RistBS

@yarden_shafir here's a good one, it's redplait.blogspot.com by @real_redp

I get lots of requests for recommended resources for learning Windows, exploitation, VR, etc. I have some good links but there’s lots of others I don’t know or forgot about. Give me your best suggestions please! Feel free to link your own stuff, I wanna see it!

@0xEr3bus @_0xDeku nice work 👍

Just crafted a beacon object file for the 8th variant of the powerful process injection technique by @_0xDeku. An exciting journey into the Windows Thread Pool! github.com/0xEr3bus/PoolP… #cybersecurity #redteam #infosec #cobaltstrike

Windows Authentication - Credential Providers - Part 1 - A primer on writing a credential provider in Windows. dennisbabkin.com/blog/?i=AAA123…

@aahmad097 very nice project, I brought a PoC based on the same concept a while ago but with only ContextMenuHandlers shell extension

My latest blog I worked on “Hunting for A New Stealthy Universal Rootkit Loader”, We discovered a threat actor we believe is the same actor behind FiveSys is actively abusing WHQL portal for signing 75 kernel drivers in 2022/2023. trendmicro.com/en_us/research…

I confirm that we can use NtCreateWorkerFactory to execute our shellcode, it's just another way to do it :D gist.github.com/RistBS/fd4243d…

@Jhaddix Thank you for that, I appreciated it 😼

📕 Check out @RistBs 's Red Team OPSEC Guide. Tons of good tips in there to profile defenses and stay under the radar. ristbs.github.io/2023/02/08/you…

I have updated the Win32 offensive #cheatsheet with more techniques such as : - Module Stomping - Process Instrumentation Callback - Heap Encryption - Sleep Obfuscation #malware #redteam #cybersecurity github.com/matthieu-hackw…

@Imghostfaceee @0gtweet this should work if you use EtwEventWriteNoRegistration like 0gtweet said 🙂

@0gtweet I can't start the service, even with admin priv

Kinda (too?) complex persistency: WDI. The DLL specified in Control\WDI\DiagnosticModules is loaded in the LocalSystem context by the WDISystemHost when the proper message arrives to ALPC specified by Control\WDI\Config\ServerName. Such ALPC can be sent by an unprivileged user.

@fawazo @NinjaParanoid anyways, I give them both credit for their work.

@fawazo @NinjaParanoid no I don't have access to his training it's too expensive 🥲 but I helped myself a lot from this repo available on github github.com/rikka0w0/Explo…

new post released! Learn how I hijacked the explorer context menu to execute my beacon at each right click on a file/folder -> ristbs.github.io/2023/02/15/hij… #malware #redteam #cybersecurity

It's been a long time since I updated my cheatsheet, here is a small update that contains a list about malware dev. The biggest update is coming soon :) github.com/RistBS/Awesome… #malware #redteam #cheatsheet

@_Euzebius thx, glad to hear that😄

Really nice article, defo take a look at it ;)

I've released a new post about #opsec in #redteam go check it out and give me your feedback! ristbs.github.io/2023/02/08/you…

@NUL0x4C @modexpblog the only implementation of the structure I have seen so far is #L63" target="_blank" rel="nofollow noopener">github.com/JKornev/NTlib/…

@RistBs @modexpblog yupp, my goal is to use it for that purpose, but its not clear how

does anyone know anything about the "ProcessSystemCallFilterPolicy" flag /utilizing it for a mitigation policy

@_nwodtuhs @Alh4zr3d So, better calls the ticket that comes after TGS_REP a Service Ticket (ST) instead of TGS

@Alh4zr3d Difference between TGT and TGS is that the TGT is a ticket and the TGS is a service 😉

@NinjaParanoid @cyberwabz IDA pro on kernel32/kernelbase/ntdll -> quick filter -> "Callback" and it's stonks :D

@cyberwabz 😂 27 more windows functions which no one knows about and can do the same thing that I showed in the blog.

Here it goes. A detailed blog on proxying your DLL loads and hiding the original callstack from userland hooks/ETW with a new set of undocumented API and some hacky tricks. Code is on my Github repository. This one was a brain buster 🔥 0xdarkvortex.dev/proxying-dll-l…

@lowleveldesign nice, that's amazing