bohops · Apr 5, 2022 · 12:29 PM UTC

bohops

496 Photos and videos

Pinned Tweet

bohops @bohops

5 Apr 2022

[Blog] Unmanaged Code Execution with .NET Dynamic PInvoke (Yes, you read that correctly - "Dynamic P/invoke" as in "Dynamic Platform Invoke") bohops.com/2022/04/02/unmana…

Unmanaged Code Execution with .NET Dynamic PInvoke

Yes, you read that correctly – “Dynamic Pinvoke” as in “Dynamic Platform Invoke” Background Recently, I was browsing through Microsoft documentation and other blogs to…

bohops.com

161

297

bohops · Jun 5, 2023 · 1:42 PM UTC

bohops @bohops

22h

I hate C, but I'm addicted...

bohops · Jun 3, 2023 · 6:44 PM UTC

bohops @bohops

Jun 3

I did not find my room

Elastic Security Labs · May 30, 2023 · 4:15 PM UTC

bohops retweeted

Elastic Security Labs @elasticseclabs

May 30

Kernel-level callstack visibility is essential for in-memory #ThreatDetection of #Malware and defense evasions, #ElasticSecurityLabs researchers @dez_, @GabrielLandau, and @SBousseaden explain the research behind this capability: go.es.io/42d0Mge

Upping the Ante: Detecting In-Memory Threats with Kernel Call Stacks

We aim to out-innovate adversaries and maintain protections against the cutting edge of attacker tradecraft. With Elastic Security 8.8, we added new kernel call stack based detections which provide...

elastic.co

123

bohops · May 28, 2023 · 10:58 PM UTC

bohops @bohops

May 28

GIF

bohops · May 28, 2023 · 10:37 PM UTC

bohops @bohops

May 28

It's about time to blow the dust off of the ol' blog and write a new post soon...👀

bohops · May 28, 2023 · 3:58 PM UTC

bohops @bohops

May 28

Invest in the things that actually matter: - the needs of your family, dependents, and yourself - experiences with those who are most important such as family and friends - the betterment of yourself in whatever drives you and makes you truly happy

SwiftOnSecurity @SwiftOnSecurity

May 28

Replying to @SwiftOnSecurity

Nice car? Trust me barely anybody even looks. It's four wheels, maybe you have a cool color. Nice watch? They assume it's fake. If you want these things and value them, you have to accept it will mostly just be you who cares. And that should be fine, because it's not for Them.

Show this thread

bohops · May 27, 2023 · 5:33 PM UTC

bohops @bohops

May 27

Start with Python to learn programming they say. That's good, but don't ever stop programming in Python. It is an amazing language for most disciplines in cyber. I still use it all the time.

bohops · May 27, 2023 · 2:40 AM UTC

bohops @bohops

May 27

💯 Those DCs aren't going anywhere...and they will still be there when orgs move away from the cloud and back to on-prem 🤣

Jeff McJunkin @jeffmcjunkin

May 26

Active Directory is being obsoleted and replaced by Azure AD in the same sense that IPv4 is obsoleted and replaced by IPv6

bohops · May 26, 2023 · 5:53 PM UTC

bohops retweeted

bohops @bohops

May 26

@frodosobon 's blog is quite good and very underrated Check it out 👇 waawaa.github.io/

Waawaa Blog

Labs & Research

waawaa.github.io

Kyle Avery · May 25, 2023 · 9:53 PM UTC

bohops retweeted

Kyle Avery @kyleavery_

May 25

Last week I ported TinyNuke HVNC to a Cobalt Strike BOF: github.com/WKL-Sec/HiddenDes…

GitHub - WKL-Sec/HiddenDesktop: HVNC for Cobalt Strike

HVNC for Cobalt Strike. Contribute to WKL-Sec/HiddenDesktop development by creating an account on GitHub.

github.com

149

415

Nasreddine Bencherchali · May 25, 2023 · 11:15 AM UTC

bohops retweeted

Nasreddine Bencherchali @nas_bench

May 25

A fun alternative way to find child process execution of a certain process via BAM. You can use the "HKLM\System\CurrentControlSet\Services\bam\State\UserSettings\<SID>\<Binary>" RegistrySet event to track child process created by a process. #dfir #detection

