oh COM on… hijacked AGAIN? 😅 Component Object Model (COM) is a Microsoft binary interface standard that lets software components talk to each other regardless of what language they were written in. And that interoperability? Attackers love it. Dahvid Schloss breaks down how COMDL32 can be weaponized to execute code and honestly, it's a must-watch if you're serious about understanding post-exploitation techniques. Want to go deeper? Check out this Windows Malware Development course: justhacking.com/course/wmd-6… #Malware #Hacking #MalwareDevelopment #CyberSecurity #Programming

Weaponizing Windows Drivers: A Hacker's Guide for Beginners - mechanics of Bring Your Own Vulnerable Driver (BYOVD) attacks. A post by @SecurityJoes Source: blog.securityjoes.com/post/w… #maldev #malwaredevelopment #redteam #blueteam

LdrShuffle - stealthy code execution, by Hugo Valette (@RWXstoned) It temporarily overwrites the EntryPoint of loaded DLL modules within the Windows PEB. When OS automatically invokes the modified module's EP, execution is successfully redirected to a payload of choice. Source: github.com/RWXstoned/LdrShuf… #maldev #malwaredevelopment #redteam #blueteam

Intercept Windows Named Pipes comms with HTTP proxy. pipe-intercept - a tool by Gabriel Sztejnworcel (@sztejnworcel) Source: github.com/gabriel-sztejnwor… #redteam #blueteam #maldev #malwaredevelopment

Bring Your Own Trusted Binary (BYOTB). Tools, tunnels and trusts, a post by David Kennedy (@JUMPSEC) Source: labs.jumpsec.com/bring-your-… #redteam #blueteam #maldev #malwaredevelopment

Most Python tutorials teach you to build things. This playlist teaches you how those things get weaponized. Encoder stubs. Ransomware. Nuitka-obfuscated stealers. AV bypass. All in Python. All explained at the code level. 🎥 Python for Offensive Security playlist: youtube.com/playlist?list=PL… #PythonMalware #Obfuscation #MalwareDevelopment #RedTeam #CyberSecurity #EthicalHacking #SuitUpAndHack

DarkGate - a modular persistent malware with evasion and creds collection capabilities. A post by Sapir Twig. Source: medium.com/@sapirtwig/inside… #redteam #blueteam #maldev #malwaredevelopment

Dumping the Linux Keyring from the Kernel. Process injection (ptrace) into sssd/sshd is loud. Modern EDRs catch it instantly but like Symbiote malware tried user-space LD_PRELOAD evasion so I went the opposite route. Built a fileless CO-RE eBPF implant: - Hooks sys_enter_add_key - Masquerades as a benign kworker thread - Intercepts LUKS/Kerberos secrets in transit (PoC below) - Smuggles AES-256 encrypted payloads via HTTPS C2 Zero disk I/O. Invisible to user-space telemetry. h/t Eloy (zer1t0) & @Nightbanes for the foundational ptrace research. #eBPF #RedTeam #Linux #MalwareDevelopment

Dynamic Shellcode Loader for Windows x64 AsmLdr - a tool by Abdallah Mohamed (@0xNinjaCyclone) Source: github.com/0xNinjaCyclone/As… #redteam #blueteam #maldev #malwaredevelopment

Building a kernel driver to play with AV. A post by Sender (@cerbersec ) and Jonas Bauters. Source: blog.nviso.eu/2021/10/21/ker… #redteam #blueteam #maldev #malwaredevelopment

