1 Jul 2023
Replying to @KlezVirus
@KlezVirus and I got a Defcon talk accepted. We will talk about stack spoofing techniques we made with our friend @trickster012 and based on research from @namazso. Hope to see you there!
waldoirc retweeted
Feb 21
Havoc Professional Finally Released! 🕸️🕷️ Since our last blog post introducing the Havoc Professional framework and the Kaine-Kit, we've been refining the framework behind the scenes while also welcoming @avx128 as a new member of our team. This blog post covers the numerous features included in the initial release of Havoc Professional. I'm excited to finally share the work my team and I have put in over the past year. This is just the beginning of what we have planned. infinitycurve.org/blog/relea…
waldoirc retweeted
Wrote a short blog post on how we pivoted from a Windows workstation to AWS on a recent engagement via IoT Greengrass. Do not worry, in the post I do not ask to "touch grass" lol :P medium.com/seercurity-spotli…
6 Oct 2025
I’ll be teaching how EDR REALLY works this Friday at BSIDES NOVA bsidesnova-2025.sessionize.c…. It’ll be a medium level course where we analyze malware and its telemetry found in EDR, then try to build hunts around it. Great for attackers and defenders. Hope to see you there!
waldoirc retweeted
This is my research project in creating read, write and allocate primitives that can be turned into an injection in order to evade certain telemetry which I presented last year in RedTreat. I hope everyone likes it \m/. trickster0.github.io/posts/P…
waldoirc retweeted
2 Mar 2025
🚀 New Blog & PoC: Abusing IDispatch for COM Object Access & PPL Injection. Leveraging STDFONT via IDispatch to inject into PPL processes & access LSASS. Inspired by James Forshaw's research! Blog: mohamed-fakroud.gitbook.io/r… 💻 Code: github.com/T3nb3w/ComDotNetE…
27 Dec 2023
Alerts will always only be as useful as the analysis that goes into them as well. If alerts get ignored or get marked as FP trivially by teams, it’s as good as the alert never having existed in truth. AV just blocks but EDR needs analysis.
waldoirc retweeted
4 Dec 2023
Quarterly reminder that Defender for Endpoint (MDE) is not EDR. MDE is a logical grouping of many protections, EDR being one of them. That is all.
waldoirc retweeted
15 May 2023
Here is a little ETW based tool to play with different IOCs by ImageLoad events. I feel like proxying Kernel32!LoadLibrary through Ntdll is a very strong IOC. :-) github.com/thefLink/Hunt-Wei…
waldoirc retweeted
29 Oct 2023
[Blogpost] EvtPsst, a small EventLog process mute tool without an OpenProcess call to the EventLog process. This blog shows how to elevate a SYNCHRONIZE handle to a full process handle with a process token of EventLog. nothingspecialforu.github.io… #redteam
waldoirc retweeted
18 Oct 2023
Just published a blog on the House of Force heap exploitation technique! Learned a ton about glibc's ptmalloc. Check it out! #HeapExploitation #vulnresearch mohamed-fakroud.gitbook.io/r…
waldoirc retweeted
Being in this class is blowing my mind! The material is amazing and the instructors are crushing it. If you're interested in attacking AI/ML, you have to check out this course!
8 Aug 2023
Students are crushing the Blackhat Machine Learning training! Gave students a cool book from @EdwardRaffML, environment was Mythic by @its_a_feature_ (AI C2 = ❤️). Tradecraft lessons from @drhyrum @ram_ssk and @NMspinach Forged by @josephtlucas @ColdwaterQ @rharang If you want the tldr… youtu.be/fpWbMp6jz0U #BlackHat2023
waldoirc retweeted
The new Token Universe v0.5 can view and edit security descriptors on 30 types of securable objects. 🔥 It also knows how to handle complex ACLs with compound and callback ACEs, mandatory and trust labels, and more. Enjoy experimenting! github.com/diversenok/TokenU…
8 Apr 2023
Daily reminder that EDR is not AV and requires manned hunters to be effective (which is why they provide hunt portals). Bypassing or using only built-in EDR alerts means you're both doing it wrong. There's a lot of telemetry here and hunting can be strong.
8 Apr 2023
I should elaborate. EDR needs manned hunters OR custom made alerts. I think everyone assumes I ONLY mean hunting. Certainly not. My point is, EDR IS NOT leave it and forget it for the most part.
waldoirc retweeted
No amount of R&D is enough in security. If you have a quick look at most TTPs you will realize that most EDRs will cover most of the most dangerous ones, but will leave lots of gaps. Good examples would be malicious browser extensions, which most EDRs don't inspect properly.
waldoirc retweeted
10 Jan 2023
About 5 years ago I started wondering if a malware C2 channel existed that embedded messages and data payloads inside the x509 cert used for the TLS handshake. I searched but never found this in the wild so this year I decided to write it myself. github.com/jconwell/secret_h…
5 Dec 2022
Everyone is playing with OpenAI for offense but it doesn't seem horrible at describing scenarios for defense either. You should probably take what it says with a grain of salt but... not bad. (And don't forget every environment is different.)
5 Dec 2022
Another:
5 Dec 2022
One more: