technique.
@peterwintrsmith
Peter Winter-Smith
4 years
It was really excellent, I can’t recommend it enough! I realised I have a lot to learn but luckily I’m at the best place to do it @MDSecLabs !
@tomcarver_
Tom Carver
4 years
Just finished Adversary Simulation and Red Team Tactics training by @MDSecLabs . Amazing course would highly recommend; interesting lab content as well as great instructors ( @domchell , @_xpn_ , @0x09AL )
@peterwintrsmith
Peter Winter-Smith
3 years
@mrgretzky @x86matthew @modexpblog @domchell @domchell was worried about this when we first heard from Matt 😆 although now we’ve met him I’m fairly sure he’s not an APT (you can never be 100% certain though)
@peterwintrsmith
Peter Winter-Smith
2 years
Excuse the promotional tweet; this capability has been frying my brain for the past few weeks and I’m so happy I hopefully won’t have to look at it again 😂
@peterwintrsmith
Peter Winter-Smith
2 years
I’m not claustrophobic but this makes me feel sick! 🤢
@peterwintrsmith
Peter Winter-Smith
2 years
@0xBoku @C5pider I’m definitely investing in @C5pider stock!
@peterwintrsmith
Peter Winter-Smith
2 years
@__mez0__ @rad9800 @MDSecLabs @threatinsight Just having a clean call stack when inspected during image loads, tracing back to ntdll!
@peterwintrsmith
Peter Winter-Smith
3 years
Haha at last, the famous “mamma mia” makes its debut! 😂 let’s hope it doesn’t bring as much bad luck as it did during my first demo attempt 😆
@domchell
Dominic Chell 👻
3 years
@peterwintrsmith @modexpblog @tiraniddo @BBCylance Does your C2 speak Italian? #Nighthawk does... #Nighthawk profiles are hot swappable, and the C2 can be entirely customised in rDLL or .NET... watch how to use a .NET encoder to convert our C2 traffic to Italian 🇮🇹
@peterwintrsmith
Peter Winter-Smith
2 years
Monday means new solo 🎸 (slowed to 75% speed 🥲)
@peterwintrsmith
Peter Winter-Smith
2 years
@netspooky How about the cursed Java/JavaScript? 😅
@peterwintrsmith
Peter Winter-Smith
4 years
Welcome guys! Excited to be working with you both!
@MDSecLabs
MDSec
4 years
Today we’re super excited to welcome Donut core dev @modexpblog and shad0w c2 dev @_batsec_ to the @MDSecLabs team #watchthisspace
@peterwintrsmith
Peter Winter-Smith
2 years
@C5pider @ShellBind @domchell @modexpblog Thanks mate, and incredible work from you too in general with your C2; I wish I was that good at coding when I was 17! 😄
@peterwintrsmith
Peter Winter-Smith
2 years
@MichaelJRanaldo @MDSecLabs @irsdl Haha Soroush is one of our biggest proponents of the petemoji cause and this show of dedication may push him into the Sacred Council of the Petemoji 🏅
@peterwintrsmith
Peter Winter-Smith
1 year
@AnubisOnSec I would do something ambitious and meaningful for yourself outside of just consulting work for your employer; you may enjoy that but it’s so ephemeral and it’s never something you own. Having my code analyser side project greatly lifted my own mood and productivity!
@peterwintrsmith
Peter Winter-Smith
1 year
@domchell @N1ckDunn @C5pider @x86matthew @modexpblog That’s me right now after all the debugging I’ve had to endure 😂
@peterwintrsmith
Peter Winter-Smith
6 years
My fave so far 😂
@lolamby
𝓵𝓪𝓶𝓫𝔂
6 years
CVE-2018-10933
@peterwintrsmith
Peter Winter-Smith
1 year
@5m00v Hey mate! Honestly probably not but I think it’s a good learning project and involves a lot of interesting tangents such as the user/kernel mode boundary and how Windows works under the hood. The only novel thing I’ve seen in the past few years is the address sorting trick
@peterwintrsmith
Peter Winter-Smith
1 year
@N1ckDunn Yeah thanks mate, you’ve borne the brunt of my mandatory lectures on what I’ve been doing and how it works under the hood 😂 appreciate it mate, the support and the ideas, and endless enthusiasm for it; it all helps me keep going! I should give @NullMode_ a shout out too for bearing
@peterwintrsmith
Peter Winter-Smith
3 years
@domchell @modexpblog And as a peek at our gitlab shows the fun has only just begun! So many more ideas for extensibility, opsec and evasion and features in the pipeline!
@peterwintrsmith
Peter Winter-Smith
3 years
@demonslay335 He may be paid by the line 😂
@peterwintrsmith
Peter Winter-Smith
9 months
I had an idea for @wsastsupport - I might write a “parser” that allows you to specify language components in a regex form (how to extract a class name, method, statements, expressions, etc.) and have wSAST look up based on the source file extension how to do this “light” form of
@peterwintrsmith
Peter Winter-Smith
1 year
Just want to give a shout-out to @hackedpodcast these guys make cybersecurity highly entertaining and can tell a great story! Definitely one of my favourite podcasts in the space.
@peterwintrsmith
Peter Winter-Smith
3 years
@FuzzySec That and Hollows Hunter are the only tools I trust when feeling paranoid 😂
@peterwintrsmith
Peter Winter-Smith
11 months
@C5pider @m3g9tr0n You’re a legend mate you inspire me! I can’t wait to see what you’re doing when you’re my age 😭
@peterwintrsmith
Peter Winter-Smith
8 months
I’m planning to talk about wSAST at the next @IOActive hack::soho! I hope to see some of you there!
@peterwintrsmith
Peter Winter-Smith
5 years
I don’t tweet often but this book deserves a shout: Engineering a Compiler by Keith Cooper and Lisa Torczon. It’s so well written that reading it made me wonder why I ever struggled to understand parsing algorithms!
@peterwintrsmith
Peter Winter-Smith
3 years
@TheXC3LL I still haven’t got my MDSec swag @domchell !
@peterwintrsmith
Peter Winter-Smith
10 months
@techspence It’s not exactly an EDR but @morphisec have some interesting ideas and are steering things more in the direction I’d like to see them go (from the perspective of actually making half an effort to trap malicious code)
@peterwintrsmith
Peter Winter-Smith
2 years
@rad9800 @domchell @C5pider Oh we have some great stuff coming in 0.2.1! As for sleep encryption we have a handful of alternative approaches not yet integrated, and some bypasses for the existing detection ideas for tp timers and waits. I don’t see us running out of ideas any time soon! 😎
@peterwintrsmith
Peter Winter-Smith
9 months
@ImposeCost We know where the IR authors for big companies that have been breached can trace their prosaic lineage 😂
@peterwintrsmith
Peter Winter-Smith
4 years
Fantastic blog post from @modexpblog
@MDSecLabs
MDSec
4 years
In our final blog post of 2020, @modexpblog catalogues a variety of methods for bypassing user-mode hooks for red teams We'll be back in 2021.... #happynewyear
@peterwintrsmith
Peter Winter-Smith
1 year
Loved the first part excited to tune into this tomorrow 😎
@modemmischief
Modem Mischief
1 year
New episode! Patriotic hackers, the Chinese military, industrial espionage, online heists, and the civilian side of China’s hacking program. This is the story of Wicked Rose, the Network Crack Program Hacker Group & part two of our China hacking series.