One of the best FREE Windows exploit development and security research blogs out there. Kernel pool exploitation. PTE overwrites. HVCI and kernel CFG bypass. XFG internals. Browser type confusion. Kernel shadow stacks. Secure kernel internals. ARM64 Pointer Authentication bypass. ETW and PPL research.
Covers everything from ROP fundamentals all the way to cutting edge ARM64 and VBS security research. Still actively publishing in 2026.
https://t.co/tyfevXiWOp
Author: @33y0re
#ExploitDevelopment #WindowsInternals #ReverseEngineering
🧙 We built Grimoire: a single search box for every offensive playbook, fully offline.
Type ssrf, kerberoast, jwt, sudo and instantly hit the right page across more than 100 curated sources at once. 🔍⚡
FuzzySecurity covers usermode exploitation, kernel exploitation, privilege escalation, persistence, credential theft, lateral movement, UAC bypass, heap internals, ROP chains, shellcoding, RFID hacking, and malware analysis. All free.
One of the few resources that takes you from basic buffer overflows all the way to kernel pool overflow and GDI bitmap abuse in a single series.
https://t.co/sBuYFKewBc
Author: @FuzzySec
#ExploitDevelopment #ReverseEngineering #InfoSec
Releasing DCOMIllusionist as part of our talk on DCOM at @x33fcon with @k3vinTell. It's a remote, in-memory, fileless lateral movement technique based on some research by @tiraniddo.
https://t.co/XLljazKmnH
Aether is a Windows memory-forensics and threat-hunting tool that scans live process memory for malicious patterns, detects injection techniques, implant signatures and reflectively loaded .NET assemblies. It works with a multi-layer confidence model that dramatically reduces the false positive rate and hunts for malicious behaviour.
https://t.co/3rZVu9gvVl
Alexandre Borges has published over 700 pages of free security, malware and vulnerability research.
A complete Malware Analysis Series covering Windows, macOS, iOS, Linux and shellcode. An Exploiting Reversing Series covering Windows kernel exploitation, Hyper-V, Chrome, and a three-part deep dive on CVE-2024-30085.
No paywall. No course. Just research. Free as in beer.
https://t.co/x516DQRcB8
Author: @ale_sp_brazil
#ReverseEngineering #MalwareAnalysis #InfoSec
We know what probably happened.
From what we see publicly, NightmareEclipse doesn't communicate well, is emotionally immature, and appears to want to extort Microsoft.
Almost certainly, this played a part in the conflict between them and Microsoft -- it's probably as much NightmareEclipse's fault as Microsoft's.
With that said, everything Florian says is correct. It doesn't excuse Microsoft's failures. They are supposed to be the responsible one.
When there is miscommunication or dispute, it's always allowable to drop 0day, regardless of whose fault it is. It's Microsoft's job to avoid that, even when they really aren't at fault for the miscommunication.
But Microsoft has convinced themselves of the opposite, that "responsible" disclosure means only the responsibilities of the vuln finder.
Vuln finders have no responsibility. Dropping 0day is responsible. Responsible companies don't have so many bugs.
We let industry subvert the disclosure process. Instead of working to secure their code, vendors have tricked people into believing in the myth of "responsible disclosure", that vendors should be given time to fix and patch their bugs so they are never to blame for the bugs to begin with.
That's why you have customers still buying Fortinet appliances even though their bugs continue to be major sources of customers getting hacked. Customers shrug their shoulders: as long as Fortinet has a vulnerability disclosure program and releases patches, they aren't responsible for when hackers keep breaking into their boxes.
This is garbage. Vendors are still responsible for preventing bugs in the first place, a responsibility that doesn't go away just because they patch.
Regardless of what happened, Microsoft's threats are a gross violation of ethics in the industry.
Tools like Snaffler are great, but crawling SMB shares creates a telemetry nightmare. You instantly light up the SIEM with:
- 5140 / 5145 (Network Share Access)
- 4656 / 4663 (Object & File Access)
So I built Invoke-WindowsSearch to query the native Windows Search DB (OLE DB) directly via WinRM/RPC. It extracts the targets without touching the actual files, completely bypassing the 4663 and 5145 detection footprint.
Trade-offs: Requires the WSearch service (disabled by default on Server OS) and lacks complex regex capabilities. Know your environment before execution.
#RedTeam #ActiveDirectory #OPSEC #ThreatHunting #PowerShell
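An added example, not part of the post above or of either tool it names: a small detection over constructed 5140/5145 records that flags the share-crawl pattern the post says lights up a SIEM. The event layout, account names, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(eid, ts, user, src, share, obj):
    # Minimal stand-in for a parsed Security-log event (constructed, not real telemetry).
    return {"id": eid, "ts": ts, "user": user, "src": src, "share": share, "obj": obj}


# Constructed sample: one account sweeps 30 distinct files across two shares in
# under a minute (crawler-like); another opens three files over a morning.
SAMPLE_EVENTS = [
    _ev(5140, datetime(2026, 3, 1, 9, 0, 0), "CORP\\jdoe", "10.0.0.5", "\\\\*\\finance", ""),
] + [
    _ev(5145, datetime(2026, 3, 1, 9, 0, 2 * i), "CORP\\jdoe", "10.0.0.5",
        "\\\\*\\finance" if i % 2 else "\\\\*\\hr", f"\\docs\\file{i}.docx")
    for i in range(30)
] + [
    _ev(5145, datetime(2026, 3, 1, 8 + i, 0, 0), "CORP\\asmith", "10.0.0.9",
        "\\\\*\\finance", f"\\reports\\r{i}.xlsx")
    for i in range(3)
]


def detect_share_crawl(events, threshold=20, window=timedelta(minutes=5)):
    """Return {(user, src): peak} for principals that touched at least
    `threshold` distinct share objects (event 5145) inside any `window`.
    5140 marks the share connection; 5145 fires once per object, so it is
    the high-volume signal a crawl produces."""
    touches = defaultdict(list)
    for e in events:
        if e["id"] == 5145:
            touches[(e["user"], e["src"])].append((e["ts"], (e["share"], e["obj"])))
    hits = {}
    for key, rows in touches.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(rows):
            # Sliding window anchored on each access; count distinct objects.
            distinct = {obj for t, obj in rows[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for (user, src), n in detect_share_crawl(SAMPLE_EVENTS).items():
        print(f"share crawl suspected: {user} from {src}, {n} objects in 5 min")
```

As the post itself notes, a query against the Windows Search index produces none of these file-access events, so this rule only covers the crawl path and the index-query path needs its own telemetry.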
The Hacker Recipes is the AD attack bible that OSCP prep guides forget to mention.
Kerberos delegation abuses.
NTLM relay chains.
DCSync paths.
Constrained vs unconstrained delegation.
https://t.co/sOQy6OwG7S
Chat, I don't want to be that guy, but I think Microsoft has really pissed off security researchers and we're approaching the tipping point.
This Eclipse guy has really rocked the boat for Microsoft.
I've released a new version of PowerBGInfo, a PowerShell alternative to BGInfo. It's a complete rewrite, doesn't depend on other modules and should be easier to maintain, with more features and functionality including Charts.
🔗 https://t.co/URd2PrywL0