Mike Felch (Stay Ready)
@ustayready
Followers
15,372
Following
1,882
Media
586
Statuses
8,343
Targeted Ops Red Team @ TrustedSec | Hacking since Renegade BBS backdoors | Prior CrowdStrike/BHIS | In Christ's grip | I speak for myself only.
Central Florida
Joined July 2013
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
Telegram
• 1245361 Tweets
#خلصوا_صفقات_الهلال1
• 1227251 Tweets
Brazil
• 909926 Tweets
O Brasil
• 673758 Tweets
Elon Musk
• 664376 Tweets
Chelsea
• 514036 Tweets
Alexandre de Moraes
• 479925 Tweets
Osimhen
• 278244 Tweets
Sterling
• 200998 Tweets
Xandão
• 143250 Tweets
Napoli
• 134156 Tweets
Adeus Twitter
• 124643 Tweets
Ditadura
• 124505 Tweets
Threads
• 95139 Tweets
#مولد_ولي_العهد
• 86926 Tweets
Labor Day
• 65868 Tweets
Tchau
• 65537 Tweets
Anatel
• 63566 Tweets
Eddie
• 62083 Tweets
Nelson
• 53666 Tweets
Derrubaram o X
• 42526 Tweets
Bluesky
• 37982 Tweets
Tumblr
• 36343 Tweets
VPNs
• 35964 Tweets
Coreia do Norte
• 33429 Tweets
Benfica
• 32029 Tweets
CONGRATULATIONS RM
• 30461 Tweets
#الجناح_مطلب_اهلاوي
• 23809 Tweets
CONGRATULATIONS NAMJOON
• 22098 Tweets
Orkut
• 19059 Tweets
BARMY WITH BTS
• 15786 Tweets
Shelton
• 10363 Tweets
野菜の日
• 10349 Tweets
“Dad, I need hacker stickers on my laptop.” says 5yr old daughter.. she went through my stash and selected what she wanted lol
55
241
3K
Twitter has a "like" bug that lets you artificially inflate by repeatedly clicking the like button. Wrote quick POC, just copy the xpath from the heart of a tweet and paste in chrome console:
for (var i = 0; i < 100; i++) { var hax = document.evaluate(COPIED_XPATH, document,
14
53
1K
Full disk encryption bypass and root shell on TPM-protected Ubuntu 20.04…by pressing enter multiple times really fast.
23
234
932
Want to create great phishing links using an open-redirect on ? While they don't last forever, they are a great way to trick unsuspecting victims into clicking a legit looking URL before expiring! Follow the 🧵for how it works..
18
232
912
Dropping a new initial access technique via RDP that I dubbed "Rogue RDP". Use malicious .RDP files to bypass email/servers/security gateways and then run code to binary plant/exfil from your own RDP server, blinding EDR. Bonus: Target runs HyperV? RCE!
10
327
742
A quick method to bypass an EDR. Even aggressive EDR's can be bypassed. Allocate your shellcode, overwrite a WNF subscription callback in a userland process, and trigger the WNF state change.. Old but relevant example follow for more fun soon to come!
9
203
684
I got caught hacking the Buzz Lightyear ride at Disney by the in-game cameras. I was tired of my wife beating me every time so I took a picture of the high value target and repeatedly shot the picture on my phone. I had the idea too late to win but it’s game on next time! 🤓
30
118
652
FireProx has been released! If you're tired of using limited proxy servers or expensive EC2/VPS instances for rotating IP addresses then check out FireProx. It spins up a pass-through API Gateway proxy on AWS which will rotate your IP with every request!
6
272
597
Black Hat USA 2022 videos are released!
0
208
562
New process injection technique dropped from BlackHat EU! Freaking cool.
Dirty Vanity abuses the Windows forking (process reflection and snapshotting) to evade EDR using.
Slides:
POC:
Shout-out to
@eliran_nissan
!
11
222
558
Healthy reminder: there are troves of amazing infosec people that you have never heard of because they don’t speak at conferences or have a platform on Twitter... like troves..
