Elevating your user-mode debugger into a Protected Process level, by Clément Labro (@itm4n):
https://itm4n.github.io/debugging-protected-processes/
🗣SEKTOR7net
🎖@malwr
itm4n’s blog
Debugging Protected Processes
Whenever I need to debug a protected process, I usually disable the protection in the Kernel so that I can attach a User-mode debugger. This has always served me well until it sort of backfired.
Happy Friday everyone! Want a ProcMon for macOS? Ever wish you had your own Endpoint Security client you could task? Want to peer behind the macOS EDR curtain? Have a go and let us know what you think!
https://github.com/redcanaryco/mac-monitor
🗣PartyD0lphin
🎖@malwr
GitHub - redcanaryco/mac-monitor
Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, dis...
Setting Up QEMU Kernel-Mode Debugging using EXDI:
https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/setting-up-qemu-kernel-mode-debugging-using-exdi
🗣gerhart_x
🎖@malwr
Docs
Setting Up QEMU Kernel-Mode Debugging Using EXDI - Windows drivers
Debugging Tools for Windows supports debugging QEMU using EXDI. This topic describes how to setup QEMU kernel debugging using EXDI.
PatchlessCLRLoader - A fork of InlineExecute-Assembly to load .NET assembly and direct the output to mailslot https://github.com/VoldeSec/PatchlessCLRLoader #redteam
🗣netbiosX
🎖@malwr
GitHub
GitHub - VoldeSec/PatchlessCLRLoader: .NET assembly loader with patchless AMSI and ETW bypass
Discovering and #exploiting McAfee COM-objects by @Denis_Skvortcov
https://the-deniss.github.io/posts/2021/05/17/discovering-and-exploiting-mcafee-com-objects.html
🗣SinSinology
🎖@malwr
Introduction to offensive security (guide by @0xTriboulet)
https://steve-s.gitbook.io/0xtriboulet/
#offensivesecurity
🗣0xor0ne
🎖@malwr
This is an absolutely dope mindmap for attacking AD.
https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg
Source: https://github.com/Orange-Cyberdefense/ocd-mindmaps
🗣Jhaddix
🎖@malwr
A Journey of Finding #Vulnerabilities in #Drivers by @omertsarfati of @CyberArk
https://www.cyberark.com/resources/threat-research-blog/inglourious-drivers-a-journey-of-finding-vulnerabilities-in-drivers
🗣SinSinology
🎖@malwr
Frida 16.0.14 is out! 🎉 This one is all about stability improvements on Linux/Android, and brand new ARMv8 BTI interoperability:
https://frida.re/news/2023/04/18/frida-16-0-14-released/
🗣fridadotre
🎖@malwr
Frida • A world-class dynamic instrumentation toolkit
Frida 16.0.14 Released
Observe and reprogram running programs on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX
Here is an ETW-based POC to monitor for (some) direct and indirect syscalls. It should find multiple open-source implementations trying to avoid userland hooks.
https://github.com/thefLink/Hunt-Weird-Syscalls
🗣thefLinkk
🎖@malwr
GitHub
GitHub - thefLink/Hunt-Weird-Syscalls: ETW based POC to identify direct and indirect syscalls
Hey, FIRSTies! After much dedicated work, the #EthicsSIG has published their #CaseStudies to the FIRST website! Check out the encompassing document here: http://ow.ly/rG2S50NNbJt
🗣FIRSTdotOrg
🎖@malwr
FIRST — Forum of Incident Response and Security Teams
Ethics for Incident Response and Security Teams - Case Studies
c2detect: Search for c2 servers by listener outside https://github.com/michael2to3/c2-search-netlas
🗣_r_netsec
🎖@malwr
ESET researchers have discovered a new Lazarus #OperationDreamJob campaign targeting Linux users. As far as we know, this is the first public mention of this major threat actor using Linux malware as part of this operation. 🐧
https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/?utm_source=twitter&utm_medium=cpc&utm_campaign=wls&utm_term=lazarus-linux-malware
#ESETresearch #ProgressProtected #Cybersecurity
🗣ESET
🎖@malwr
Welivesecurity
Linux malware strengthens links between Lazarus and the 3CX supply-chain attack
Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack