ar0x

100 posts

ar0x banner
ar0x

ar0x

@_ar0x4

CyberSec Enthusiast

Vienna Katılım Ekim 2023
550 Takip Edilen275 Takipçiler
ar0x retweetledi
Logan Goins
Logan Goins@_logangoins·
We used this technique on an op recently, and I wanted to create a simple resource on it due to it being seldom covered but very useful. It's a cool way to get around various NTLM relay constraints when operating over C2 from low-privilege. See it here: specterops.io/blog/2026/07/1…
English
1
26
94
4.4K
ar0x retweetledi
Fabian Bader
Fabian Bader@fabian_bader·
The improved enforcement for All resources policies with resource exclusions in Entra ID is coming to your tenant. You can use the KQL query in this gist to verify if there might be impact in your tenant. gist.github.com/f-bader/c3de57…
Fabian Bader tweet media
English
1
15
62
5K
International Cyber Digest
International Cyber Digest@IntCyberDigest·
Someone released what is basically an offline VirusTotal without burning your payload: a security researcher reverse-engineered four major EDRs (SentinelOne, Cortex XDR, CrowdStrike, and Sophos) and extracted their detection logic from on-disk agent binaries, ML models, YARA rules, and behavioral scripts. The project rebuilds the kernel telemetry stack those products run on, including Windows process, thread, registry, and handle callbacks plus a file-system minifilter. It even reconstructs access to the ETW Threat Intelligence provider that Windows normally reserves for protected anti-malware processes. Thus, both the detection rules and the sensor layer can be replicated outside the vendor’s agent.
International Cyber Digest tweet media
English
35
153
1.3K
87.5K
ar0x retweetledi
Kiwids
Kiwids@mhskai2017·
Released a new tool yesterday that will help reverse engineering on Windows through Time Travel Debugging MCP server. specterops.io/blog/2026/06/2…
English
2
25
133
8.4K
ar0x
ar0x@_ar0x4·
Already published the first two parts of the GSA –Tunnel Vision Series, hope you guys enjoy it and find it useful. The third part covers the rogue client and I'm hoping to finish it by end of the week. ar0x.com/posts/what-is-…
English
0
11
22
2.4K
ar0x retweetledi
Dirk-jan
Dirk-jan@_dirkjan·
I just wrote a new blog on bypassing CA policies in Entra ID that have a resource exclusion, and why you probably want to enable baseline enforcement if you have such policies. Enjoy! dirkjanm.io/bypassing-cond…
English
7
159
419
35.6K
ar0x
ar0x@_ar0x4·
@fabian_bader @x33fcon "GlobalSecureAccessTunnelingService.exe" embeds the full protobuf schema as a serialized FileDescriptorProto. Pulled that blob out of the binary and decoded it back into the .proto with protoc
English
0
0
1
62
Fabian Bader
Fabian Bader@fabian_bader·
@_ar0x4 @x33fcon This looks like great research. Is the slide deck already available? How did you decode the Protobuf of GSA?
English
2
1
2
2K
ar0x
ar0x@_ar0x4·
Releasing Tunnel Vision Toolkit, part of my @x33fcon talk on Microsoft Global Secure Access. Includes BOFs to assist in engagements where you face GSA, plus a rogue client that lets you connect to internal resources from unmanaged devices. github.com/ar0x4/tunnel-v…
English
2
41
96
13K
ar0x
ar0x@_ar0x4·
@fabian_bader @x33fcon Thanks! The slide deck is not publicly available yet, but I will share it soon. In the meantime, I'll publish some blog posts about it and update the current version of the Rouge client (probably within the next one to two weeks).
English
1
0
3
255
ar0x retweetledi
S3cur3Th1sSh1t
S3cur3Th1sSh1t@ShitSecure·
After “The Art of Evasion” @x33fcon I’m publishing NimSyscallPacker to the public. This is the most advanced public Packer/Loader I’m aware of: github.com/S3cur3Th1sSh1t…
English
6
116
379
32.9K
ar0x retweetledi
Adam Chester 🏴‍☠️
Everyone losing their minds over the Visual Studio Code payload hitting GitHub. The research was published on @MDSecLabs site in 2023! Red Teams have used this on assessments for ages!! Microsoft knows all of this and didn't bother to fix it!!! IT'S BEEN IN INITIAL-ACCESS FRAMEWORKS FOR YEARS!!!! mdsec.co.uk/2023/08/levera…
English
9
43
172
24.1K
ar0x
ar0x@_ar0x4·
@sekurlsa_pw 😂😂😂 but it’s effective
English
0
0
3
161
🕳