14
55
543
CrowdStrike has some of the most sophisticated technology and smartest engineers I've ever known. I've seen the inside of the sensor and read through lots of eng docs when I worked there, it's just a simple mistake with huge ramifications.
58
37
469
Freaking cool open source real-time HTTP intrusion detection (logging, monitoring, and alerting) in the console
3
105
388
Check out a new tool I just released! An asynchronous password spraying tool in C# for Windows environments that takes into consideration fine grained password policies and can be ran over Cobalt Strike's execute-assembly.
6
164
376
Awesome IP rotator alternative to FireProx! This looks much more useful.. can’t wait to try it. .. shout out to georgeomnet
4
117
374
Excited to announce MITRE bypass coverage trials against EDR's are complete for 2022!
11
57
360
I didn't realize Google dropped a neat open-source vulnerability scanner written in Go. Looks like it scans lockfiles, packages, and commit hashes. Performs the scan using the OSV API.
2
103
353
I know a lot of people are always asking about good OSCP study resources. After stumbling onto this while looking for something else, I figured I’d share it in case others might find it useful.
Shout-out to
@sgtdede
!
19
95
352
I wanted to share some exciting news I've been sitting on. I recently started a new role at
@CrowdStrike
doing R&D for their red team. The last few years have been an amazing journey w/ BHIS, who will always be fam! My new direction has me back in the lab weaponizing TTPs. 👨🔬🧪💥
20
17
329
So.. I've picked up a new non-tech side hobby and am excited to finally launch! If you are a coffee drinker, check out my new Zero Day Roast at ! Also looking for swag sponsors who want to throw in infosec related swag. New roasts every Monday/Tuesday.
33
44
319
My life is a complete mess right now.. falling apart at the seams. Not even going to fake it. I know It’ll get better but right now, I’m not doing good. I know where my strength comes from tho, I got this - friends or no friends.
75
6
315
Gaining Access to AWS Web Console via stolen access keys & awscli in 7 steps. (thread)
Step 1) Create a temp user
aws iam create-user --user-name haxuser
1/7
7
135
305
I also dropped a fun POC for ChatGPT. AWS + ChatGPT = CloudGPT. Pull your AWS policies and check to see if they are vulnerable by asking ChatGPT. :) Just set your OpenAI key and configure your AWS CLI. A real tool will be released soon, webcast coming soon
4
74
295
First of many to come from the new
@CrowdStrike
Red Team Labs .. :) Some pretty awesome tradecraft for "Staying Off the Land" written by a co-worker of mine. Check it out!
4
104
299
My big news: Running a consulting firm is stressful, I've also grown weary of only cloud testing. I'm stoked to share, I joined the Targeted Operations Red Team at
@TrustedSec
💪🏼back to the red team grind! Shout out to an old friend,
@curi0usJack
, for the invite to join🫡
49
16
270
OpenAI is hiring for a red team lead up to $370k salary. Highest salary I’ve seen but I guess for San Francisco that’ll probably get you a nice size apartment.
18
26
265
Awesome! For Sublime Text 3 cached files it’s
Windows: C:\Users\user\AppData\Roaming\Sublime Text 3\Local
Mac: ~/Library/Application Support/Sublime Text 3/Local/
Linux: ~/.config/sublime-text-3/Local/
Red-Teamers:
[lazy]People like me use Notepad++ as a note-taking thing. We create a 'new', then never get around to saving them.
They get cached here:
C:\Users\{username}\AppData\Roaming\Notepad++\backup
If you hit a dev/sysadmin, you'll find all kinds of crazy stuff.
32
461
2K
2
78
259
My girls were practically begging me to teach them to skate so I busted out my board. Thought about you
@DAkacki
the entire time! First try in double digit years and I almost actually landed it hah
26
2
247
Released a new tool to password spray using AWS Lambdas for IP rotation across regions. Currently, it supports spraying GSuite accounts, be on the lookout for more plugins soon. It auto-provisions execution role, lambdas and the deployment package. Enjoy!
