Exim 4.99.3 is out, patching CVE-2026-45185, a critical RCE found by XBOW! Check out our post linked in the reply; I'll summarize some details in this thread.
From Windows drivers to an almost fully working EDR.
TL;DR: This blog will take a look at the history of antivirus, why it relied on kernel drivers, then how to create a custom kernel driver, and finally how to turn it into an almost fully working EDR.
blog.whiteflag.io/blog/from-wind…
⚠️ A defense evasion tool called ExEngine is being sold as a service, marketed as an AV/EDR killer that disables mainstream consumer security software including Windows Defender, Malwarebytes, Bitdefender, and Avast. The tool combines AV termination with a Ring-3 rootkit, UAC bypass, and decoy payload delivery to support stealthy initial access operations.
‣ Threat Actor: ryewx1
‣ Category: Defense Evasion Tool / Killer
‣ Offering: ExEngine AV/EDR Killer
‣ Industry: Malware Tooling
The seller claims ExEngine actively terminates security software rather than only obfuscating payloads, granting attackers a longer window of undetected operation. The tool supports Windows 10 and 11 builds and is sold per-build at $150 to $250.
Advertised capabilities:
▪️ AV/EDR termination with primary and fallback techniques
▪️ UAC bypass with automatic privilege escalation
▪️ Ring-3 rootkit functionality to hide files, processes, registry keys, and network connections
▪️ Discord webhook logging for victim machine info and execution status
▪️ Secondary decoy payload (game/document/installer) to keep targets unaware
▪️ Persistence across reboots and logouts
▪️ Anti-VM and anti-debug detection with fake error message exit
▪️ Universal Windows 10/11 support, all payload types
Risk to defenders:
▪️ Active termination of consumer AV products including Windows Defender means traditional endpoint protections cannot be relied on once ExEngine executes successfully
▪️ Decoy payload pattern is designed to delay user-driven incident reporting, lengthening attacker dwell time
▪️ Ring-3 rootkit hiding of files, processes, and network connections complicates incident response triage on compromised hosts
▪️ Discord webhook telemetry indicates the operator is targeting consumer and SMB victims at scale rather than running individual targeted campaigns
▪️ Sold per-build at low cost ($150 to $250), making it accessible to low-skill operators who can pair it with commodity stealers, RATs, or loaders
🚨 Bug Bounty / Red Team Tip
CVE-2026-21643 — Critical Pre-Auth SQL Injection (CVSS 9.1) in FortiClient EMS 7.4.4 (multi-tenant mode only)
Unauthenticated attackers can inject arbitrary SQL via the Site HTTP header to the public endpoint /api/v1/init_consts (or login endpoint). This happens before authentication and hits the PostgreSQL backend with superuser-level access in many setups → full DB dump, schema extraction, or RCE (via PostgreSQL features like COPY FROM PROGRAM).
- Affected: Only FortiClient EMS 7.4.4 (multi-tenant/Sites feature enabled)
- Not affected: 7.2.x, 8.0.x, single-site deployments
- Fixed: Upgrade to 7.4.5 or later
- Status: Actively exploited in the wild + public PoCs available
Main Detail Article (Highly Recommended):
Bishop Fox deep-dive with exploitation paths, payloads (e.g., pg_sleep(5) for blind testing), and lab results →
bishopfox.com/blog/cve-2026-…
Public PoC (GitHub):
github.com/0xBlackash/CVE…
Useful Google/Shodan Dorks:
- http.title:"FortiClient EMS" "7.4.4"
- http.html:"FortiClient Enterprise Management Server"
- http.favicon.hash: -specific-hash (or search for EMS login page)
- Shodan: "Model: FCTEMS" or "FortiClient EMS"
Quick Check:
If your EMS login page is internet-facing and running 7.4.4 with multi-tenant enabled → patch ASAP or block public access. Thousands of instances are exposed (Shadowserver ~2k+, Shodan ~1k+).
High-value target for hunters. Patch or restrict immediately!
#BugBounty #RedTeam #Fortinet #CVE202621643 #SQLi
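As an added example from the defender's side (not code from the post, Fortinet or the Bishop Fox write-up), the following Python script triages proxy or WAF logs for requests whose Site header is not a plain tenant name, prioritising the pre-auth endpoint named above. The JSON log shape, tenant names and addresses are constructed for the example; FortiClient EMS does not itself emit logs in this form.

```python
import json
import re

# Hypothetical proxy/WAF log, one JSON record per line with request headers captured.
# The record shape, tenant names and addresses are constructed for this example.
SAMPLE_LOG = """\
{"ts":"2026-03-01T10:00:01Z","src":"203.0.113.5","path":"/api/v1/init_consts","headers":{"Site":"tenant-a"}}
{"ts":"2026-03-01T10:00:02Z","src":"198.51.100.7","path":"/api/v1/init_consts","headers":{"Site":"tenant-a' AND pg_sleep(5)--"}}
{"ts":"2026-03-01T10:00:03Z","src":"198.51.100.7","path":"/api/v1/init_consts","headers":{"site":"tenant a (test)"}}
{"ts":"2026-03-01T10:00:04Z","src":"203.0.113.9","path":"/api/v1/other","headers":{"Site":"x' OR 1=1--"}}
"""

# Pre-auth endpoint named in the advisory; findings on it get higher priority.
PREAUTH_PATHS = {"/api/v1/init_consts"}
# Allowlist first: a legitimate tenant/site name should be a short plain token.
SAFE_SITE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Blocklist second, used only to grade values the allowlist already rejected.
SQL_TOKENS = re.compile(r"""(pg_sleep|copy\s+.*from\s+program|union\s+select|--|;|['"])""", re.I)


def classify_site(value: str) -> str:
    """'ok' for a plain tenant name, 'sqli' if SQL tokens are present, else 'suspicious'."""
    if SAFE_SITE.match(value):
        return "ok"
    if SQL_TOKENS.search(value):
        return "sqli"
    return "suspicious"


def scan(log_text: str) -> list[dict]:
    """Return one finding per request whose Site header is not a plain tenant name."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        headers = rec.get("headers", {})
        # HTTP header names are case-insensitive; match "Site" regardless of case.
        site = next((v for k, v in headers.items() if k.lower() == "site"), None)
        if site is None:
            continue  # no Site header: nothing to grade in this record
        verdict = classify_site(site)
        if verdict == "ok":
            continue
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "path": rec["path"], "site": site,
            "verdict": verdict, "preauth": rec["path"] in PREAUTH_PATHS,
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Tenant names that legitimately contain spaces or punctuation will show up as "suspicious" rather than "sqli"; widen SAFE_SITE to your own naming convention before relying on the verdicts.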