SwiftOnSecurity
180.7K posts

SwiftOnSecurity
@SwiftOnSecurity
computer security person. former helpdesk.
Cyber, USA Katılım Nisan 2014
9.2K Takip Edilen411.3K Takipçiler

What if you could put Active Directory into source control?
Join Fred Weinmann and me today at 2 PM ET for a live ADMF demo. Come see this PowerShell-backed tool in action and bring your questions!
youtube.com/watch?v=3lokn0…
#PowerShell

YouTube
English
SwiftOnSecurity retweetledi

@SwiftOnSecurity almost all cases i have seen of new AD deployments have entirely not needed it and it’s caused nothing but issues and increased blast radius of server compromise. tiered setups and red forest guidance almost always entirely ignored, to the new company’s peril
English

@MathematicaKen @BillQueens I'm just asking people starting new companies and configuring their IT did not word this well
English

@SwiftOnSecurity @BillQueens Like rationale for its requirement? Or configuration?
English
SwiftOnSecurity retweetledi

@SwiftOnSecurity See new Active Directory deploys all the time in manufacturing with onprem ERPs
Most are utilizing Entra Connect
English
SwiftOnSecurity retweetledi

Build cool shit.
But wear safety glasses.
"I haven't seen this before"... "like you took sandpaper to your eye", the doc said. Got a faceful of dust when pushing a panel of mineral wool insulation into a stud bay. Washed my eye out, went to the ER anyway since it keep itching.

Redmond, WA 🇺🇸 English

@DustinFinn Honestly that's probably the better choice but the patriot link has some other tools that do something slightly different so you're aware of them
English

@SwiftOnSecurity Serious question - cuz I cant keep track of anything anymore.
Is that better than this?
learn.microsoft.com/en-us/sysinter…
Is it the same?
Is this one of those history lessons where we learn where SysInternals and PowerToys were made from a "birds and the bees" talk ? :)
Love you.
English

This is probably so much easier than how you're doing it right now nirsoft.net/utils/live_tcp…
English

I just finished a 108-page whitepaper on a complex, air-gapped malware framework I found a while back. I'm calling it BeheMOF (you can check out the cover page below). I know a handful of other researchers are aware of this threat too. Getting my hands on a real, targeted APT framework like this (rather than the usual pseudo copy-and-paste stuff) is a dream for any malware researcher and it finally became a reality with this threat.
The whitepaper is a complete technical analysis of this multi-stage malware framework, covering its infection chain, persistence mechanisms, lateral movement, exfiltration channels, detection opportunities and remediation procedures. Because several components were missing from the analyzed files, parts of the overall architecture remain unknown.
The five-month analysis process was carried out as follows:
- Phase 1 (3 Months): Pure manual reverse engineering. Extracted, decrypted, decompiled and formatted all multi-stage payloads, scripts and configurations to get a basic understanding of the malware.
- Phase 2 (2 Months): AI-assisted analysis using Claude Code (Opus/Sonnet) and Gemini to map out the complex codebase relationships.
My takeaways on using AI for malware analysis:
When it did work, it was incredible helpful for understanding the malware's big picture, but it frequently hallucinated basic facts. The process started smoothly with Claude Opus 4.7, but requests were soon blocked by Anthropic's usage policies, even though the context was purely security research. Joining their Cyber Verification Program absolutely changed nothing, a problem that persisted when I tested Opus 4.8. Consequently, I shifted the analysis to Claude Sonnet 4.6 and later to Sonnet 5, which also triggered partial blocks. Thus, while AI is a powerful assistant for reverse engineering, almost every technical claim requires manual verification.
Given how sensitive and targeted this malware is, dropping the report publicly isn't an option right now (even a hypothetical TLP:CLEAR version is completely off the table). However, I am open to sharing it with verified infosec peers (real identities only) in exchange for similar complex malware analysis. If you're interested, feel free to reach out via DM here or through the contact info on my website.

English

@lauriewired @ID_AA_Carmack Wow Laurie and Carmack on the same thread? I would pay for this podcast 😀
English

@ID_AA_Carmack spot on, very close to what SK Hynix was discussing just a few months ago! (H3)

English

Memory cost and capacity are significant issues for AI accelerators.
Unlike game rendering, model inference can have a deterministic memory access pattern. You don’t need “random access memory” at all for model weights, and you could tolerate cold-start latencies in the multiple milliseconds, as long as continuous reads were delivered at the necessary bandwidth.
NAND flash is over 100 times cheaper per GB than HBM, so there should be opportunity there, even after giving a flash controller a 1024 bit interface with HBM bandwidth.
You could make a specialized pin protocol that just supported pipelined transfer of full 16KB+ pages from the flash to program-managed accelerator scratchpad memory and improve per-pin performance over HBM, but it might be more convenient to make it still look like a true random access memory with very fragile performance characteristics, where anything but sequential reads falls off a 1000x+ performance cliff.
That has the advantage of automatically using existing cache hierarchies, and providing a natural path to update the flash memory with new model weights. With the stream-to-scratch interface, code has to be completely rewritten before it works at all, while the ram-emulation interface will start off just extremely slow, and you can incrementally sort out the changes for full performance.
There may be cases where there isn’t enough scratchpad SRAM to hold the weights for a layer, which might force you to deploy the old optical drive optimization technique of duplicating data in multiple places on a sequential read to avoid seeking, but there would be capacity to burn.
It might be possible to do something like cuda graph capture to record a memory access trace and have everything magically remapped to a linear sequence, but deploying programmer / agent elbow grease to manage transfers and access in a scratch ram ring buffer would be lower risk.
A split memory system consisting of some channels of flash and some channels of HBM will probably be suboptimal compared to a uniform memory, but it could be much cheaper, and allow much larger models to be run.
I think th case is strong for inference, but you have to stretch more for training. You can still linearize all the weight memory accesses, both reads and writes, but flash memory would quickly wear out from the writes, even if they were all perfectly page aligned. Replacing low-latency HBM with massively parallel cheap(er) DRAM at high latency might still be a worthwhile cost savings.
English

"Special Agents executed a search warrant at the Airbnb where the group
was staying. Investigators recovered evidence of a large-scale financial fraud operation, including:
• More than 150 skimming devices
• 237 re-encoded gift cards"
dallascounty.org/Assets/uploads…
English
SwiftOnSecurity retweetledi

For the IT admins & security folks who are unaware...
In Windows Server 2025, RPC over named pipes (via SMB) for the Print Spooler is disabled by default. I believe this started with Windows Server 2022 23H2 and up.
Also EFS is now similar to WebClient where it can be targeted but has to be activated first. There's a netexec module to perform this one for inquiring minds...
It's also common to see DFS on Domain Controllers but of course it's not enabled by default.
So tools like Coercer seem to not be too successful against Server 2025 in basic out of the box configurations.


English

"Hide your SSID" being a dumb early protocol hack rather than an engineered privacy feature is a great example of how you need to be familiar with implementation and not labelling.
—————————————————————————————————————————dash🏴☠️@da5ch0
hiding your wifi SSID but then leaving wifi on your phone all the time when away means that your phone is screaming the SSID’s name constantly until it gets a response. wireless marco polo. hardly makes your SSID more private tbh, lmao
English