2
111
235
Wow that was quick.. looks like they patched it hah
2
1
233
@424f424f
and I dropped some new initial access TTP's for your red team engagement at
@WWHackinFest
. You can leverage RDP files to bypass email attachment blocklists to plant C2 binaries, exfil data & steal clipboards.. or just phish Azure tokens!
#wwhf
4
82
224
Haven't tested in a few months but here's a quick method to bypass a well-known EDR.
Compile your C# payload as a DLL, stage the DLL on a file share, create a loader that uses Assembly.LoadFile() with the file share path for the DLL and Invoke()!
Follow for more fun soon to come
5
48
226
I just released a tool I wrote awhile back called Gold Digger. It's nothing fancy but can be pretty helpful when needing to scan through a lot of files looking for credentials and other sensitive information. I use it on cloud pentests.
2
56
220
Password spraying AD? Check the badPwdCount for the account before trying a password and if doesn't increase afterwards then it's one of the previous 2 passwords.
8
51
222
Just dropped a super simple ChatGPT terminal client which uses the OpenAI API. It's nothing fancy but it's very useful. No more fighting users on the web interface or waiting for it to come back online. Enjoy!
6
71
219
Pentesting AWS? Don't forget to retrieve additional attack surface from the AWS Certificate Manager!
aws acm list-certificates --region us-east-1 | jq -r '.CertificateSummaryList[] | select (.DomainName) | .DomainName'
5
39
204
Like Evilginx? Like GoPhish? Check out
It even has the ability to leverage CloudFlare Turnstile for stopping bots and some new phishlets for O365, KnowBe4, and Cisco VPN.
3
71
197
On an AWS pentest, I found cleartext passwords in CloudFormation Stack Outputs. Here's an easy way to check:
for region in {"us-east-1","us-east-2"}; do aws --region $region cloudformation describe-stacks --query 'Stacks[*].[StackName, Description, Parameters, Outputs]'; done
3
43
198
Most people know about Assembly.Load() but there are a number of alternative System.Reflection Assembly loaders for C#:
UnsafeLoadFrom()
LoadFile()
LoadFrom()
LoadModule()
ReflectionOnlyLoad()
ReflectionOnlyLoadFrom()
Enjoy!
0
61
197
Tried running PowerView on an end-point with multiple EDR products.. detected and blocked as expected. Decided to copy/paste into notepad, search and replace
@harmj0y
and
@mattifestation
names along with the script name.. bypassed and worked fine. smh 🤦♂️
10
57
195
Someone was learning afl and fuzzed ping to find a 24 year old bug lol goes to show that just because you read about people finding cool stuff doesn’t mean there’s still not other cool stuff to find.
4
49
192
Here are my slides from "Welcome to the Jungle: Pentesting AWS" at
@BSidesTampa
today. Met a lot of cool people! Feel free to hit me up if you have questions about AWS pentesting.
6
57
193
So most of you know by now that I launched an infosec coffee last year and the support has been pretty legit. A lot of people asked for a dark roast and it's finally here! Check out the Intense dark roast using the coupon code REDTEAM
12
24
174
Pretty cool blog on finding gold in SCCM distribution points. I find these shares all the time but don't investigate them. Definitely not passing them up from now on, I've likely been missing creds, keys, certs, etc!
SCCMContentLib$ for the win
0
64
180
CloudGPT is now public! A vulnerability scanner for AWS customer-managed policies using ChatGPT w/ built-in account redaction and reconciliation. Enjoy!
1
61
173
There’s so much red team wisdom to capture from this one post that I bookmarked it. Nice work
@HackingLZ
! 💰💪🏻
3
52
174
I support
@defcon
in their mask policy, they should have the freedom to run the con how they see fit. Don’t like it? Don’t go. I don’t like it, it’s mainly why I stayed home. They followed their convictions and I can respect that. How about appreciating them for holding the con?
10
7
168
Looks like my relationship with Google has started the reconciliation process. :) They contacted and invited me into the Google Vulnerability Research Program then gave me a grant for my security research into GSuite! Awesome opportunity to work at making GSuite even stronger.
