Sec Controls: The Art of Breaking Through
#malware #evasion
The definitive red team guide to understanding and bypassing Windows security controls: Windows Defender (static + AMSI + behavioral), AppLocker, WDAC, SmartScreen, ASR Rules, Credential Guard (VBS/LSAIso), Sysmon, PPL, and a comprehensive EDR deep-dive covering kernel callbacks, ETW-TI, API hooks, BYOVD, EDRKillShifter, EDRSilencer, sleep obfuscation, call stack spoofing, process injection, and the complete EDR kill chain. Every bypass mapped to MITRE ATT&CK.
#malware #evasion
👍7👾5
Media is too big
VIEW IN TELEGRAM
🔥My new project 😁
Lor-C2 — A Custom C2 Framework
Operate. Execute. Stay focused.
Lor-C2 lets you run red team operations while enjoying Lori music.
Lor-C2 — A Custom C2 Framework
Operate. Execute. Stay focused.
Lor-C2 lets you run red team operations while enjoying Lori music.
😁10🔥7🕊2
Approaching stealers devs: a brief interview with notnullOSX (ex-0xfff)
https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-notnullosx-ex-0xfff-4ca8f1600ac0
#stealer
https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-notnullosx-ex-0xfff-4ca8f1600ac0
#stealer
👾4
Forwarded from Mirza Σλθ 🧙♂️
A Go implementation (With ELF, PE, Mach-o releases) of the original pymauistore tool for extracting assemblies from .NET MAUI 9 binary blobs such as
https://github.com/kousha1999/gomauistore
libassemblies.arm64-v8a.blob.so.https://github.com/kousha1999/gomauistore
GitHub
GitHub - kousha1999/gomauistore: A Go implementation of the original "pymauistore" tool for extracting assemblies from .NET MAUI…
A Go implementation of the original "pymauistore" tool for extracting assemblies from .NET MAUI 9 binary blobs such as libassemblies.arm64-v8a.blob.so. - kousha1999/gomauistore
👍3👎1
Good write-up on building a kernel-based EDR and understanding how Windows telemetry is actually implemented.
https://blog.whiteflag.io/blog/from-windows-drivers-to-a-almost-fully-working-edr/
Focus is on real detection primitives like:PsSetCreateProcessNotifyRoutine(Ex)for process lifecycle monitoringPsSetLoadImageNotifyRoutinefor image/DLL trackingObRegisterCallbacksfor process/thread handle filtering
kernel → user-mode communication via IOCTL + agent design
https://blog.whiteflag.io/blog/from-windows-drivers-to-a-almost-fully-working-edr/
👾2
TL;DR: Two command injection vulnerabilities exist in the Windows Explorer “Open PowerShell window here” context menu due to improper quoting and command injection through user-controlled folder paths. By creating folders with crafted names (e.g., folder; calc), an attacker can trigger arbitrary PowerShell command execution when a user uses Shift + Right-Click → Open PowerShell window here. One variant affects modern Windows 11 builds, while another existed since Windows 10 1703 (2017).
You can find the scenarios and the slides of the Insomni’hack 2026 talk in https://github.com/p0dalirius/Shift-Happens-Uncovering-to-builtin-command-injection-in-Windows-context-menus
👍2
Malware, Cats and Cryptography
2026-cocomelonc-bsideslux.pdf
Let me keep it short… use uncommon stuff for static
(here is my conference ┐( ∵ )┌)
chain things smart to get past behavior detection.