0SKR (@saab_sec) 's Twitter Profile
0SKR

@saab_sec

Research @Mdseclabs

ID: 1241850161678016512

Link: https://sabotagesec.com

Joined: 22-03-2020 22:13:28

86 Tweets

618 Followers

217 Following

0SKR (@saab_sec)

Blog Post Alert: Tale of Code Integrity & Driver Loads 🔸Reversing sc.exe and MS-SCMR 🔸Some RPC internals 🔸Debugging PPL process 🔸Tracing functions during a driver load event. sabotagesec.com/tale-of-code-i…

0SKR (@saab_sec)

Saw Chetan Nayak (Brute Ratel C4 Author) post today on identifying C2 payloads based on stack telemetry. I have been working on a private project myself, something similar: a stack scanner. Maybe Chetan Nayak (Brute Ratel C4 Author) can share some insights.

Sample detection of Havoc with sleepmask and stack dup enabled.

0SKR (@saab_sec)

Detection opportunity: stack base fluctuation. Tracing the state of the stack base address of threads provides a detection opportunity to identify sleeping beacons whose stacks are spoofed. The Havoc stack dup feature in timer-based obfuscation can be detected this way.

0SKR (@saab_sec)

Gotta Catch 'Em All! Catching Your Favorite C2s in Memory Using Stack & Thread Telemetry. Learning about abnormalities in commercial and (open source) C2s. Check the blog down below: sabotagesec.com/gotta-catch-em…

Tavis Ormandy (@taviso)

This strange tweet got >25k retweets. The author sounds confident, and he uses lots of hex and jargon. There are red flags though... like what's up with the DEI stuff, and who says "stack trace dump"? Let's take a closer look... 🧵1/n

0SKR (@saab_sec)

#crashstrike The CrowdStrike incident brought attention to the mysterious "Channel files"; since then I have been trying to make sense of their beast of a sensor kernel module. Here is my progress; there are a lot of interesting things in the code... Channel file processing in action!

Josh (@passthehashbrwn)

New blog from me on manually manipulating Vectored Exception Handlers to evade some EDRs and perform threadless process injection. securityintelligence.com/x-force/using-… Accompanying code: github.com/xforcered/Vect…

0SKR (@saab_sec)

New blog! I Hate You COM – Pitfalls of COM Object Activation! Addressing a few issues in .NET unmanaged APIs when used in offensive coding. sabotagesec.com/i-hate-you-com…

0SKR (@saab_sec)

A fun side project: a stack customizer payload generator. I will share more details in my next blog post. Stay tuned :)

0SKR (@saab_sec)

❗ Blog Alert ❗ 🔴 Introducing a thread hijacking TTP variant called Phantom Call. 🔴 Discussion of the effect of stack alignment on SIM instructions/registers. 🔴 In-depth analysis of the Win32 API RtlRemoteCall(). 🔴 Weaponizing RtlRemoteCall. sabotagesec.com/thread-hijacki…

Dominic Chell 👻 (@domchell)

Kept this one under wraps for a while, but happy to finally say 0SKR and Luci are joining Peter Winter-Smith, @modexpblog, dylan and S4ntiagoP in the MDSec R&D team next week... big things are coming 🥳

diversenok (@diversenok_zero)

My new blog post 🥳 Improving AFD Socket Visibility for Windows Forensics & Troubleshooting. It discusses the low-level API under Winsock (IOCTLs on \Device\Afd handles) and explores the workings of the new socket inspection feature in System Informer 🔥 huntandhackett.com/blog/improving…