Director of DE&TH @HuntressLabs and custodian of secret histories. Posts are my own.

Joined October 2014
Devon Kerr retweeted
Start tracking unusual client ID, principal, and ASN combinations for sign-in events. We’ve noticed repeated ASNs for Tycoon and Kali365 as well. Some popular ones we saw from Tycoon ops. #phishing elastic.github.io/detection-…
Devon Kerr retweeted
It works! Detection coverage for RoguePlanet - LPE via Windows Defender vulnerability github.com/MSNightmare/Rogue…
Devon Kerr retweeted
Thanks @msftsecresponse for recognizing our work on Kerberos 💪 @exploitph was left out of the acknowledgments, but I’m sure we’ll get that fixed! msrc.microsoft.com/update-gu… msrc.microsoft.com/update-gu…
Devon Kerr retweeted
This is how researchers should operate. Better offensive security makes better defensive security and vice versa. Iron sharpens iron.
EDRUnChoker 😀 registers a permanent WMI subscription with a 5-second timer that runs embedded VBScript (fileless) that deletes malicious MSFT_NetQosPolicySettingData policies targeting known security products or aggressive app-path throttles. github.com/sbousseaden/EDRUn…
My chats swell with chits this morning, and there’s a lot of D in my Ms— maybe that’s a reflection on the state of the industry, or my networks, or both.
Hi, I’m hiring a Director of Detection Engineering and Threat Hunting. It’s my role, so if your work history is like mine you might be a good candidate. Read more: job-boards.greenhouse.io/hun…
I have two absolutely non-negotiable requirements for this hire:
- led enterprise detection engineering with experience in data-constrained environments
- demonstrated ability to cultivate high-performing teams
Hit me up, come prepared.
Devon Kerr retweeted
PHANTOMPULSE routes C2 through Ethereum/Base/Optimism transaction inputs. The blockchain resolver has zero sender verification. That means one transaction from a defender overrides the C2 URL for every active implant simultaneously. @soolidsnakee reverse-engineered the full implant: three injection techniques, a shared HWBP primitive that kills AMSI/WLDP/ETW in a single handler, and a 580c XOR signature you can use to hunt sibling wallets right now. go.es.io/43Puuep
This capability works crazy well when applied to deployed malware and data theft operations, EDR vendors. Wink wink nudge nudge.
New #redteam tool for blocking EDRs: EDRChoker. Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events. #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker
I have this thing where I remember like…every experience. This is a super power, except when you’re at your wife’s 20 year college reunion and you perfectly remember dozens of people who have no idea who you are.
In that case it’s like a weapon that imposes midlife crises.
Upside: sometimes it’s very useful to be forgettable.
A regime-change service, we’ll call it OnlyFranz.
I feel like someone should study thrifting behavior as a subliminal expression of hunting/gathering species-memory and the perceived status of the individual.
Devon Kerr retweeted
Going to leave this for anyone who needs it (everyone) learn.microsoft.com/en-us/en… Please take the time to block device code authentication in your environments. It'll instantly combat Device Code Phishing attacks. It's also advice given by the FBI and MS. ic3.gov/PSA/2026/PSA260521
Devon Kerr retweeted
Round two! Yesterday was one report, here’s another: an unpatched NTLM coercion via the Windows Search (search-ms://) URI handler. Same questions about how it got handled. It’s all in the writeup, timeline included. huntress.com/blog/unpatched-…