_guzzy @cbh_security - Twitter Profile

about 1 month ago

@malmoeb @hackerkartellet Hi Stephan, I know its been a while since this was posted, but found it through Asger, and wanted to share that i've dug a but more into the tool and described the functionality here: https://t.co/luG2MYPsey

0

1

0

44

_guzzy @cbh_security

about 1 month ago

Faced GetScreen on a recent engagement, not much to find on it, decided to put some time documenting it. https://t.co/luG2MYPsey

0

20

cbh_security retweeted

DHH

@dhh

3 months ago

Best advice you can now give Danish entrepreneurs is to leave the country before anything gets off the ground. Danes better hope Novo never falters.

53

1K

44

90

127K

_guzzy @cbh_security

5 months ago

During an active ransomware case, we observed a threat actor silently install CodeMeter Runtime 8.20 from a user's temp directory and abuse it for local privilege escalation (CVE-2025-47809). Haven't seen this before, pretty neat. https://t.co/wxEAyjD3KM

0

1

0

124

Who to follow

n0zk

@n0zk__

Purple teamer | Privacy fighter | A lazy CTF player | I build, make and break weird stuff

Martin Sohn Christensen

@martinsohndk

Security Researcher @ SpecterOps

_guzzy @cbh_security

6 months ago

@cemaxecuter What did you use to publish to ATAK?

1

0

159

_guzzy @cbh_security

7 months ago

@_Gendy_ @IntCyberDigest Do we have any sources on this?

0

187

cbh_security retweeted

SpecterOps @SpecterOps

7 months ago

Credential Guard was supposed to end credential dumping. It didn't. @bytewreck just dropped a new blog post detailing techniques for extracting credentials on fully patched Windows 11 & Server 2025 with modern protections enabled. Read for more ⤵️ https://t.co/mYPHg1mTKj

11

737

335

486

137K

_guzzy @cbh_security

10 months ago

🧪 Microsoft has just rolled out a new addition to their logs, called Linkable token identifiers, which will help with tracing user sessions across most of their M365 services. https://t.co/cN5N8QuvSJ

0

2

0

54

_guzzy @cbh_security

11 months ago

https://t.co/YB56GE74jA

0

37

_guzzy @cbh_security

11 months ago

My 5 cents on the FileFix POC https://t.co/cNf4boqGDv

1

4

1

0

293

_guzzy @cbh_security

over 1 year ago

Source: https://t.co/8R4NvVQvN8

0

28

_guzzy @cbh_security

over 1 year ago

Was responding to a customer noticing outbound RDP connections originating from their DCs. After a few hours we noticed that MS Defender for Identity was present on the DCs, which we started digging further into, and found this in their documentation. Is this common knowledge?

cbh_security's tweet photo. Was responding to a customer noticing outbound RDP connections originating from their DCs. After a few hours we noticed that MS Defender for Identity was present on the DCs, which we started digging further into, and found this in their documentation. Is this common knowledge? https://t.co/XZ2lgAm9ps

1

0

96

_guzzy @cbh_security

over 1 year ago

@ForcepointSec also made a nice article about this campaign: XWorm Malware Targets United Kingdom’s Hospitality Sector- Forcepoint

0

1

0

57

_guzzy @cbh_security

over 1 year ago

Interesting phishing campaign delivering XWorm RAT. Infection chain: Phishing email --> User redirected to fake https://t.co/tlvImjSPlZ site --> Tricked to go through CAPTCHA with opening Win +R and pasting their clipboard --> Leads to mshta.exe downloading XWorm RAT #xworm

cbh_security's tweet photo. Interesting phishing campaign delivering XWorm RAT.

Infection chain:
Phishing email --> User redirected to fake https://t.co/tlvImjSPlZ site --> Tricked to go through CAPTCHA with opening Win +R and pasting their clipboard --> Leads to mshta.exe downloading XWorm RAT
#xworm https://t.co/v5sj7mTxKx

2

1

0

112

_guzzy @cbh_security

over 1 year ago

The TA was also utilizing NtSetValueKey native API to create a hidden auto run key for persistence. This is throws an error when displayed in regedit or Velociraptor. But opening with registry explorer reveals the key.

0

40