🕳@sekurlsa_pw·
Abusing ESC1 to get domain admin.
English
2
5
79
6.8K
ar0x retweetledi
r0BIT
r0BIT@0xr0BIT·
shipping: WinSSHound maps SSH access in AD as BloodHound paths. because Windows OpenSSH cheerfully ignores your "Deny Logon" GPOs (pre-2025) and on a default sshd_config every Authenticated User in the domain can walk right in. Why? Because Microsoft. github.com/1r0BIT/WinSSHo…
English
0
68
209
12.5K
ar0x retweetledi
Anneshu Nag
Anneshu Nag@anneshu_nag·
> March Claude users: "Opus has been feeling noticeably dumber lately. Something's off." Claude team: "You're all just imagining it. Classic user delusion. Touch grass. Maybe try not being bad at prompting." > 1 month later Claude team: "After extensive internal analysis, we can now confirm that Opus was, in fact, dumber for the past 31 days. Here's our 47-page technical report with graphs, appendices, and a very polite explanation of the mysterious regression that definitely wasn't our fault." ps: "Also since today GPT-5.5 dropped here's a limit reset just to distract y'all from our failures."
English
19
75
1.3K
117.2K
ar0x
ar0x@_ar0x4·
@PhilipTsukerman Yup, same here. Looks like they tightened the guardrails.
English
0
0
1
441
Philip Tsukerman
Philip Tsukerman@PhilipTsukerman·
Anyone using Opus 4.6 for vuln research (the disclosure type, not the sploity-selly type) and started getting consistent refusal responses from Claude since Friday? Anthropic approved my use-case form, but there hasn't been any noticeable change in the refusal policy since...
English
16
4
80
17K
ar0x retweetledi
vx-underground
vx-underground@vxunderground·
Time to nerd schizo rant for a second. "Hxr1" writes you can abuse the newly minted Windows Machine Learning API to execute shellcode in-memory without having to invoke VirtualAlloc. That is wrong ... because he himself in his proof-of-concept invokes VirtualAlloc, so I don't know why he wrote that. However, this paper is an interesting concept on smuggling malicious code and/or payloads. Without going on a deeper schizo rant however, I'd really like to emphasize this proof-of-concept does indeed work, but it has bugs... but, whatever. Basically Windows Runtime has a thingie that allows you to run pretty shrimple AI models (ONNX). It's called the Windows Machine Learning API (WinML). These are so lightweight it doesn't really require 9000 GPUs and 120pb (Peanut Butters) of memory. It is written using Windows Runtime so it is accessible from C, C++, and anything in the .NET family. It will work natively across the Windows platform (although it is a pain in the ass in C). If you're writing this in C/C++, the application flow goes as follows: 1. RoInitialize (although the original author did it all weird and ass backwards) 2. Get ONNX bytes (ReadFile, download, whatever) 3. Do dumb stream stuff 4. CreateFromStream (ONNX stream stuff) 5. LearningModelStatics->LoadFromStream In the simplest terms possible, load the ONNX stuff into memory using the fancy-schmany Windows Runtime stuff and let the Windows ML API hang out with it. In Hxr1's proof-of-concept the ONNX file (shrimple AI model) has a malicious payload baked inside of it. However, memory allocated from the dumb stream stuff, and the memory used by LearningModelStatics is NOT executable. To compensate for this, Hxr1 reads the content from the loaded ONNX file, copies it to a buffer allocated by VirtualAlloc, changes the allocated buffer to RWX, then does the malicious stuff. This fact contradicts his entire paper. In essence, all the WinML API is doing in this context is a really roundabout way to do ReadFile. He also misses out on some other interesting opportunities. 1. Using the WinML is it (probably) possible to make an AI model that evaluates the machine to determine if it is a VM. @0xTriboulet did something similar where he used the WinML to hunt for credentials in documents on machines. 2. It may be possible to change the memory characteristics from LearningModelStatics to be RWX. However, I haven't tested this and this contains a massive asterisk because several conditions need to be met which I haven't evaluated. hxr1.ghost.io/abusing-winml-…
English
11
36
344
33.1K