Initially I faced issues searching for Cybersecurity relevant Discord servers, most of them were "native - user" based community servers, and often not active. The list below can skyrocket anyone who wishes to network and learn more via exploring different domains of Cybersec
I have curated a long list of amazing discord servers which feature plentiful of domains in Cybersecurity, ranging from Threat Hunting & Incident response, penetration testing, bug bounties and so on
https://t.co/pGBgPph262
Feel free to join them!
Had a blast talking with @Teach2Breach about offsec topics :D Take a look!
Especially enjoyed sharing my experience and the amazing people I learned from.
The Gentlemen ransomware, in a BYOVD attack, used a zero-day exploit to kill EDRs before deploying their payload. The driver they abused wasn't on any public blocklist. Here's our analysis of their techniques. 🧵
One of the most rewarding parts of offensive security is building the tooling by yourself
I’ve just finished writing a course that walks through developing a C2 framework from scratch, covering:
• GUI server architecture
�� HTTP/HTTPS beacon implementation
• Filters redirector implementation and designing
• Tasking and communication protocols
• Client/Server architecture
…. and more
Understanding how these components work internally provides a much deeper perspective than simply using existing frameworks
Thank you @WKL_cyber for the trust and the opportunity to develop and deliver this course
Course link:
https://t.co/1yhoLra95B
Here are the slides from our @WEareTROOPERS presentation - "Modern Adventures in Azure Privilege Escalation"
This was a fantastic conference and I'm so glad that we finally got to do this. I have a few more thoughts on it in the thread 🧵
https://t.co/Oo79xv2SDb
Hey guys! Been tinkering a lot with Claude Code and MCP in Python and thought it'd be fun to code a makeshift C2. My latest blog post goes over the ins and outs of what I came up with. This is for educational/learning purposes as always. Thanks!
https://t.co/6YGjWXvdLh
Following on our series: An Introduction to Modern Malware Development for Red Teams, today's episode is all about Portable Executables.
In this blog post, I walk you through what are PEs, what known file types are, in fact, PEs, what is their structure and what are the detection opportunities security products leverage to stop your tooling from executing even before it gets a chance to start.
Up next we will be diving into Process and Threads so we can set the stage for process injection techniques. Stay tune.
You can read the article here: https://t.co/ORKHtl4Uww
Keep hacking,
Sp1d3rM_*^!
Ever wanted to find hot single SOC analysts in your area? TrollStackSpoofing now has built in one-way messaging for all your operational needs.
(I'll stop now, Sorry)
Releasing WindowsSentinel v1. A WDAC deployment and hardening tool for Windows where it blocks untrusted and unsigned executables at the kernel level before they ever run. Built for sysadmins, SOC teams, and red teamers
GitHub: https://t.co/KjVE3K3PFD
For sysadmins: One guided wizard, one reboot and fully locked down and controlled system
The tool scans your installed apps, auto-detects your AV/EDR, builds a whitelist using publisher certificate rules, lets you select which LOLBAS binaries to deny, then deploys the policy
For SOC teams: Deploy in Audit Mode and let it run for a few days before enforcing. Then run: Deploy-WDAC.bat /report
The report gives you:
→Event ID 3076: this the audit mode event which everything that WOULD be blocked
→ Event ID 3077: this is the enforce mode event where everything actively blocked after enforce
Review audit event carefully and any legitimate process appearing there needs to be whitelisted before you enforce the policy otherwise you'll block something that matters
Once satisfied run with /enforce or /harden lock everything and have full controlled environment
For red teamers: Want to sharpen your skills in a hardened Windows environment? Set up a lab VM and deploy the tool with maximum restrictions, here is my recommendation for you:
In step 2, select A for file extensions (all extensions enforced)
In step 3 for VMware Tools input Y (so you can still copy files into the VM)
In step 6 LOLBAS, select A (all 31 binaries denied), then run with /enforce flag and try to run your binary or load your DLL 😎
Once that task is achieved, run with /harden flag, a full lockdown and controlled environment. Publisher rules only are set and LOLBAS are denied. NTFS ACLs on every blocked binary, Desktop and Downloads blocked as execution paths
Here's the honest part:
WDAC is bypassable, there are known limitations in *****-based rules 🫣 and certain edge cases in the ConfigCI engine. If you find a bypass in this setup you have a good mind set, then go again with /harden and see if the additional layers stop you or not 😎
Good luck.
You'll need it👊💀
WinGet 📍
Microsoft’s command-line for discovering, installing, upgrading, configuring, and removing applications on Windows. It is commonly used by Administrators and developers to automate software deployment and system setup.
However, it can be abused to proxy execution and evade detection. Threat actors can execute arbitrary PowerShell scripts in the form of YAML files without invoking standard PowerShell processes which endpoint detection and response technologies heavily monitor.
Read: https://t.co/x6lYtYj8eI
EDRUnChoker😀registers a permanent WMI subscription with a 5-second timer runs embedded VBScript (fileless) that deletes malicious MSFT_NetQosPolicySettingData policies targeting known security products or aggressive app-path throttles.
https://t.co/A1hcrpav2X
Round two!
Yesterday was one report, here’s another: an unpatched NTLM coercion via the Windows Search (search-ms://) URI handler.
Same questions about how it got handled. It’s all in the writeup, timeline included.
https://t.co/eMbyEGbx8b
This guy sucks. At my first Pwn2Own he asked me over and over if it was my first CVE. I said no but he kept insisting, in front of everyone, he’d never seen my name credited before. Turns out he was confusing me with another woman in infosec. In charge of security research engagement for MSRC btw
🚨 Supply Chain ALERT New Phase of “Miasma: The Spreading Blight” 🚨
A new wave of the npm supply chain campaign, Miasma: The Spreading Blight
Targets include @vapi-ai/server-sdk & ai-sdk-ollama. Attackers are using a new autorun install method exploiting node-gyp shell expansion.
We have updated our previous blog:
https://t.co/gFhlSCFzOu
While we implemented this protocol in Responder we didn't even test such lame fuzzing, assuming MSFT would have batch tested username len over the past 30 years..
We're in Novell Netware territory:
https://t.co/Kh7qoo4cvv
At @BsidesHbg yesterday I did a talk about how I built a modular asset discovery framework by using open source tooling to help automate my work when handling large engagements.
That tool is called cygor: https://t.co/5weW4QnQr5
FWIW I tried using oxidiser to see how good it was at de-virtualising the vtable dynamic dispatch, and it basically did the same as Ida.
So, I tried making a basic Ida plugin to find and de-virtualise vtables, then swapped to Claude cos tokens go brrrrrrrt and i'm tired. It did a pretty good job, made it write a fairly complex rust program using lots of different types of dynamic dispatch patterns, and with each iteration of complexity added, claude was able to retrospectively add better algorithms to detect report it.
Honestly, impressed. AI tooling and vibe coding for malware analysis, reverse engineering, really speeds things up. If I were to code all this by hand you are talking days of work really to understand the plugin ecosystem, then how to use all the many APIs and then tune the algorithms etc etc etc.. cool stuff.
Screenshots attached, and it also wrote a cool GUI page with a summary of the vtables.
My Wyrm C2 made some use of dynamic dispatch so when I get some more energy I might do a before / after analysis of it in Ida without and with the plugin. I also need to see if this works for C++ vtables, as its now basically vibe coded.. I do not know lol D: