CoFounder & CTO at @AirlockDigital. Practical Execution Control & Allowlisting.

Joined June 2009
That's a new one.
Looking forward to presenting at the AUSCert conference tomorrow on the Gold Coast main stage. Putting together a high level talk about denying attackers moves to win the game in-line with the conference theme has been fun.
Daniel Schell retweeted
#JDOWNLOADER compromised installers One dev answers questions and provides updates 👍, and shared compromised installers #happyhunting #threathunt ↘️ reddit.com/r/jdownloader/com…
Daniel Schell retweeted
They made everyone upgrade to TPM 2.0 compatible hardware for this
Microsoft Edge loads all your saved passwords into memory in cleartext — even when you’re not using them.
No detections on this one pretending to be mstsc.exe and signed by "Tencent Technology (Shenzhen)". virustotal.com/gui/file/8bfb…

I've put up a blog on the DigiCert incident as well as the Microsoft definition false positive. This includes some analysis and VT links to samples that have actually been signed by the compromised certificates. airlockdigital.com/airlock-b…
Does anyone know what source of malware samples for the path D:\auto_black_abuse is to VT? Is this a vendor sample share feed?
Daniel Schell retweeted
Apr 30
why is she inside of an InstallShield installer
Ambassador Gingrich is pleased to lead the delegation from Switzerland and Liechtenstein to the SelectUSA Investment Summit, May 3-6, in National Harbor, Maryland. Apply now: ow.ly/s4E950YOvTo
Signature-based control breaks down with agentic AI. Block one path → it tries another. Different method. Same outcome. That’s why control needs to be on the endpoint - and focus on capability AND execution. My blog (with videos) here: airlockdigital.com/airlock-b…
Video showing how @AirlockDigital prevents TTPs such as the DLL search order used to load an attacker controlled DLL into a trusted application from the compromised CPU-Z website last week. airlockdigital.com/airlock-b…
Yeah okay, that's pretty wild. The attackers only replaced the zip downloads on the site. At first look the included executables are signed, but the malware is the additional CRYPTBASE.dll which would be side-loaded on app startup
CPUID via winget is still legitimate but assuming the attackers control the site they could replace the binary anytime.
Daniel Schell retweeted
We have two choices: We can broadly adopt app control, or we can continue to get our asses kicked. If we keep persisting in choosing the latter course, the only real question is whether the kicking will be about the same as now or whether it will get substantially worse.
Happy Saturday! Exposed attack surface on the internet has been shifting from legacy appliances and Windows boxes directly on the internet into cloud for years now (Thanks Citrix, Fortinet, MOVEit, etc). The excitement around LLMs finding vulnerabilities and the incoming apocalypse is legitimate, however directly exposed attack surface has been decreasing (Thanks App proxy, Zscaler, etc) and now you have more eyes on what was already a shrinking target. Bugs found on the cloud side have a shorter life and once identified, generally patched for everyone at once. Down the line from that you can certainly use LLMs to go after endpoint bugs in Microsoft where you generally lack source and it requires a higher level of human directed iteration, on top of dealing with EDR/AV if your target is enterprise. No doubt people can iterate faster and find more bugs, I've found a ton of these personally, but many bugs have limited to no real world impact. Configurations you won't see in the wild, code paths you can't reach without auth you don't have, features that are off by default. Overlooked in all of this is the ease with which you can reverse and dismantle security products, many of which are forced into design choices by the OS, or into exclusions to avoid drowning clients in false positives. Things like extracting the local ML models from products aren't a big leap these days. It certainly makes the case for application control being a bigger priority going forward, even if it doesn't make for a great funding pitch.
Haven't had a chance to look yet, but 🇦🇺 gov have released Azul open source. github.com/AustralianCyberSe… "Azul is a malware repository for reverse engineers, incident responders and everyone in-between"
Created a short demo showing a simulation of modern day ClickOnce Assembly sideload phishing campaigns we’re seeing targeting finance orgs in the wild. Comments showing @AirlockDigital app control on same method in comments.
With @AirlockDigital in Enforcement mode with .NET Assembly reflection protection enabled. It’s also possible to only allow ClickOnce applications by domain.
Daniel Schell retweeted
Notepad, the popular text editor used by programmers, was hacked by the Chinese government…
David and I joined RiskyBiz this week to discuss novel ClickOnce tradecraft we’re seeing targeting the finance sector, plus a wider conversation on the role of AI in application control. Check it out here: youtu.be/5fsZklyapss?t=2533