Security person who likes writing code

Joined August 2020
Pinned Tweet
I'm finally releasing a project that I've been working on for a little while now. Here's Boflink, a linker for Beacon Object Files. github.com/MEhrn00/boflink Supporting blog post about it. blog.cybershenanigans.space/…
Matt Ehrnschwender retweeted
We think of WASM as a mechanism to run compiled code in your browser, but what if we shimmed in all the host APIs necessary to run full implants with ALL logic entirely in the WASM VM? This post walks through what that looks like. praetorian.com/blog/wasmforg… #wasm #malware #sliver
Matt Ehrnschwender retweeted
Some interesting new "Agent account model" APIs/structures in the current Canary build (28020). Not exported anywhere yet - looks like the new "IsoEnvBroker.dll" calls 4 of them via NdrClientCall3 (RPC) to LSARPC:
- 146 (LsarCreateAgentAccount)
- 147 (LsarRetrieveAgentLogonCredential)
- 148 (LsarEnumerateAgentAccounts)
- 149 (LsarDeleteAgentAccount)
Got a "Hello World" PE file down to 620 bytes using regular tooling without handcrafting it. Could probably get it a little bit smaller by swapping out DLL imports for syscalls gist.github.com/MEhrn00/d77b…
I'm sorry but 1024 bytes for an x86 Hello World PE is still way too big and bloated...
Matt Ehrnschwender retweeted
Had some fun making this credential dumper BOF implementing the Silent Harvest mechanism from @haider_kabibo . Thanks to him as well as @R0h1rr1m for his SilentNimvest implementation of the research! github.com/Octoberfest7/Sile…
Matt Ehrnschwender retweeted
wiretap-rs is a Rust port of Wiretap, a transparent, VPN-like proxy server that tunnels traffic via WireGuard and requires no special privileges to run. github.com/0xTriboulet/wiret…
Oh... well that's not good
Mar 31
🚨 CRITICAL: Active supply chain attack on axios -- one of npm's most depended-on packages. The latest axios@1.14.1 now pulls in plain-crypto-js@4.2.1, a package that did not exist before today. This is a live compromise. This is textbook supply chain installer malware. axios has 100M weekly downloads. Every npm install pulling the latest version is potentially compromised right now. Socket AI analysis confirms this is malware. plain-crypto-js is an obfuscated dropper/loader that:
• Deobfuscates embedded payloads and operational strings at runtime
• Dynamically loads fs, os, and execSync to evade static analysis
• Executes decoded shell commands
• Stages and copies payload files into OS temp and Windows ProgramData directories
• Deletes and renames artifacts post-execution to destroy forensic evidence
If you use axios, pin your version immediately and audit your lockfiles. Do not upgrade.
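An added example to go with the "pin your version and audit your lockfiles" advice in the post above. This Node script was written for this page; it is not from the tweet, from Socket, or from the axios project. It walks a package-lock.json (lockfileVersion 2 or 3, the "packages" map), reports every installed version of a named package, whether the root package.json pins it to an exact version, and any dependency the package now declares that is not in a baseline you recorded from a lockfile you trusted. The embedded lockfile and the baseline set are constructed for the demo and mirror the scenario the tweet describes; they are not captured files.

```javascript
// Constructed sample of a package-lock.json (lockfileVersion 3) shaped like the
// scenario in the tweet: axios pulling in a new transitive dependency.
// Not a real capture; assumption for the demo only.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { axios: "^1.14.1" } }, // caret range: not pinned
    "node_modules/axios": {
      version: "1.14.1",
      resolved: "https://registry.npmjs.org/axios/-/axios-1.14.1.tgz",
      dependencies: { "follow-redirects": "^1.15.6", "plain-crypto-js": "^4.2.1" },
    },
    "node_modules/follow-redirects": { version: "1.15.6" },
    "node_modules/plain-crypto-js": {
      version: "4.2.1",
      resolved: "https://registry.npmjs.org/plain-crypto-js/-/plain-crypto-js-4.2.1.tgz",
    },
  },
};

// Baseline: the dependencies you expect the package to declare, taken from a
// lockfile you trusted earlier. Assumed for the demo (axios 1.x's declared deps).
const AXIOS_BASELINE_DEPS = new Set(["follow-redirects", "form-data", "proxy-from-env"]);

// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
function packageNameFromKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// True only for an exact semver (with optional prerelease), no range operators.
function isExactVersion(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Audit one package: every installed copy, whether the root pins it, and any
// declared dependency that is not in the baseline (the supply-chain signal).
function auditLockfile(lock, pkgName, baselineDeps) {
  const findings = { installed: [], pinned: false, unexpectedDeps: [] };
  const packages = lock.packages || {};
  const rootSpec = (packages[""]?.dependencies || {})[pkgName];
  findings.pinned = rootSpec !== undefined && isExactVersion(rootSpec);
  for (const [key, entry] of Object.entries(packages)) {
    if (packageNameFromKey(key) !== pkgName) continue;
    findings.installed.push(entry.version);
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (!baselineDeps.has(dep)) findings.unexpectedDeps.push(dep);
    }
  }
  return findings;
}

// Stand-alone use: `node audit-lock.js ./package-lock.json`; with no argument
// the embedded sample is audited.
if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath
    ? JSON.parse(require("node:fs").readFileSync(lockPath, "utf8"))
    : SAMPLE_LOCK;
  console.log(JSON.stringify(auditLockfile(lock, "axios", AXIOS_BASELINE_DEPS), null, 2));
}
```

A non-empty unexpectedDeps is the thing to act on: compare the entry against the registry and the package's repository history before trusting the install, and a false pinned is the reason a `^` range can move you onto a bad release without any change in your own repo.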
I keep on forgetting how much of a joke C development is on Windows. They want to use wide strings for everything but can't even write a 'wprintf' function that works correctly. glibc on Linux and MinGW's ANSI stdio are right but ucrt is just broken
And the '%hs', '%Ts' modifiers are not even a real thing. This should work as is but MSVC is suggesting non-standard format specifiers that are not even needed...
The notepad vulnerability reminds me of this post on how you can embed file:// URIs in OSC8 escape sequences x.com/taviso/status/19456503…. Attempting to use procmon from sysinternals does not work though
Anyone else seeing that this hasn't been patched yet? Same for [clickme](file://live.sysinternals.com\tools\procmon.exe). Notepad.exe still at version 11.2510.14.0 for me.
s/through/though
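An added example, not from the thread above or from the linked post: a scanner for OSC 8 terminal hyperlinks, the escape sequence the tweet refers to. It builds a link, extracts every URI from a string (handling both the ESC \ and BEL string terminators), flags any URI whose scheme is not http(s), which is what a file:// target would trip, and strips the sequences so only the visible text survives. The sample output line is constructed for the demo; the link target reuses the sysinternals path the tweet shows.

```javascript
// OSC 8 hyperlink:  ESC ] 8 ; <params> ; <URI> ST <text> ESC ] 8 ; ; ST
// ST (string terminator) is ESC \ (0x1b 0x5c) or BEL (0x07).
// Group 1 = params, group 2 = URI (empty in the closing sequence).
const OSC8_RE = /\x1b\]8;([^;\x07\x1b]*);([^\x07\x1b]*)(?:\x1b\\|\x07)/g;

// Build a link whose visible text can say anything while pointing elsewhere.
function makeOsc8Link(uri, text, params = "") {
  return `\x1b]8;${params};${uri}\x1b\\${text}\x1b]8;;\x1b\\`;
}

// Every URI opened by an OSC 8 sequence in s, in order.
function extractOsc8Uris(s) {
  const uris = [];
  for (const m of s.matchAll(OSC8_RE)) {
    if (m[2] !== "") uris.push(m[2]);
  }
  return uris;
}

// URIs whose scheme is outside the allow-list, or that do not parse at all.
// file:// (and anything the terminal hands to a shell opener) ends up here.
function flagDangerousUris(uris, allowedSchemes = ["http:", "https:"]) {
  return uris.filter((u) => {
    try {
      return !allowedSchemes.includes(new URL(u).protocol);
    } catch {
      return true; // unparseable: treat as hostile rather than silently allow
    }
  });
}

// Remove the escape sequences, keeping only what the user would see.
function stripOsc8(s) {
  return s.replace(OSC8_RE, "");
}

// Constructed sample line: the visible word "clickme" hides a file:// target.
const SAMPLE_LINE =
  "See " +
  makeOsc8Link("file://live.sysinternals.com\\tools\\procmon.exe", "clickme") +
  " and " +
  makeOsc8Link("https://example.com/", "docs");

if (typeof require !== "undefined" && require.main === module) {
  const uris = extractOsc8Uris(SAMPLE_LINE);
  console.log("uris:", uris);
  console.log("flagged:", flagDangerousUris(uris));
  console.log("visible text:", JSON.stringify(stripOsc8(SAMPLE_LINE)));
}
```

Feed untrusted output (tool logs, CTF services, anything pasted into a terminal) through stripOsc8 before displaying it, or at least through flagDangerousUris before anyone is asked to click; the visible text is not evidence of where the link goes.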
This is one of the nice things I am aiming for with boflink. Removing the BOF specifics from the source code (DFR, restricted to a single TU) makes the code cleaner and allows access to higher level features like alloc::Vec and external libraries
Yet another sick contribution from one of the most cracked devs I have the privilege of knowing github.com/joaoviictorti/rus…
Still have a lot of things to clean up and many other features to add but the core parts of it are there
Matt Ehrnschwender retweeted
I'm really proud of what Shane and I did here. I'm biased, but from the results I've seen, this is a hugely scalable way to improve offsec models. It took a ton of engineering work to get it working, but the results speak for themselves.
We fine-tuned an 8B model to pop a GOAD domain…using only synthetic training data. No real networks. No frontier model distillation. Just a world model that simulates AD environments and generates realistic pentesting trajectories. See how @shncldwll and @0xdab0 did it: dreadnode.io/blog/worlds-a-s…
Matt Ehrnschwender retweeted
Feb 3
Bypassing Kernel32.dll for Fun and Nonprofit ziglang.org/devlog/2026/#202…
Matt Ehrnschwender retweeted
May I present to you; a full copy of doom, running inside of a Rollercoaster Tycoon 1 save game exploit ✨ Thanks for everyone that came to check out our @DistrictCon Junkyard talk! We had a lot of fun putting it together. (check the thread for slides / exploit)
Matt Ehrnschwender retweeted
AI-slopped a functional C2 for an app's Lua plugin (no stdlib Lua) in about 24hrs~ had to use the app-specific network libs provided to accomplish a transport. Functions: change sleep, run more Lua in mem, module output, exit/uninstall - most of what u need on a longhaul persist
Pushed up a few small fixes for boflink. Currently working on some other improvements which should make writing BOFs in higher level languages like C /Rust/Zig a lot more feasible without needing to add various different compiler/source code tricks github.com/MEhrn00/boflink/r…
Matt Ehrnschwender retweeted
25 Dec 2025
if anyone is too lazy to learn to use @M_alphaaa 's boflink and doesn't want to fight MSVC to stop using funny sections in your bofs, here's a drop-in replacement for the TrustedSec BOF template that uses boflink (standalone) in the makefile github.com/CodeXTF2/bof_temp…
Matt Ehrnschwender retweeted
stop using ubuntu 24.04 to host your kernel pwn challenges lmao kqx.io/post/qemu-nday/
Matt Ehrnschwender retweeted
3 Dec 2025
HEY EVERYONE. THE BLOG POST IS OUT. I put an LLM in an AMSI provider and some cool stuff came out. Really excited to finally have this released.
3 Dec 2025
"Offense and defense aren't peers. Defense is offense's child." - @JohnLaTwC We built an LLM-powered AMSI provider and paired it against a red team agent. Then, @0xdab0 wrote a blog about it: dreadnode.io/blog/llm-powere… A few observations from the experiment:
>>> To advance, we must generate unique, ground-truth datasets.
>>> Defenses will need to live at the edge.
>>> The real potential lies in the interaction between red and blue.
>>> This is a blueprint for generative adversarial reinforcement learning.