All opinions expressed here are mine only (not of my employer etc). Developer @MDSecLabs

Joined May 2020
modexp retweeted
SonicWall researchers recently observed a new variant of GuLoader. They look at unpacking its shellcodes, a new anti-debug technique it deploys, and its custom Vectored Exception Handler. securitynews.sonicwall.com/x…
modexp retweeted
A file copy is usually logged as a file creation by EDR/Sysmon; using the call stack helps target this behaviour. Coupled with a DLL sideload (same dir) where the copied PE is MS-signed, this is a use case I always wanted to try. Examples of matches (UAC bypass & WerFault sideload): github.com/elastic/protectio…
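The correlation sketched in the retweet above, as an added example in Python that is not code from the tweet's author or from the Elastic protections-artifacts repository. It assumes a hypothetical, constructed event schema (file-create events carrying a symbolised call stack and signer information, library-load events carrying the loading process and signer) and constructed sample telemetry; the copy-API frame names it keys on (KERNELBASE.dll!CopyFileExW and similar), the signer strings, the system-directory list and the five-minute window are all assumptions.

```python
"""Flag a Microsoft-signed PE that was *copied* (not merely written) into a
non-system directory and then loaded a non-Microsoft DLL from that same
directory: the copy + same-dir sideload pattern from the tweet above.

The event schema is hypothetical and constructed for this example; real EDR
telemetry (Elastic, Sysmon) uses its own field names.
  file_create:  ts, process, path, callstack (["module!symbol+0x..", ...]),
                signer, trusted
  library_load: ts, process, path, signer, trusted
"""
from __future__ import annotations

import ntpath

# Assumption: stacks are symbolised as "module!function+offset". A file
# creation whose stack passes through a copy/move API is a copy rather than
# a fresh write by the process's own code.
COPY_API_PREFIXES = (
    "kernelbase.dll!copyfile",
    "kernel32.dll!copyfile",
    "kernelbase.dll!movefile",
    "kernel32.dll!movefile",
)
MICROSOFT_SIGNERS = ("microsoft windows", "microsoft corporation")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WINDOW_SECONDS = 300.0  # assumption: copy and sideload happen within five minutes


def is_copy_stack(frames: list[str]) -> bool:
    """True if any frame in the call stack comes from a file copy/move API."""
    return any(f.lower().startswith(COPY_API_PREFIXES) for f in frames)


def is_microsoft_signed(event: dict) -> bool:
    """Trusted signature chain and a Microsoft signer name."""
    signer = (event.get("signer") or "").lower()
    return bool(event.get("trusted")) and signer.startswith(MICROSOFT_SIGNERS)


def outside_system_dirs(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_DIRS)


def find_copied_pe_sideloads(events: list[dict]) -> list[dict]:
    """Correlate copied Microsoft-signed EXEs with a later same-directory,
    non-Microsoft DLL load performed by that EXE. One alert per match."""
    copied: list[dict] = []
    alerts: list[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_create":
            if (ev["path"].lower().endswith(".exe")
                    and is_copy_stack(ev.get("callstack", []))
                    and is_microsoft_signed(ev)
                    and outside_system_dirs(ev["path"])):
                copied.append(ev)
        elif ev["type"] == "library_load":
            if is_microsoft_signed(ev):
                continue  # an OS-signed DLL is an expected dependency, not a sideload
            for c in copied:
                same_exe = ev["process"].lower() == c["path"].lower()
                same_dir = (ntpath.dirname(ev["path"]).lower()
                            == ntpath.dirname(c["path"]).lower())
                if same_exe and same_dir and 0 <= ev["ts"] - c["ts"] <= WINDOW_SECONDS:
                    alerts.append({
                        "process": ev["process"],
                        "dll": ev["path"],
                        "copied_by": c["process"],
                        "copy_frame": next(f for f in c["callstack"]
                                           if f.lower().startswith(COPY_API_PREFIXES)),
                        "seconds_after_copy": ev["ts"] - c["ts"],
                    })
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # 1. A stager copies WerFault.exe out of System32 into a user-writable dir.
    {"ts": 100.0, "type": "file_create", "process": "C:\\Users\\bob\\stage.exe",
     "path": "C:\\Users\\Public\\wer\\WerFault.exe",
     "callstack": ["KERNELBASE.dll!CopyFileExW+0x1a2", "stage.exe!sub_401000+0x33"],
     "signer": "Microsoft Windows", "trusted": True},
    # 2. The copy runs and loads an unsigned DLL beside itself: the sideload.
    {"ts": 101.5, "type": "library_load",
     "process": "C:\\Users\\Public\\wer\\WerFault.exe",
     "path": "C:\\Users\\Public\\wer\\payload.dll", "signer": None, "trusted": False},
    # 3. The same copy also loads a genuine OS DLL: not a sideload.
    {"ts": 101.6, "type": "library_load",
     "process": "C:\\Users\\Public\\wer\\WerFault.exe",
     "path": "C:\\Windows\\System32\\ntdll.dll",
     "signer": "Microsoft Windows", "trusted": True},
    # 4. A browser writes a downloaded signed EXE chunk by chunk (no copy API in
    #    the stack); it later loads an unsigned DLL, but that is outside this rule.
    {"ts": 200.0, "type": "file_create",
     "process": "C:\\Program Files\\Browser\\browser.exe",
     "path": "C:\\Users\\bob\\Downloads\\tool.exe",
     "callstack": ["ntdll.dll!NtWriteFile+0x14", "browser.exe!WriteChunk+0x5a"],
     "signer": "Microsoft Corporation", "trusted": True},
    {"ts": 203.0, "type": "library_load",
     "process": "C:\\Users\\bob\\Downloads\\tool.exe",
     "path": "C:\\Users\\bob\\Downloads\\helper.dll", "signer": None, "trusted": False},
]

if __name__ == "__main__":
    for alert in find_copied_pe_sideloads(SAMPLE_EVENTS):
        print(alert)
```

Only the WerFault.exe copy is reported: the call-stack check is what separates a copy of an OS binary from an ordinary file write, the directory filter keeps legitimate installers that copy Microsoft-signed binaries into Program Files out of scope, and the signer check on the loaded DLL keeps normal OS dependencies from firing. Copies done through a process's own ReadFile/WriteFile loop will not show a copy API frame and are deliberately not matched, which is the scope the tweet describes.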
Hundreds of models of Gigabyte motherboards, used in gaming and other high-performance computers, have a backdoor in their firmware that invisibly downloads code to the machine at startup—and does so insecurely, leaving the feature open to abuse. wired.com/story/gigabyte-mot…
modexp retweeted
New process injection technique through entry point hijacking.
- Threadless or threaded, at will.
- No hooking.
- No RWX memory permissions.
- No new threads with start address pointing to the injected shellcode.
github.com/Kudaes/EPI
modexp retweeted
WinDiff - Browse and compare exports, debug symbols and debug types of PEs between Windows versions. WinDiff is a streamlined revamp of ntdiff, wired directly to Winbindex to fetch Windows updates and PEs automatically. App: windiff.vercel.app Repo: github.com/ergrelet/windiff
Akamai researchers have identified 3 vulnerabilities in MS-RPC runtime, all with a base score of 8.1. In our latest blogpost, see how an integer overflow in a dynamic array can lead to RCE in the RPC runtime. Write-up: akamai.com/blog/security-res…
modexp retweeted
Tired by EDRs and AVs continuously flagging your executables? This program terminates protected anti-malware processes by exploiting the GMER driver github.com/ZeroMemoryEx/Blac…
modexp retweeted
SectorC: a C Compiler written in x86-16 assembly that fits within the 512 byte boot sector of an x86 machine. In a base64 encoding, it looks like this: xorvoid.com/sectorc.html
modexp retweeted
New Blog - Unmasking Ransomware Using Stylometric Analysis: Shadow, 8BASE, Rancoz. A useful CTI trick that can be used for much more than ransom-note comparison, but hopefully it illustrates the potential of Stylometric Analysis! 🔗 blog.bushidotoken.net/2023/0… #CTI
170 of the loldrivers.io drivers load with the most recent HVCI driver blocklist. Do with this information what you will.
modexp retweeted
Intel wants to go fully 64-bit and drop the legacy modes… cdrdv2-public.intel.com/7766…
modexp retweeted
The implant, named "Horse Shell", provides attackers with remote shell access, file transfer abilities, and tunneling capabilities. Although compiled for MIPS, it is meticulously designed to be firmware-agnostic, indicating potential use against various vendors' devices. >>
modexp retweeted
Microsoft open-sources a new AI library that connects to open-source GPTs, not just OpenAI. github.com/microsoft/guidanc…
modexp retweeted
Check Point researchers have discovered & analysed a malicious firmware implant tailored for TP-Link routers, used in campaigns linked to the Chinese APT group Camaro Dragon. The Horse Shell router implant provides remote shell, file transfer & SOCKS tunneling. research.checkpoint.com/2023…
modexp retweeted
Excited to have several of our engineers @offensive_con this week! Among them will be @yarden_shafir, who gives us an intro to Windows Notification Facility's (WNF) Code Integrity features in our latest blog post. blog.trailofbits.com/2023/05…