107

Brendan Chamberlain · May 25, 2023 · 10:00 AM UTC

bohops retweeted

Brendan Chamberlain @infosecb

May 25

I’m excited to kick the morning off by announcing the release of 🍎 Living Off the Orchard: macOS Binaries (LOOBins)! loobins.io You can find more details about the LOOBins project in my “Introducing LOOBins” Medium post here: infosecb.medium.com/introduc…

Introducing LOOBins

Announcing the release of LOOBins, a new living off the land open-source project.

infosecb.medium.com

196

519

Show this thread

Nathan McNulty · May 25, 2023 · 3:21 AM UTC

bohops retweeted

Nathan McNulty @NathanMcNulty

May 25

Replying to @bohops

And for those with Sentinel/Defender for Endpoint, here's a great example of how we can leverage this project in our queries :)

Nathan McNulty @NathanMcNulty

4 Oct 2022

Oh hell yeah, this is cool! DeviceNetworkEvents | where RemoteIPType == "Public" | where InitiatingProcessVersionInfoOriginalFileName in (( externaldata ( Name:string ) [ "lolbas-project.github.io/api…" ] with (format=csv, ignoreFirstRecord=true) | distinct Name )) #MDE

Show this thread

Dan Lussier · May 25, 2023 · 12:27 AM UTC

bohops retweeted

Dan Lussier @dansec_

May 25

cisa.gov/news-events/cyberse…

100

409

bohops · May 24, 2023 · 11:32 PM UTC

bohops @bohops

May 24

I've seen a lot of chatter about Living-Off-The-Land (LOL/LOTL) attacks and techniques on the socials this week. For background info, use cases, and offensive/defensive references, the LOLBAS project has you covered: lolbas-project.github.io/

bohops · May 24, 2023 · 5:18 AM UTC

bohops @bohops

May 24

Dynamic PInvoke without DefinePInvokeMethod ...👀

bohops · May 23, 2023 · 6:51 PM UTC

bohops @bohops

May 23

Really cool .NET loader for dynamic invocation and an excellent Yara rule. Great work @dr4k0nia!

dr4k0nia @dr4k0nia

May 22

I'm joining the dark side, today I'm publishing a malware loader called NixImports. It uses API-Hashing and dynamic invoking to evade static analysis. Check out my blog post for more details: dr4k0nia.github.io/posts/Nix…

Show this thread

SpyNetGirl 🍕 · May 18, 2023 · 10:23 PM UTC

bohops retweeted

SpyNetGirl 🍕 @SpyNetGirl

May 18

🔥Updated WDACConfig module. @M_haggis & @nas_bench you can now automatically create a base policy denying all #LOLDrivers and deploy it too if you want. More info on GitHub: github.com/HotCakeX/Harden-W… Download from PowerShell gallery (self-updates): powershellgallery.com/packag… #WDAC

1,519

Jim Sykora · May 23, 2023 · 2:38 PM UTC

bohops retweeted

Jim Sykora @JimSycurity

May 23

Slides from our Active Directory & DNS (ADIDNS) talk at BSidesCharm 2023 are up. AD & DNS: A Match Made in Heck I believe video will be released soon(ish).

Trimarc @TrimarcSecurity

May 23

Did you happen to miss @dotdotdotHorse & @JimSycurity @BSidesCharm? Well good news, you can view their abstract and download slides for their talk "AD & DNS: A Match Made In Heck" right now on the Trimarc content page. No registration required. Enjoy! hub.trimarcsecurity.com/post…

Show this thread

The DFIR Report · May 22, 2023 · 11:12 AM UTC

bohops retweeted

The DFIR Report @TheDFIRReport

May 22

IcedID Macro Ends in Nokoyawa Ransomware ➡️Initial Access: IcedID XLS Macro ➡️Credentials: LSASS, Creds in Files ➡️Persistence: Scheduled Task ➡️Lateral: RDP, SMB, WMI, WinRM, Psexec ➡️C2: IcedID, Cobalt Strike, VNC ➡️Impact: Nokoyawa Ransomware thedfirreport.com/2023/05/22… 1/X

IcedID Macro Ends in Nokoyawa Ransomware - The DFIR Report

Threat actors have moved to other means of initial access, such as ISO files combined with LNKs or OneNote payloads, but some appearances of VBA macros in Office documents can … Read More

thedfirreport.com

142

269

Show this thread