AudioDG Windows LPE
Audiodg.exe DLL hijacking for LPE with reboot-free restart primitive. Executes code as LOCAL SERVICE, escalates to SYSTEM via Scheduled Tasks.
Blog: Abusing Windows Audio for Local Privilege Escalation
DLL hijacking in the context of the audiodg.exe process which may load vendor-supplied APO-related DLL dependencies from system paths. Through this it is possible to execute code as “NT AUTHORITY\LOCAL SERVICE” and subsequently escalate to SYSTEM using Scheduled Tasks and Potato techniques.
@IRCyberGuardians
https://github.com/zh54321/SharePointDumper
Enumerates all SharePoint sites/drives a user can access via Microsoft Graph, recursively downloads files, and logs every Graph + SharePoint HTTP request for SIEM correlation, detection engineering, and IR testing.
@IRCyberGuardians
Swarmer
A tool for stealthy modification of the Windows 10/11 Registry as a low-privilege user via offline hive manipulation, avoiding detection by EDRs.
The workflow is straightforward:
• Export the target user’s HKCU registry (via reg export or our BOF-based approach)
• Make whatever modifications you want to the exported data
• Use Swarmer to convert the modified export into a binary hive
• Drop the resulting NTUSER.MAN file into the user’s profile directory
swarmer.exe exported.reg NTUSER.MAN
Or, if you want to add a startup entry in one shot:
swarmer.exe --startup-key "Updater" --startup-value "C:\Path\To\payload.exe" exported.reg NTUSER.MAN
Blog: Corrupting the Hive Mind: Persistence Through Forgotten Windows Internals
@IRCyberGuardians
Dump LSASS via physical memory read primitives in vulnerable kernel drivers, bypassing traditional user-mode detection capabilities.
https://github.com/RainbowDynamix/GhostKatz
@IRCyberGuardians
EDR-GhostLocker
AppLocker-Based EDR Neutralization
Blog: AppLocker Rules Abuse
Threat actors could abuse AppLocker to deploy rules that prevent EDR processes from executing, so that arbitrary commands and software can be run on the asset without EDR interference.
@IRCyberGuardians
AutoPtT
Enumerates Kerberos tickets and performs Pass-the-Ticket (PtT) attacks interactively or step by step. It is a standalone alternative to Rubeus or Mimikatz.
• auto - Automated Pass-the-Ticket attack
• sessions - List logon sessions. Similar to running klist sessions
• klist - List tickets in the current session. Similar to running klist
• tickets - List tickets in all sessions (not only TGTs). Similar to running Rubeus.exe dump
• export - Export a TGT given the LogonId. Similar to running Rubeus.exe dump
• ptt - Import a ticket file given the file name. Similar to running Rubeus.exe ptt
Blog: Automating the Pass-The-Ticket attack
@IRCyberGuardians
Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass.
https://github.com/0xsh3llf1r3/ColdWer
@IRCyberGuardians
CVE-2025-11730: Post-authentication Remote Code Execution via DDNS configuration in ZYXEL ATP/USG Series (V5.41)
By configuring a DDNS Profile with a crafted URL, it is possible to obtain a root shell.
Exploit: https://github.com/rainpwn/exploits/blob/main/zyxel/rainpwn_cve-2025-11730_ddns_rce.py
@IRCyberGuardians
ZERO-DAY ALERT: Automated Discovery of Critical CWMP Stack Overflow in TP-Link Routers https://blog.byteray.co.uk/zero-day-alert-automated-discovery-of-critical-cwmp-stack-overflow-in-tp-link-routers-0bc495a08679
@IRCyberGuardians
Update: CVE assigned, CVE-2025-9961 (NVD status: Awaiting Analysis).
Grafana CVE-2025-6023 Bypass: A Technical Deep Dive
https://blog.ethiack.com/blog/grafana-cve-2025-6023-bypass-a-technical-deep-dive
@IRCyberGuardians
anti-patterns and patterns for achieving secure generation of code via AI
https://ghuntley.com/secure-codegen/
@IRCyberGuardians
Leveraging Raw Disk Reads to Bypass EDR https://medium.com/workday-engineering/leveraging-raw-disk-reads-to-bypass-edr-f145838b0e6d
@IRCyberGuardians
Stealthy Persistence With Non-Existent Executable File https://www.zerosalarium.com/2025/09/Stealthy-Persistence-With-Non-Existent-Executable-File.html
@IRCyberGuardians
iOS/macOS Critical DNG Image Processing Memory Corruption Exploitation https://pwn.guide/free/hardware/cve202543300
@IRCyberGuardians