Network boogeyman

Joined June 2014
Pinned Tweet
My @x33fcon talk has been published! youtube.com/watch?v=_TEnBLt2… If you prefer reading, here's the blog post: naksyn.com/edr evasion/202… Thanks to all the hard-working x33fcon organizers for such an awesome conference, definitely my best conf experience to date.
Injection techniques and Python malware by @naksyn at @x33fcon 🔥 youtube.com/watch?v=_TEnBLt2…
Diego Capriotti retweeted
18 Jun 2025
Wrapped up Stanford CS336 (Language Models from Scratch), taught with an amazing team @tatsu_hashimoto @marcelroed @neilbband @rckpudi. Researchers are becoming detached from the technical details of how LMs work. In CS336, we try to fix that by having students build everything:
Diego Capriotti retweeted
MS research on AI Impact on Critical Thinking… the results will shock you! microsoft.com/en-us/research…

This has been one of my favorites for a while, but now it's time to let it go. Here's my preferred way of getting the KeePass db that we often hunt for: downgrade the executable to version 2.53, use CVE-2023-24055 and wait for the busy admin to trigger the dump of the database. The target can remain clean and you can simply check for the dump creation. KeePass version 2.53 can still open kdbx files created with version 2.57 and, with a proper xml, the user will likely notice nothing. Update alerts can also be disabled within the xml. gist.github.com/naksyn/6d566…
Recently, I wanted to quickly test some sleep obfuscation ideas against @jdu2600's EtwTi-FluctuationMonitor using Beacon, without dealing with UDRL debugging. At the end of the journey, I ended up with:
- A way to generate and load, via a PE loader, a UDRL-less Beacon payload.
- A generic PE loader to hook Sleep and quickly prototype evasion ideas.
- Two different (though not necessarily novel) sleep obfuscation techniques, which allowed me to evade EtwTi-FluctuationMonitor and other scanners. I dubbed these techniques MemoryBouncing and MemoryHopping. They both involve moving to another area of memory at every sleep and/or freeing the PE memory.
Here’s the blog post: naksyn.com/cobalt strike/2…
And the PE loader used, dubbed DojoLoader: github.com/naksyn/DojoLoader
In his BH Asia presentation, @jdu2600 gave some hints on how the RX->RW detection could be bypassed. It sounded fun to test, and it was indeed a fascinating challenge for me. A huge thanks to him and his tools for sparking my curiosity.

The grind is real... it took me more than 7 months to climb from 1200 to 1300 in blitz chess. Let's knock on the 1400 ELO monsters' door now ♟️
One thing I always look for when starting in a network without AD creds is user enumeration with RPC null sessions. impacket's SAMR (samrdump) and LSARPC (lookupsid) tools will give you only a small part of the story. Here's my minimal RID cycling script gist.github.com/naksyn/8204c… that outplayed everything else, enabling me to find some crackable, ASREP-roastable DA accounts hiding with RID > 50000 that other tools were unable to find. I am using chunks to avoid DoS and getting NT_STATUS_INSUFFICIENT_RESOURCES; ofc you can tweak it according to your YOLO level. There will be a new RPC connection for every chunk, which is a bit better than cycling with rpcclient and starting an RPC connection from scratch every time. However, RID cycling with rpcclient will generate a ton of STATUS_NO_SUCH_USER responses that are sus, if someone is looking and knows what to look for ofc.
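The chunked, reconnect-per-chunk RID cycling described in the post, written out as an added example (this is not the gist linked above). It assumes impacket is installed, that the target exposes \pipe\lsarpc to a null session (credentials are optional flags), and that the chunk size and RID range defaults are arbitrary knobs for you to tune. For comparison, impacket's lookupsid.py stops at RID 4000 unless -maxRid is raised, which is one reason accounts above 50000 go unseen. The pure helpers (rid_chunks, parse_lookup) have no impacket dependency; the network functions import it lazily, and each chunk gets its own SMB/LSARPC connection that is torn down afterwards.

```python
"""Chunked RID cycling over LSARPC LookupSids.

Added example, not the gist from the post. Assumptions: impacket is installed,
the target accepts a null session on \\pipe\\lsarpc (or you pass creds), and
--chunk / --max-rid are tunables you pick for your own 'YOLO level'.
"""
import argparse
from typing import Iterator

# SID_NAME_USE values from MS-LSAT; 8 (SidTypeUnknown) means the RID is unassigned.
SID_TYPE_NAMES = {1: "User", 2: "Group", 3: "Domain", 4: "Alias", 5: "WellKnownGroup",
                  6: "DeletedAccount", 7: "Invalid", 8: "Unknown", 9: "Computer"}
SID_TYPE_UNKNOWN = 8


def rid_chunks(start: int, stop: int, size: int) -> Iterator[range]:
    """Split [start, stop) into consecutive ranges of at most `size` RIDs.

    Keeping each LookupSids request small is what avoids the server answering
    NT_STATUS_INSUFFICIENT_RESOURCES (or falling over) on oversized chunks."""
    if size <= 0:
        raise ValueError("chunk size must be positive")
    for a in range(start, stop, size):
        yield range(a, min(a + size, stop))


def parse_lookup(rids: range, resp) -> list:
    """Turn an LsarLookupSids response (or the partial packet attached to a
    STATUS_SOME_NOT_MAPPED error) into (rid, domain, name, type) tuples,
    dropping RIDs the server could not map."""
    names = resp["TranslatedNames"]["Names"]
    domains = resp["ReferencedDomains"]["Domains"]
    hits = []
    for rid, item in zip(rids, names):
        use = int(item["Use"])
        if use == SID_TYPE_UNKNOWN:
            continue  # DomainIndex is -1 here, so skip before indexing
        domain = str(domains[item["DomainIndex"]]["Name"])
        hits.append((rid, domain, str(item["Name"]), SID_TYPE_NAMES.get(use, str(use))))
    return hits


def _connect(target: str, username: str, password: str, domain: str):
    """Fresh SMB session + LSARPC bind + policy handle. Called once per chunk on purpose."""
    from impacket.dcerpc.v5 import transport, lsad, lsat
    from impacket.dcerpc.v5.dtypes import MAXIMUM_ALLOWED

    rpctransport = transport.DCERPCTransportFactory(r"ncacn_np:%s[\pipe\lsarpc]" % target)
    rpctransport.set_credentials(username, password, domain)  # empty strings = null session
    dce = rpctransport.get_dce_rpc()
    dce.connect()
    dce.bind(lsat.MSRPC_UUID_LSAT)
    policy = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)["PolicyHandle"]
    return dce, policy


def domain_sid(target: str, username: str = "", password: str = "", domain: str = "") -> str:
    """Ask the LSA policy for the account domain SID; the base every RID hangs off."""
    from impacket.dcerpc.v5 import lsad

    dce, policy = _connect(target, username, password, domain)
    try:
        info = lsad.hLsarQueryInformationPolicy2(
            dce, policy, lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)
        return info["PolicyInformation"]["PolicyAccountDomainInfo"]["DomainSid"].formatCanonical()
    finally:
        dce.disconnect()


def lookup_chunk(target: str, sid: str, rids: range,
                 username: str = "", password: str = "", domain: str = "") -> list:
    """Resolve one chunk of RIDs on its own connection; returns parse_lookup() hits."""
    from impacket.dcerpc.v5 import lsat
    from impacket.dcerpc.v5.rpcrt import DCERPCException

    dce, policy = _connect(target, username, password, domain)
    try:
        sids = ["%s-%d" % (sid, rid) for rid in rids]
        try:
            resp = lsat.hLsarLookupSids(dce, policy, sids, lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
        except DCERPCException as e:
            if "STATUS_NONE_MAPPED" in str(e):      # nothing in this chunk exists
                return []
            if "STATUS_SOME_NOT_MAPPED" in str(e):  # partial result rides on the error
                resp = e.get_packet()
            else:
                raise  # e.g. NT_STATUS_INSUFFICIENT_RESOURCES: lower --chunk and retry
        return parse_lookup(rids, resp)
    finally:
        dce.disconnect()


def main():
    ap = argparse.ArgumentParser(description="chunked RID cycling via LSARPC (null session by default)")
    ap.add_argument("target")
    ap.add_argument("--min-rid", type=int, default=500)
    ap.add_argument("--max-rid", type=int, default=60000, help="go past 50000; that is where the post found DAs")
    ap.add_argument("--chunk", type=int, default=1000)
    ap.add_argument("-u", "--username", default="")
    ap.add_argument("-p", "--password", default="")
    ap.add_argument("-d", "--domain", default="")
    args = ap.parse_args()

    sid = domain_sid(args.target, args.username, args.password, args.domain)
    print("[*] domain SID %s" % sid)
    for rids in rid_chunks(args.min_rid, args.max_rid + 1, args.chunk):
        for rid, dom, name, kind in lookup_chunk(args.target, sid, rids,
                                                 args.username, args.password, args.domain):
            print("%d: %s\\%s (%s)" % (rid, dom, name, kind))


if __name__ == "__main__":
    main()
```

Usage: `python rid_cycle.py dc01.corp.local --max-rid 70000 --chunk 500`. Every chunk that resolves nothing still costs one LookupSids call that the DC can log, so a smaller chunk is quieter per request but noisier overall; pick the size with that trade-off in mind.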
Sad day especially for millennials. RIP Sensei
THANK YOU #AkiraToriyama 🙏🏻🫡🕊️
Here's a new project and some Pyramid features: Embedder lets you create small (Go | Nim | C# | C) executables that load the Python interpreter to execute Python code using the embedding functionality. github.com/naksyn/Embedder Embedder can be easily paired with Pyramid, which now has a more OPSEC-friendly Pythonmemorymodule with full in-memory import and the whole download chain using the WinINet API, to reduce imports to the minimum and smile at those pesky NTLM proxies along the way. Pyramid updates are on the dev branch; I plan to merge to main soon. Here's a video that shows a 13 kB C# Embedder assembly bootstrapping Pyramid to execute mimikatz. Who needs python.exe when you can bring Python to the world? 🌍
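A stripped-down illustration of the "full in-memory import" idea mentioned in the Pyramid post, added here as an example; it is not Pyramid's code and the module bundle it loads is constructed for the demo. It assumes nothing beyond the standard library: a zip archive is built in memory, and a meta-path finder serves packages and modules straight from those bytes, so no .py file touches disk. The WinINet download chain the post mentions is out of scope; the bytes would simply come from that fetch instead of build_demo_archive().

```python
"""In-memory Python import from a zip held as bytes.

Added illustration (not Pyramid's code): a meta-path finder that serves
modules from a zip archive living in memory, so nothing is written to disk.
The archive content in build_demo_archive() is constructed for the demo.
"""
import importlib
import importlib.abc
import importlib.util
import io
import sys
import zipfile


class InMemoryZipImporter(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Finder + loader for modules stored as .py files inside zip bytes."""

    def __init__(self, zip_bytes: bytes):
        self.zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
        self.entries = set(self.zf.namelist())

    def _locate(self, fullname: str):
        """Map 'pkg.mod' to 'pkg/mod/__init__.py' (package) or 'pkg/mod.py' (module)."""
        base = fullname.replace(".", "/")
        if base + "/__init__.py" in self.entries:
            return base + "/__init__.py", True
        if base + ".py" in self.entries:
            return base + ".py", False
        return None, False

    # MetaPathFinder side: the import system asks every finder on sys.meta_path in order.
    def find_spec(self, fullname, path=None, target=None):
        entry, is_pkg = self._locate(fullname)
        if entry is None:
            return None  # not ours; the next finder gets a turn
        return importlib.util.spec_from_loader(
            fullname, self, origin="memory:" + entry, is_package=is_pkg)

    # Loader side: compile the source straight from the archive bytes and run it
    # inside the module namespace the import system already created for us.
    def create_module(self, spec):
        return None  # default module object is fine

    def exec_module(self, module):
        entry, _ = self._locate(module.__name__)
        source = self.zf.read(entry).decode("utf-8")
        code = compile(source, "memory:" + entry, "exec")
        exec(code, module.__dict__)


def build_demo_archive() -> bytes:
    """Constructed two-file package standing in for a fetched module bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload/__init__.py", "VERSION = '0.1'\n")
        zf.writestr("payload/tools.py",
                    "from . import VERSION\n"
                    "def banner():\n"
                    "    return 'payload ' + VERSION\n")
    return buf.getvalue()


def import_from_memory(zip_bytes: bytes, name: str):
    """Install the finder with top priority and import `name` through it.

    The finder stays on sys.meta_path so later submodule imports resolve too."""
    importer = InMemoryZipImporter(zip_bytes)
    sys.meta_path.insert(0, importer)
    return importlib.import_module(name)


if __name__ == "__main__":
    tools = import_from_memory(build_demo_archive(), "payload.tools")
    print(tools.banner(), "loaded from", tools.__spec__.origin)
```

The relative import inside payload/tools.py works because spec_from_loader(..., is_package=True) gives the package an empty __path__ and sets __package__ on its children; that is the detail most hand-rolled in-memory importers miss.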
who needs python.exe? 😈
Nothing special, just a 30 Mb .NET assembly to run secretsdump[.]py from memory with pythonnet and @naksyn’s so hot Pyramid 🔥🐍
Check out this amazing research pushed by my friend Petar. I'm so happy to see him killing it like this 👊👊👊
My first research and tool are finally out. If you want to deep dive into some CLR internals and understand how we can abuse it to blend in within its own logic, go check it out. Hope you'll enjoy the read. ipslav.github.io/2023-12-12-…
Diego Capriotti retweeted
7 Nov 2023
It's a bittersweet moment, but our series of "Attacking an EDR" has come to an end! @dottor_morte and I hope that you had as much fun reading it as we had writing it. her0ness.github.io/2023-11-0…
Diego Capriotti retweeted
6 Oct 2023
LatLoader is a PoC Havoc module that performs lateral movement via DLL sideloading while evading default Elastic EDR rules. Making it was a great learning exercise, and I'm hoping others can learn from it too. Enjoy! ✌️ github.com/icyguider/LatLoad…
I'm gonna celebrate my 1200 rating at blitz chess tonight 🎉🎉🎉
Diego Capriotti retweeted
18 Aug 2023
I just got fired from my job today without warning. 😬 Really crazy. Anyway... If anyone is looking for a pentester, red teamer, or likes my public work, please don't hesitate to reach out. Thanks in advance everyone. 😔