Same tools in every breach report for a decade. ScreenConnect. AnyDesk. Signed drivers nobody patched. The binaries Windows ships by default. The cyber security industry built LOLRMM, LOLDrivers, and LOLBAS to catalog all of it, and every year the techniques came back. Blockable. Just not being blocked by anyone.
Turns out it was on us.
June 9th · 2PM EST · The founders go live.
🎙️Join us: https://t.co/MkaQeQ9CEE
Register here for updates: https://t.co/6feNkfHsDv
Stop wrestling with complex tool syntax. 🛠️
By leveraging MCP for Atomic Red Team, Hare shows off a "fuzzy API" that streamlines your adversary emulation workflow.
Speed up your testing—check out our latest episode of SecOps Weekly: https://t.co/1eMD4LOyPc
The https://t.co/GQYFpObADC project just had its biggest month ever. 🙌
In April alone, we merged 12 PRs adding 90+ new vulnerable kernel driver entries to the database. LOLDrivers now tracks 615 unique drivers across 2,121 known vulnerable samples.
Here’s what the updated security metrics dashboard shows:
✅460 samples (21.7%) load despite HVCI / Memory Integrity being enabled
✅1,523 samples (72.7%) are LOLDrivers-exclusive, meaning they are NOT covered by Microsoft’s recommended vulnerable driver blocklist
✅Only 573 samples overlap with Microsoft’s block rules
That gap matters. Legitimate signed drivers from Intel, AMD, HP, Corsair, ASUS, Dell, Clevo, Beckhoff, National Instruments, and dozens of other vendors are being actively weaponized in BYOVD (Bring Your Own Vulnerable Driver) attacks. Threat actors use these drivers to disable EDR/AV, escalate privileges, and bypass kernel security controls, all with validly signed code that Windows trusts by default.
ESET’s March 2026 research documented 54 EDR killers exploiting 35 vulnerable drivers. Akira and MedusaLocker ransomware operators are abusing ThrottleStop.sys. Process-kill drivers like DsArk64.sys (WHQL Microsoft-signed) can terminate PPL-protected processes with a single 4-byte IOCTL.
If your organization isn’t actively managing application control policies that address vulnerable drivers, you have a significant blind spot. Tools like LOLDrivers give defenders the data they need to close it.
Huge thanks to the security researchers who made this sprint possible, your contributions directly improve the defensive community’s ability to detect and block these threats.
Special thanks to @weezerOSINT , @rainbowdynamix , @DbgPrint and the KeServiceDescriptorTable project.
#BYOVD #LOLDrivers #WDAC #KernelSecurity #ThreatIntel #EDR #VulnerableDrivers
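One way to measure the blocklist gap this post describes against your own policy, as an added example (not LOLDrivers' own tooling): the script below takes a driver list shaped like LOLDrivers' drivers.json and a WDAC policy XML, counts how many known samples the policy's Deny hash rules cover, how many are "exclusive" to the list, and how many are flagged as loading despite HVCI. It assumes a simplified schema (per-sample SHA256, an Authentihash block, and a LoadsDespiteHVCI flag) and that WDAC Deny hash rules carry Authenticode hashes, so the comparison is done on the Authentihash value. Both inputs are constructed and every hash is a placeholder.

```python
"""Compare a LOLDrivers-style sample list against a WDAC driver blocklist.

Added example, not part of the LOLDrivers project. Assumed schema: one entry
per driver with a KnownVulnerableSamples list; each sample has a SHA256, an
Authentihash block, and a LoadsDespiteHVCI flag. The WDAC policy's <Deny>
file rules are assumed to carry Authenticode (PE image) hashes, which is why
the Authentihash SHA256 is what gets compared. All hashes are placeholders.
"""
import json
import xml.etree.ElementTree as ET

# Constructed LOLDrivers-style entries (placeholder hashes, not real samples).
DRIVERS_JSON = json.dumps([
    {
        "Tags": ["example_a.sys"],
        "KnownVulnerableSamples": [
            {"SHA256": "a" * 64, "Authentihash": {"SHA256": "1" * 64},
             "LoadsDespiteHVCI": "TRUE"},
            {"SHA256": "b" * 64, "Authentihash": {"SHA256": "2" * 64},
             "LoadsDespiteHVCI": "FALSE"},
        ],
    },
    {
        "Tags": ["example_b.sys"],
        "KnownVulnerableSamples": [
            {"SHA256": "c" * 64, "Authentihash": {"SHA256": "3" * 64},
             "LoadsDespiteHVCI": "FALSE"},
        ],
    },
])

# Constructed WDAC policy fragment in the shape of a driver block rules file:
# one hash-based Deny (covers the second sample) and one version-based Deny.
POLICY_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <FileRules>
    <Deny ID="ID_DENY_EXAMPLE_1" FriendlyName="example_a.sys" Hash="{h}" />
    <Deny ID="ID_DENY_EXAMPLE_2" FriendlyName="example_b.sys by version"
          FileName="example_b.sys" MaximumFileVersion="1.0.0.0" />
  </FileRules>
</SiPolicy>""".format(h="2" * 64)


def policy_deny_hashes(policy_xml: str) -> set:
    """Collect the Hash attribute of every <Deny> rule, ignoring the XML namespace.

    Version-based Deny rules (FileName plus version bounds) are skipped: they
    cannot be matched against a hash list without each sample's version info.
    """
    root = ET.fromstring(policy_xml)
    hashes = set()
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Deny" and el.get("Hash"):
            hashes.add(el.get("Hash").lower())
    return hashes


def coverage_report(drivers_json: str, policy_xml: str) -> dict:
    """Compute the dashboard-style metrics: total, HVCI-loadable, blocklisted, exclusive."""
    denied = policy_deny_hashes(policy_xml)
    samples = [s for d in json.loads(drivers_json)
               for s in d.get("KnownVulnerableSamples", [])]
    uncovered, hvci, covered = [], 0, 0
    for s in samples:
        if str(s.get("LoadsDespiteHVCI", "")).upper() == "TRUE":
            hvci += 1
        auth = s.get("Authentihash", {}).get("SHA256", "").lower()
        if auth and auth in denied:
            covered += 1
        else:
            uncovered.append(s)
    total = len(samples)
    return {
        "total": total,
        "hvci_loadable": hvci,
        "blocklisted": covered,
        "exclusive": total - covered,
        "exclusive_pct": round(100.0 * (total - covered) / total, 1) if total else 0.0,
        "uncovered": uncovered,
    }


def supplemental_deny_rules(report: dict) -> str:
    """Emit WDAC <Deny> hash rules for the samples the policy does not cover,
    as a starting point for a supplemental policy."""
    lines = []
    for i, s in enumerate(report["uncovered"], 1):
        auth = s["Authentihash"]["SHA256"]
        lines.append(f'<Deny ID="ID_DENY_LOL_{i}" FriendlyName="LOLDrivers {auth[:12]}" Hash="{auth}" />')
    return "\n".join(lines)


if __name__ == "__main__":
    rep = coverage_report(DRIVERS_JSON, POLICY_XML)
    print({k: v for k, v in rep.items() if k != "uncovered"})
    print(supplemental_deny_rules(rep))
```

Run against the real drivers.json and your deployed policy, the "exclusive" count is the number of known samples a pure hash comparison says your policy would still allow to load; version-based Deny rules need a separate check against each sample's file version before that number is treated as final.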
I wanted to follow up and let @M_haggis @nas_bench @Kostastsale @cyb3rbuff @_josehelps know that the Sysmon config for the LOLRMM framework is "effectively" complete for the primary areas of focus. I have intentions to add more filtering to it but it is.
https://t.co/pjGhu9Q9c4
🚀 Introducing LOAS: Living Off the Orchard - AppleScript
Excited to open-source LOAS (Living Off the Orchard: AppleScript) - a comprehensive library of AppleScript and JXA tests mapped to the MITRE ATT&CK® framework for macOS security testing.
Why LOAS?
Attackers increasingly leverage built-in macOS tools like AppleScript and JXA to access credentials, capture screenshots, and establish persistence—all without custom malware/tools. LOAS helps security teams test if their defenses can detect these living-off-the-land techniques.
Key Features:
🔴 Execute AppleScript and JXA tests
📦 Multiple Execution Methods: osascript, Swift, compiled binaries—each generating different endpoint logs
🔗 Atomic Red Team Integration: Pre-converted Atomic Red Team YAML format available in GitHub releases. If you already use Atomic Red Team, this would fit right into your workflow.
🤖 LLM-Ready: Compatible with Claude, ChatGPT, and Gemini for interactive exploration.
Prompt your AI to "Read https://t.co/d9V8mXUlrC. I would like to ask questions about it"
Getting Started:
Download pre-built tests from GitHub releases (https://t.co/Ai5pCxLLus) and start testing immediately. Full documentation and LLM-optimized guides are available at https://t.co/8VpLJrJbCZ
🔗 GitHub: https://t.co/qjwf8NQTpC
📖 Docs: https://t.co/8VpLJrJbCZ
📝 Blog: https://t.co/GUW0KbshxT
Feedback and contributions welcome! #macOS #RedTeam #BlueTeam #AdversaryEmulation #applescript
Thanks @_JohnHammond for spreading the word about Atomic Red Team MCP! Grateful to have advocates like you and @M_haggis amplifying this tool.
For anyone curious about AI powered security testing, check out the project here:
https://t.co/lhFRGLIOya
Associated Blogposts:
https://t.co/5p5H91Cnbo
https://t.co/eaoRP2tEem
Hat tip, kudos and credit where credit is due to @cyb3rbuff , big thanks for his tool and work on this Atomic Red Team MCP server! https://t.co/SQGMwq5cdT
🚀 Part 2 is here! "Atomic Red Team MCP #2: Claude becomes C2" - Breaking Everything, Everywhere, All at Once
Taking the next step from Part 1, Part 2 shows how to orchestrate atomic tests across multiple operating systems simultaneously.
🔧 What's new:
- Deploy MCP servers on Windows, Linux, and macOS
- Centralized AI control of distributed testing infrastructure
- Cross-platform attack scenarios with unified reporting
- Purple team workflows that combine attack + detection validation
💡 Real-world example: "Execute Cloudflare tunnel atomic on Windows, Linux, and macOS. Query Splunk MCP for any Cloudflare alerts and create Jira tickets for any detection gaps found."
🎯 Why this matters: Traditional BAS tools like Caldera and OpenAEV handle multi-platform execution, but require complex configuration and manual result correlation. AI-powered orchestration brings conversational intelligence to security testing - adapting scenarios based on results and reasoning through next steps.
🔗 Repository: https://t.co/lhFRGLIOya
📖 Read the full article here: https://t.co/LFIWpNCP4K
#AtomicRedTeam #MCP #AdversaryEmulation
🚀 Just released the Atomic Red Team MCP Server!
Brings 1500+ atomic tests directly into AI assistants like Claude. Search, create & validate security tests with natural language.
✨ "Show me all mimikatz tests"
✨ "Create atomic test for Chrome credential extraction"
✨ "Generate tests from this threat intel report"
Repo: https://t.co/lhFRGLIOya
🔴 @M_haggis is demoing it on YouTube today at 1 PM EST!
📖 Read the full story to learn more about the MCP: "Claude becomes the APT"
https://t.co/32ai9ZA3Sy
#atomicredteam #mcp #adversaryemulation
Special thanks to @OrOneEqualsOne and @M_haggis for beta testing and invaluable feedback!
🎃 Going live in 30 minutes!
Atomics on a Friday: Night of the Living Indicators - join us for live emulations, haunted artifacts, and MCP mayhem.
See you there… or on the recording. 👻⚛️
Twitch: https://t.co/54yXPSVO42
X
Linkedin
YT: https://t.co/B3kuKvoMyF
🧪 Deep in the lab, something modular is stirring...
This Friday, on Atomics on a Friday,
we’re unleashing @cyb3rbuff Atomic Red Team MCP 💥
Think of it as the Frankenstein’s lab of atomic testing - built for automation, precision, and chaos.
https://t.co/B3kuKvoeJ7
Thanks to @cyb3rbuff you can now leverage https://t.co/lVBYPiftK8's contents via Invoke-ArgFuscator.
Simply install the latest version from the PowerShell Gallery and use '-Command' to specify any of the supported commands (https://t.co/kJD0dU1Twd).
🤘 https://t.co/YzGda3tqzd
Two openings for AI Security Distinguished Engineers at Walmart. I have worked for Walmart for 7 years and I love it. I have also worked for the hiring manager and he is awesome. https://t.co/I6EnuZBgAe
🚨 The RMM threat landscape is evolving! 🚨
Recent attacks, like those highlighted by @HuntressLabs 🛡️ & CERT-UA 🇺🇦, show how adversaries 🎭 weaponize RMM tools 🛠️ for persistence 🔒 & lateral movement ↔️.
🔍 Enter LOLRMM: your 🧙‍♂️ ally in detecting 👀 & preventing 🚫 RMM abuse. From identifying unauthorized tools 🚨 to building robust defenses 🛡️, LOLRMM equips your SOC with the insights 📈 needed to stay ahead of attackers.
🛡️ Stay vigilant. Stay protected.
CERT-UA: https://t.co/jZzaQaRnLD
Huntress: https://t.co/atejQguRYp
🌐 Learn more: https://t.co/nr8hZE3Zcy
#RMM #ThreatDetection #LOLRMM #Cybersecurity
It Ends with Us. 💪🔥
@M_haggis I love the grouping option https://t.co/wAtjw64PSX where you can just mention a pattern (can be a wildcard too) and it groups all the dependency updates in a single PR.
⚛️ https://t.co/cZhrIXPqRm got a facelift! Our new #AtomicRedTeam testing interface features improved search and filtering, easier test execution, and more!
📽️ Here's a guided tour: https://t.co/hgdLbFOGFZ
🛠️ Announcing LOLRMM
Living Off The Land Remote Monitoring and Management
A centralized platform for tracking and managing RMM software that often gets abused by threat actors
By @M_haggis, @_josehelps, @cyb3rbuff, @Kostastsale, @nas_bench
https://t.co/Odc82GXeuX