Forwarded from road to OSCP
[ Living Off the Land: Windows Post-Exploitation Without Tools ]
Blog about post-exploitation using only built-in, signed Microsoft tools (PowerShell, WMI, certutil, bitsadmin, and more), without uploading any custom binaries or dropping suspicious artifacts.
https://xbz0n.sh/blog/living-off-the-land-windows
(note from admin: don't forget that PS/WMIC and other things that are described in this article will also be detected)
Blog about post-exploitation using only built-in, signed Microsoft tools (PowerShell, WMI, certutil, bitsadmin, and more), without uploading any custom binaries or dropping suspicious artifacts.
https://xbz0n.sh/blog/living-off-the-land-windows
(note from admin: don't forget that PS/WMIC and other things that are described in this article will also be detected)
1👾8🔥1
Forwarded from Source Byte
K7 Antivirus: Named pipe abuse, registry manipulation and privilege escalation
https://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html
#CVE-2024-36424
https://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html
#CVE-2024-36424
🔥5
MuddyWater: Snakes by the riverbank
MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook
MuddyWater targets critical infrastructure in Israel and Egypt, relying on custom malware, improved tactics, and a predictable playbook
🔥5
Reverse Dungeon
https://securelist.ru/sovmestnye-ataki-4bid-bo-team-red-likho/114124
This media is not supported in your browser
VIEW IN TELEGRAM
👾2
Forwarded from Offensive-SEC
Trainsec - MAoS – Malware Analysis on Steroids Bundle
🔗 Download
Info : https://trainsec.net/courses/maos-malware-analysis-on-steroids-bundle/
@offenciveSec
🔗 Download
Info : https://trainsec.net/courses/maos-malware-analysis-on-steroids-bundle/
@offenciveSec
👍8
CLR Unhooking Tool
Matthew Graeber (@mattifestation) - Reverse engineering InternalCall methods and CLR internals
#clr #bypass #rev
Note: For this to have the effect of a clean CLR, you’d need to manually map the DLL from disk into memory. You cannot use LoadLibraryA/W, because antivirus solutions will detect the DLL load event and may hook it immediately. If you want this behavior, you can look up existing manual mappers on GitHub and integrate one into your codebase. I’m not including one here, as AV vendors generally don’t appreciate thatA native C++ utility that bypasses EDR/AV hooks in the .NET Common Language Runtime by restoring the original nLoadImage function implementation.
Matthew Graeber (@mattifestation) - Reverse engineering InternalCall methods and CLR internals
#clr #bypass #rev
👾3🕊1
LazyHook is a stealthy API hooking framework that bypasses Host Intrusion Prevention Systems (HIPS) through call stack spoofing. By leveraging CPU-level hardware breakpoints and Vectored Exception Handling, it executes arbitrary code as if it originated from trusted, Microsoft-signed modules—completely fooling behavioral analysis engines that rely on call stack inspection and module origin verification.
#callstackspoofing #edr
Evade behavioral analysis by executing malicious code within trusted Microsoft call stacks
Uses hardware breakpoints + VEH to hijack legitimate functions and spoof module origins
│ 1. Target Function Call
│ ↓
│ 2. CPU Debug Register Triggers (DR0-DR3) │
│ ↓
│ 3. EXCEPTION_SINGLE_STEP Raised │
│ ↓
│ 4. VEH Handler Intercepts Exception │
│ ↓
│ 5. Execution Redirected to Hook Function │
│ ↓
│ 6. CallOriginal() Temporarily Disables Breakpoint
│ ↓
│ 7. Original Function Executes │
│ ↓
│ 8. Breakpoint Re-enabled
#callstackspoofing #edr
👾5
👾6
Prince of Persia: A Decade of Iranian Nation-State APT Campaign Activity under the Microscope
See how a SafeBreach researcher tracked the malicious threat actor to achieve unprecedented visibility into the group’s ongoing operations, including activity as recently as December 2025.
🔥4