Dinosaur

6 posts

Dinosaur

@7uckzero

HajiMi Wo~ North South Green Bean...

Hong Kong, China Tham gia Şubat 2025

117 Đang theo dõi5 Người theo dõi

Dinosaur@7uckzero·9 Şub

@TwoSevenOneT My friend told me that this technique already appeared around 2014. Regardless, it is still worth researching, as EDR solutions tend to closely monitor the SERVICE_CONFIG_FAILURE_ACTIONS flag. trustedsignal.blogspot.com/2014/05/kansa-…

English

271

Two Seven One Three@TwoSevenOneT·8 Şub

You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath. #antimalware #redteam #Pentesting

English

207

14.2K

Dinosaur@7uckzero·6 Şub

@Octoberfest73 I also implemented a POC that can achieve calls without NtContinue and optimized the call stack.I would appreciate your feedback on this project. github.com/7uckzero/Ghost…

English

216

Octoberfest7@Octoberfest73·6 Şub

I am now the proud owner of a version of Ekko that: - Uses threadpool timers - Conceals use of timers from the call stack - Does not use NtContinue/Ex I've learned that if you believe hard enough and use a shitload of ROP anything is possible.

Octoberfest7@Octoberfest73

@jamieantisocial This is finally motivating me to take a look at fibers again. I could be wrong, haven’t explored fully yet, but I’m pretty sure I see a path forward to use fibers with Ekko and eliminate its use of NtContinue

English

9.4K

Dinosaur@7uckzero·26 Oca

This is a sleep obfuscation proof of concept based on Ekko-SleepObf, which completely bypasses the detection of Hunt-Sleep-Beacon (HSB) github.com/7uckzero/Ghost…

English

Dinosaur@7uckzero·9 Oca

This is a proof-of-concept (PoC) for shellcode injection. It acquires a handle to the target process using only the PROCESS_CREATE_THREAD access right. Credit: blog.fndsec.net/2025/05/16/the… This PoC is based on this work and has been further expanded. github.com/7uckzero/Conte…

English

185

Dinosaur@7uckzero·8 Oca

@dis0rder_0x00 This reminds me of ContextOnly's blog post, and I think you can take a look at this. The two techniques can be combined to finally obtain a handle that only uses the "PROCESS_CREATE_THREAD" tag blog.fndsec.net/2025/05/16/the…

English

144

dis0rder@dis0rder_0x00·4 Oca

As promised here is my approach to using the Windows Debugging API to inject shellcode (w/o direct process read/write) Had a lot of fun playing with this! (Currently tested agains MDE & Elastic) github.com/dis0rder0x00/D…

English

115

421

38.5K

Dinosaur@7uckzero·30 Ara

@deceptiq_ His design is quite confusing. 😇 After using MAN, DAT cannot be used and MAN cannot be deleted. I also do not have a registry switch to specify whether to use MAN or DATA...

English

deceptiq@deceptiq_·27 Ara

Registry persistence is well-documented - and unsurprisingly well-detected. We explore a lesser-known technique for arbitrary registry writes against HKCU at medium integrity - without triggering registry callbacks. And in turn those detections. deceptiq.com/blog/ntuser-ma…

English

133

27K

Khám phá

@TwoSevenOneT @Octoberfest73 @dis0rder_0x00 @deceptiq_ @elonmusk @BarackObama @taylorswift13 @cristiano