12
5
170
Dropped a small utility that splits a large BloodHound/AzureHound JSON file into a bunch of smaller files. Is helpful when you encounter a large environment and have a multi-gb JSON file.
2
44
164
I've been coding all weekend and using ChatGPT for everything from converting SQLite queries into Python3 classes to having ChatGPT generate a bunch of safe queries. It's way better than using StackOverflow and Google. It turns all the tedious work into copy/paste.
10
13
163
Excellent summary from my co-workers on some quick wins using misconfigurations for red teamers to leverage on an engagements. It also has some great feedback for IT/security remediations .. definitely worth the read!
0
51
158
Excellent post from
@424f424f
on using DirectSend to spoof Microsoft 365! Special shout out to
@33y0re
&
@jack_halon
for introducing me to this originally.
If you knew about this but not why it works in some cases but not others, check out the post.
2
79
162
Using ChatGPT to write launch high quality phishing campaigns. Pretty cool stuff!
2
43
160
I don’t expect to have to wear a tie again for along time but this… is amazing.
4
18
152
Hacking Azure? Don't miss creds in Runbooks!
Get-AzAutomationAccount|foreach{Get-AzAutomationRunbook $_.ResourceGroupName $_.AutomationAccountName|foreach{Export-AzAutomationRunbook $_.ResourceGroupName $_.AutomationAccountName $_.Name}}
6
46
153
Welp.. first day of spring. You know what that means.. time to change your password spraying defaults to include Spring2018 😁
#firstdayofspring
3
57
136
I haven’t touched a computer in 2 weeks and I’m not sad.
4
1
130
Anyone else get anxiety closing a browser with dozens of tabs for some reason?
12
2
130
Pretty simple to track vehicles using the Tire Pressure Monitoring System with just a RTLSDR. We will be creating a
@WWHackinFest
lab for this!
2
36
131
RCE privilege escalation in Global Protect VPN for Windows/Linux/Mac.. awesome 2 part series from a co-worker of mine at
@crowdstrike
and
2
56
127
27 days left until I begin the life of a farmer. It’s kind of surreal yet exciting! Solar powered farming + crypto mining on a homestead ran by technology. I also think I’ve convinced the wife to let me call it “Crypto Farms” 🤠 maybe I’ll start blogging again ..
15
5
126
I'm convinced AWS insecurity with open policies is actually because no one wants to burn 4 hours trying to configure VPC's, NAT gateways, route tables, subnets, security groups, elastic IP's, and internet gateways just so a lambda can talk to internal/external resources
#ragequit
8
27
119
As we promised at
@WWHackinFest
, CredSniper is released! Better documentation and credential storage coming soon.
2
97
120
Just to answer a few q’s.. CrowdStrike is a great company with great talent and a great product, it was just a wrong turn for me personally. I decided to accept my mistakes and cut my loss now so I can recalibrate on what matters. I’ve received so much love from the community! ❤️
7
1
116
If you admin AWS, you should check to make sure none of your AMIs are set to public if you don't want them mounted/exfil'd by an attacker who gains access to the AMI ID. An attacker launching an EC2 instance w/ a public AMI from a free tier account is easy w/ huge implications 🤷♂️
5
31
112
For those that requested, here are the slides from the "Red Team Tactics for Cracking the GSuite Perimeter" presentation at
@CactusCon
.
5
44
110
Here’s your friendly reminder.. today is the first day of winter so don’t forget to password spray with Winter2019 and soon to be Winter2020. 🤓
4
23
106
This is bad. Don't do this..
"Action": "SNS:Publish",
"Effect": "Allow",
"Principal": { "AWS": "*" }
If you this on an AWS pentest, you can publish to a topic and potentially trigger phishing email/SMS notifications to distribution groups. All from a free tier AWS account. 😏
5
14
108
👀🤯 M365 tool drop. Lot's of fire coming from BH/DC this year.
tool drop time! powerpwn is an offensive/defensive security toolset for Microsoft 365 focused on Power Platform
give it a guest account to get full dumps of sql/azure data you shouldn't have access to
but wait, there's more
#BHUSA
@BlackHatEvents
@defcon615
1
61
201
1
25
104
More GPT gold! IATelligence extracts the import address table from a portable executable then uses GPT to provide context around the Windows API and cross-references to Mitre ATT&CK techniques. Shout-out to
@fr0gger_
3
29
105
2nd day back skateboarding after double digit years. Almost road away from my hardflip .. bummed I only have a few trick attempts before being drained of energy.