A fun architectural puzzle from the lab this week involving kernel-level EDR evasion and the Windows Service Control Manager (SCM).  During a recent simulated engagement, we deployed a custom BYOVD (Bring Your Own Vulnerable Driver) module to achieve Ring 0 execution and neutralize a notoriously aggressive NGAV/EPP stack. The driver successfully bypassed PPL (Protected Process Light) and violently terminated the AV’s core user-mode processes in memory. The payload then attempted to blind the SCM by zeroing out the service’s FailureActions (to prevent an automatic respawn). However, the API calls failed with ERROR_ACCESS_DENIED. Why? The AV vendor had applied a restrictive Discretionary Access Control List (DACL) directly to the SCM object, denying SERVICE_CHANGE_CONFIG even to NT AUTHORITY\SYSTEM. "No problem," we thought. "... We'll bypass the SCM and hit the registry directly." We instructed the payload to write to HKLM\SYSTEM\CurrentControlSet\Services\... to change the Start type to Disabled. (Access Denied. Again) .. It turns out, even though the user-mode AV processes were dead, the vendor’s kernel driver had survived. It had installed a kernel-mode registry callback (CmRegisterCallbackEx) that intercepted and blocked any KEY_SET_VALUE attempts to its protected hive. So, how do you permanently kill a service when the kernel locks the configuration and the SCM is programmed to resurrect it? You use the SCM's own rules against it.  We audited the SCM configuration and found the AV only had two configured RESTART actions with a 5000ms delay. If  a process dies three times, the SCM exhausts its recovery quota and gives up forever. We modified our payload to act as a continuous Ring 0 watchdog for a fixed 30-second window. It waited for the SCM to resurrect the AV, brutally terminated it, waited for the second resurrection, and terminated it again. Quota exhausted. The AV stayed permanently dead, without us ever needing to fight the kernel registry callbacks. Sometimes, the best way to defeat a highly protected defensive mechanism isn't to break its locks, it's to patiently exhaust its recovery logic. Always test your assumptions in the lab. The gap between theory and execution is where the real engineering happens. #RedTeaming #OffensiveSecurity #WindowsInternals #MalwareDevelopment #BYOVD #CyberSecurity #ThreatSimulation #EDREvasion

Coercing Windows - a collection of relay attacks with valid AD account. A post by @RedTeamPT Source: blog.redteam-pentesting.de/2… #redteam #blueteam #maldev #malwaredevelopment

Taming the Windows Module Loading for Stealthy Injection. A talk by Hugo Valette (@RWXstoned) from last year's @x33fcon. Source: youtube.com/watch?v=OQGhZ38A… #redteam #blueteam #maldev #malwaredevelopment.

From Windows driver to custom EDR. A journey through building own EDR-like solution with a historical perspective - a post by Aurélien Chalot (@Defte_). Source: blog.whiteflag.io/blog/from-… #redteam #blueteam #maldev #malwaredevelopment

Compile-time C obfuscator. Macro-header for obfuscating C code at time of compilation, targeting TCC on Windows x86/x64, a tool by DosX-dev Source: github.com/DosX-dev/obfus.h #redteam #blueteam #maldev #malwaredevelopment

NativeDump Minidumps using native API only to dump LSASS memory, a tool by Ricardo Ruiz (@RicardoJoseRF ) Source: github.com/ricardojoserf/Nat… #redteam #blueteam #maldev #malwaredevelopment

Silencing the EDR Silencers Analysis of techniques to disable or silence EDR agents and some countermeasures, a post by Jonathan Johnson (@JonnyJohnson_ ) Source: huntress.com/blog/silencing-… #redteam #blueteam #maldev #malwaredevelopment

Wyrm for Red Teams A Rust-based post exploitation, open source, Red Team security testing framework, by @0xfluxsec Source: docs.wyrm-c2.com/ #redteam #blueteam #maldev #malwaredevelopment

Remote EDR Discovery. Methods for detecting remote EDR deployments without local agent presence, a post by Jonathan Johnson (@JonnyJohnson_ ) Source: jonny-johnson.medium.com/no-… #redteam #blueteam #maldev #malwaredevelopment

Wallpaper cycler as malware cover: DLL XOR-split across 3 BMP RGB channels, reflectively loaded. Shellcode then delivered through the wallpaper requests themselves. Architecture was a headache, kinda, but yeah at least I got calc to popup. #infosec #malwaredevelopment #redteam