Offensive Xwitter – Telegram
Offensive Xwitter
19.4K subscribers
908 photos
48 videos
21 files
2.09K links
~$ socat TWITTER-LISTEN:443,fork,reuseaddr TELEGRAM:1.3.3.7:31337

Disclaimer: https://news.1rj.ru/str/OffensiveTwitter/546
😈 [ db @whokilleddb ]

Just checking in: Has anyone talked about using LdrCallEnclave() to run shellcode before?

Technically you can also use CallEnclave() from Vertdll.dll or LdrpIssueEnclaveCall() from Ntdll.dll if you are about that unexported-function life.

PoC:

🔗 https://gist.github.com/whokilleddb/ef1f8c33947f6ceb90664ce38d3dcf04

🐥 [ tweet ]
🔥4🤔3
😈 [ Olaf Hartong @olafhartong ]

During my #BHUSA talk I've released many ETW research tools, of which the most notable is BamboozlEDR. This tool allows you to inject events into ETW, allowing you to generate fake alerts and blind EDRs.

🔗 https://github.com/olafhartong/BamboozlEDR

Slides available here:

🔗 https://github.com/olafhartong/Presentations/blob/master/BHUS25-Olaf_Hartong_-_Im_in_your_logs_now.pdf

🐥 [ tweet ]
🔥13👍3
😈 [ Gray Hats @the_yellow_fall ]

Kaspersky exposes a new AV killer leveraging the legitimate ThrottleStop.sys driver to disable antivirus software and deploy MedusaLocker ransomware in a BYOVD attack.

🔗 https://securityonline.info/byovd-attack-a-new-av-killer-exploits-a-legitimate-driver-to-neutralize-defenses-for-medusalocker-ransomware/

🐥 [ tweet ]
🔥5🤔5👍1
😈 [ Michael Weber @BouncyHat ]

Thanks to everyone who came out to see my talk! All of my code and the slides for my ChromeAlone presentation are available. If you're interested in developing malicious browser extensions give the code a look!

🔗 https://github.com/praetorian-inc/chromealone

🐥 [ tweet ]
🔥7😁1
😈 [ SpecterOps @SpecterOps ]

The AD CS security landscape keeps evolving, and so does our tooling. 🛠️

@bytewreck drops info on Certify 2.0, including a suite of new capabilities and refined usability improvements.

🔗 https://specterops.io/blog/2025/08/11/certify-2-0/

🐥 [ tweet ]
🔥3
😈 [ Ilan Kalendarov @IKalendarov ]

My team has found another CVE!
This time on Windows, it's an NTLM credential leakage vulnerability that bypasses Microsoft's patch for CVE-2025-24054

🔗 https://cymulate.com/blog/zero-click-one-ntlm-microsoft-security-patch-bypass-cve-2025-50154/

🐥 [ tweet ]
👍1
😈 [ eversinc33 🤍🔪⋆。˚ ⋆ @eversinc33 ]

As a little follow-up, I wrote a small blog post/tutorial on how to reverse engineer Windows drivers with IDA - this is aimed at people that never touched drivers before and covers IOCTL codes, IRPs and some IDA shenanigans with unions.

Enjoy :3

🔗 https://eversinc33.com/posts/driver-reversing.html

🐥 [ tweet ]
🔥11👍4
😈 [ Smukx.E @5mukx ]

Mega Malware Analysis Tutorial Featuring Donut

🔗 https://github.com/PaloAltoNetworks/Unit42-Threat-Intelligence-Article-Information/blob/main/Mega-Malware-Analysis-Tutorial-Featuring-Donut.pdf

TL;DR The purpose of this blog post is to walk our readers, particularly those who are just stepping into the realm of malware analysis, through our process of analyzing a unique .NET PE malware that loads.

🐥 [ tweet ]
🔥6
😈 [ Steven @0xthirteen ]

I wanted to find out if you could start the WebClient service remotely, so I ended up digging into it:

🔗 https://specterops.io/blog/2025/08/19/will-webclient-start/

🐥 [ tweet ]
🔥7
😈 [ Daniel @0x64616e ]

I stumbled upon this tweet and dug a bit deeper into the internals of ksetup.exe:

🔗 https://pentest.party/posts/2025/ksetup-machine-password/

When you are local admin and need machine account credentials this could be a viable alternative to the good old LSA dump.

🐥 [ tweet ][ quote ]
🔥7
😈 [ Two Seven One Three @TwoSevenOneT ]

"clipup.exe" in System32 is very powerful. It can destroy the executable file of the EDR service 😉 Experimenting with overwriting the MsMpEng.exe file.

Proactively creating processes with Protected Process Light (PPL) protection will give you more opportunities to abuse these processes. Detailed article:

🔗 https://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html

🐥 [ tweet ]
🔥12😁1
😈 [ spencer @techspence ]

A quick and easy way to find services with unquoted service paths is to open up PowerShell and run the following:

Get-WmiObject win32_service | select Name,PathName,StartMode,StartName | where {$_.StartMode -ne "Disabled" -and $_.StartName -eq "LocalSystem" -and $_.PathName -notmatch '"' -and $_.PathName -match ' '}  # enabled LocalSystem services whose binary path is unquoted and contains a space

🐥 [ tweet ]
👍21🍌7
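An added example that goes beyond the one-liner above (this is not code from the original tweet). It filters the same way (enabled, LocalSystem, unquoted, space-containing path), then derives every hijack candidate the spaces create (for C:\Program Files\Foo Bar\svc.exe these are C:\Program.exe and C:\Program Files\Foo.exe, which the SCM would try before the real binary) and probes whether the current user can actually drop a file in each candidate's directory. The function names Get-UnquotedServicePath and Test-DirectoryWritable are my own, not from any tool the page mentions.

```powershell
# Added example, not from the original tweet. Function names are assumptions.
# Probe write access by actually creating and deleting a random file; this is more
# reliable than reading the ACL, because it accounts for group membership and inheritance.
function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -ne 'Disabled' -and
            $_.StartName -eq 'LocalSystem' -and
            $_.PathName -notmatch '^"' -and          # not wrapped in quotes
            $_.PathName -match '^[A-Za-z]:\\' -and   # rooted path, not a bare image name
            $_.PathName -match ' '                   # at least one space to split on
        } |
        ForEach-Object {
            $svc = $_
            # Drop arguments: keep everything up to and including the ".exe" token.
            $exe = ($svc.PathName -split '(?i)(?<=\.exe)\s', 2)[0]
            # Each space in the image path yields one candidate the SCM tries first.
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Service   = $svc.Name
                    PathName  = $svc.PathName
                    Candidate = $candidate
                    Directory = $dir
                    Writable  = Test-DirectoryWritable -Path $dir
                }
            }
        }
}

# Usage: only the rows with Writable = True are exploitable from the current account.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

Run it as the low-privileged user you are trying to escalate from, not as an administrator, otherwise the write probe succeeds everywhere and tells you nothing. The candidate at the drive root (C:\Program.exe) will normally show Writable = False because Authenticated Users may create folders but not files there; the interesting hits are usually product directories with loose ACLs.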
😈 [ SpecterOps @SpecterOps ]

Cookie theft has evolved 🍪

Over the last year, stealing cookies on Windows devices has changed significantly for Chromium browsers like Chrome and Edge. Andrew Gomez dives into these changes, how threat actors adapt, & new detection opportunities.

🔗 https://specterops.io/blog/2025/08/27/dough-no-revisiting-cookie-theft/

🐥 [ tweet ]
🔥11
😈 [ Yuval Gordon @YuG0rd ]

BadSuccessor is dead… or is it?

The patch for CVE-2025-53779 fixed the priv-esc. While no longer a vulnerability, the tactic still applies in certain scenarios.
Defenders should be aware of it.

Details:

🔗 https://www.akamai.com/blog/security-research/badsuccessor-is-dead-analyzing-badsuccessor-patch

🐥 [ tweet ]
👍2🔥2
😈 [ Tijme Gommers @tijme ]

Exciting times. I'm publishing Dittobytes today after presenting it at @OrangeCon_nl !

Dittobytes is a true metamorphic cross-compiler aimed at evasion. Use Dittobytes to compile your malware. Each compilation produces unique, functional shellcode.

🔗 https://github.com/tijme/dittobytes

🐥 [ tweet ]
🔥14👍2
😈 [ Kurosh Dabbagh @_Kudaes_ ]

I just released MFTool, an NTFS parser that builds an in-memory map of a volume, allowing you to:
- Read any file without opening a handle
- Get the contents of locked/deleted files (registry hives, pagefile.sys, etc)
- Perform fast, in-memory searches across the entire disk

Although direct access to disk is not new at all, especially when it comes to forensics, I think this approach could be useful in a number of contexts during a RT engagement.

🔗 https://github.com/Kudaes/MFTool

🐥 [ tweet ]
🔥13👍2