Oddvar Moe [MVP]

@Oddvarmoe

MVP,MCITP,MCT and GPEN certified. Chief Technical Architect at . Windows Security specialist, pentester and aspiring security researcher.

Norway
oddvar.moe
Joined September 2011
332 Photos and videos Photos and videos

Tweets

You blocked @Oddvarmoe

Are you sure you want to view these Tweets? Viewing Tweets won't unblock @Oddvarmoe

  1. Pinned Tweet
    Aug 8

    CVE 2017-8625 is out. Me proud? Oh yeah! Lifetime goal achieved. -

    15 replies 44 retweets 143 likes
  2. Retweeted
    23 hours ago

    How sure are you that "(Verified) Microsoft Windows" refers to a program that actually originates from Microsoft? Code Signing Certificate Cloning Attacks and Defenses

    2 replies 193 retweets 330 likes
  3. Dec 22

    AppLocker case study blogposts so far. More to come! AppLocker study 1 - AppLocker study 2 - Hardening based on study 1 - Hardening based on study 2 -

    7 replies 170 retweets 319 likes
  4. Retweeted
    Dec 21
    Replying to

    I have a metasploit module to test some of the bypasses you mention. Here is a link to the pull request if you are interested

    1 reply 2 retweets 4 likes
  5. Dec 21

    Harden Windows with AppLocker - Part 2 of my hardening posts -

    1 reply 16 retweets 22 likes
  6. Dec 21

    Another blogpost about my case study on AppLocker bypasses - Part 2 - - I could use some coding help from someone to verify 2 of the bypasses.

    1 reply 29 retweets 36 likes
  7. Dec 20

    Writing part 2 of my blog series "AppLocker - How insecure is it really?" - Just realized that .PS1 is no longer blocked by AppLocker, but rather depends on constrained language mode in PowerShell. Hopefully the blogpost will be done by tomorrow. Part 1 -

    1 reply 24 retweets 41 likes
  8. Retweeted
    Dec 20

    The wait is over! Registration for 2018 is now open. Places are limited so register today!

    32 retweets 47 likes
  9. Dec 19

    I got mixed feelings about this: My research on CMSTP.exe and awesome code is used as part of an auto elevating bot. I feel kind of honored and at the same time it feels very wrong. Anyways, great blogpost.

    1 reply 1 retweet 3 likes
  10. Retweeted
    Dec 19

    My "scrap" or junk code as an experiment. This was me writing a quick PoC hook to grab TLS Req/Resp from PowerShell memory, instead of with a proxy Take a look, experimental PoC only. May be helpful/interesting. Feedback Welcome. Still more to do...

    1 reply 34 retweets 65 likes
  11. Retweeted
    Dec 18

    ICYMI, Check out 's take on Data Quality for Threat Hunting!

    Are you really ready for ? What does your data look like? Data Availability != Data Quality
    4 retweets 9 likes
  12. Retweeted
    Dec 18

    DLL/Exe execution via Tracker.exe (Microsoft signed binary, part of Visual Studio) .\Tracker.exe /d .\calc.dll /c C:\Windows\write.exe Can be used outside of Visual Studio, needs a DLL "TrackerUI.dll" (again from VIsual Studio) present in a subfolder "1028"

    5 replies 126 retweets 153 likes
  13. Retweeted
    Dec 19

    I know you’ll appreciate this. A meme our Helpdesk created when something was broken with CM. 😬

    1 reply 1 retweet 4 likes
  14. Retweeted
    Dec 18

    DNSTrails The World's Largest Repository of historical DNS data

    5 replies 317 retweets 510 likes
  15. Retweeted
    Dec 18

    Oh Wow, this was a blast to write. In Memory SSL Intercept ;-). Thanks again mavinject! All your Encrypted PowerShell WebRequests Are Belong To Us ;-) Have Fun!

    3 replies 315 retweets 533 likes
    Show this thread
    Show this thread
  16. Retweeted
    Dec 18

    Simple DLL Inject UserMode Hook Example: Nice Complimentary pairing with mavinject.exe 🍷 In this example, we hook CreateProcess and prevent cmd.exe/taskmgr.exe PoC only, but you get the idea. More interesting would be to hook sspicli!EncryptMessage ;-)

    3 replies 165 retweets 302 likes
  17. Retweeted
    Dec 18

    [New Post] Microsoft Office – NTLM Hashes via Frameset

    56 retweets 85 likes
  18. Retweeted
    Dec 15

    I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability.

    41 replies 1,102 retweets 1,634 likes
    Show this thread
    Show this thread
  19. Retweeted
    Dec 16

    Not all DLLs are created equally. Learn the basics of the Windows architecture.

    1 reply 82 retweets 178 likes
  20. Retweeted
    Nov 27

    New Blog Post: Use to bypass Device Guard / Applocker

    2 replies 17 retweets 17 likes
  21. Retweeted
    Dec 15

    [New Post] Microsoft Office – Payloads in Document Properties

    40 retweets 74 likes

@Oddvarmoe hasn't Tweeted yet.

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

    You may also like

    ·