#skatesec
#almost40hardflip
13
2
103
Nice EDR bypass using file names.. may or may not be more like this if you look hard.
Bypassing AV & EDR detection by playing with file names. The security tools think the files MUST end in .exe or .dll, but they don't.
Currently, it's bypass Defender AV & EDR, Crowdstrike, and Palo.
Thanks for
@mrd0x
for this info!
10
184
494
2
18
103
My wife and I have been home schooling our kids for a number of years and I work from home. If anyone needs any advice, recommendations, or just wants to chat.. shoots DM my way and I’ll help support you through this. Love y’all!
6
16
102
Interested in leaking NTLM v1/v2 hashes over the internet w/ MS Office? Check out how
@dafthack
and I pulled it off in this weeks episode of Tradecraft Security Weekly Episode 21
3
35
102
JQ is a tool I can’t live without. I use it daily. Great cheat sheet!
JQ - is one of the most popular command line utilities for extracting and processing data from JSON files.
Here is a ultimate cheatsheet to the most useful JQ functions for
#osint
,
#dfir
, and
#forensics
:
Contributors
@SANSInstitute
@DavidSzili
0
91
282
2
17
99
Can’t wait to try this from
@knavesec
! Combined FireProx and CredKing into a single tool for password spraying.
1
28
97
Excellent post from
@kxngcodes
using a modified version of
@SwiftOnSecurity
Sysmon config to catch Rogue RDP! Other good intel discussed too. Worth a read
0
36
94
TeamFiltration: Enum, spray, exfil, and persistence in Office365 Azure Active Directory accounts.
An awesome tool from
@Flangvik
!
1
22
91
When new pentesters aren’t prepared for real life roadblocks because the cert testing environments they practiced in are by default vulnerable, they lose hope. Don’t give up when you hit a wall, take a break and know it’s broken somewhere... you just have to find where.
Tennis player loses match, reacts with virtuosic racket smash:
151
300
1K
7
18
87
Quick and easy way to retrieve emails for all git commit authors. There's probably an easier way, but this worked.
git log | grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" | sort | uniq -c | sort -nr
10
19
87
Need a tool to circumvent firewall restrictions? I built FireProx so people could rotate their IP using AWS, to access websites without restrictions. Be sure to add/set the header My-X-Forwarded-For so your IP doesn’t leak. Stay safe out there.
1
38
85
Any pentesters need a reason to play
#SANSHolidayHack
at work? Here ya go! Merry Christmas :)
2
36
86
For everyone that asked about slides or didn't get to attend
@joff_thyer
& I's talk at BSides Tampa, here is the deck/repo. The talk was recorded and will be made available!
Offensive Python for Pentesting
1
29
84
This is a neat AMSI neutering using opcode scanning.
0
30
82
Super grateful for the opportunity to share back with the community through the invitation of
@TribeOfHackers
!
#redteamedition
Can't wait to get my copy, I am glad to be a part of the book and look forward to reading the stories of those I admire in the industry.
4
12
82
Found this pretty useful cheatsheet/deep-dive that explains firewalls by referencing the ufw wrapper for iptables. Figured I'd share since it brought me some value.
1
19
82
Grace is when your wife wakes up for breakfast only to find you left all the groceries in the trunk after grocery shopping the evening before, everything is spoiled, and she doesn't kill you but laughs it off instead. 💀
7
5
80
Pretty sure this just nuked all non-attrib infrastructure for red teams.. 🤔
15
21
78
Solid call stack spoofing implementation that uses cool techniques to hide the original stack, remove the base image, and a ROP gadget to restore everything. Really good work and research in this area! Shout-out to
@waldoirc
@KlezVirus
and
@trickster012
1
24
79