@re_and_more Another tip to maybe save folks some time. Sometimes shellcode assumes the presence of certain libraries in memory. If you see segfaults with ip=0 this can be an indicator that some dynamic import code broke due to using GetModuleHandleA or PEB loaded modules for library imports.
Curious about what's happening in the Windows Kernel after a Syscall?
I just wrote this post following the worfkflow from the Syscall instruction to the target kernel routine ⬇️
https://t.co/PDc5eXZCyk
Thanks again to @Set_hyx for the proofreading!
Following CERT-UA reports of phishing targeting ukr[.]net accounts of Ukrainian military personnel, Proofpoint identified a suspected compromised ukr[.]net account sending an evacuation themed malicious Excel document to a European government.
As you're reading this, note this point: adversaries likely had control of the AD server already. They were already in. There's a broader intrusion chain beyond just the wiper, it just isn't publicly known yet. I'm watching for any details on what happens BEFORE wiper deployment.
9 years ago I released my first project on GitHub: 'rp++' yet another ROP gadget finder 😊
I've finally carved out time to clean up the codebase and push the v2, check it out 🔥!
https://t.co/mnKlNwjZZl
APT31 is one of the most relevant attacker groups for political organizations in Western Europe.
This report contains details about the later killchain phases that were not yet publicly known.
Also some insights into the backdoor that controls the routers for anonymization.
We are #hiring Sr. Threat Detection Engineer https://t.co/rqnzCGdo7B You like PCAP? We got it. Write IDS rules for the Snort and Suricata platform.
Work with the open source community to maintain the ETOpen ruleset.
Research malware, exploit kits and vulns. #infosecjobs
I have some thoughts about https://t.co/AfXbh35cf7
They are claiming to make a scientific contribution with a novel class of vulnerabilities.
But that is not really true. Thread 🧵
Wanna disable Defender when enabled Isolated Core and Tamper protection?
Its a bit more trouble- but doable, without ruining Isolated Core/Secureboot etc.
Defenders process will run as a unkillable protected service- so new tricks needed.
Here we go:
My teammate @_humpalum published a script for #010Editor that takes the currently selected bytes and puts them in a @virustotal "content"-search
We recommend assigning a keyboard shortcut to access it more quickly
https://t.co/q3CpOcGwe9
The exploit developer that Kaspersky tracks as "Moses" is Exodus Intelligence...
From Kaspersky: "we believe at least six vulnerabilities observed in the wild in the last two years have originated from Moses"¹
https://t.co/aUTkJL9POC
¹ https://t.co/lCdPNvb4kl
Thanks to @revskills for a cool idea, CVE-2021-40444 reached over most of Windows browsers. 2 clicks needed to exploit this. This chain uses a new bug i've just informed to MS hours ago and patches for affected browsers incoming soon. Further details once fully fixed.
I'm too late at CVE-2021-40444 party. But i just wanted to take a look at MSIE exploitation. Awesome to see a full exploit (RCE w/ sandbox escape) only using 6 lines of javascript code. Cool no doubt.