Oddvar Moe [MVP]

@Oddvarmoe

MVP, MCITP, MCT and GPEN certified. Chief Technical Architect at . Windows Security specialist, pentester and aspiring security researcher.

Norway
Joined September 2011

Tweets


  1. Pinned Tweet
    Aug 8
  2. Retweeted
    23 hours ago

    How sure are you that "(Verified) Microsoft Windows" refers to a program that actually originates from Microsoft? Code Signing Certificate Cloning Attacks and Defenses

  3. Retweeted
    Dec 21
    Replying to

    I have a metasploit module to test some of the bypasses you mention. Here is a link to the pull request if you are interested

  4. Dec 21
  5. Dec 21

    Another blogpost about my case study on AppLocker bypasses - Part 2 - - I could use some coding help from someone to verify 2 of the bypasses.

  6. Dec 20

    Writing part 2 of my blog series "AppLocker - How insecure is it really?" - Just realized that .PS1 is no longer blocked by AppLocker, but rather depends on constrained language mode in PowerShell. Hopefully the blogpost will be done by tomorrow. Part 1 -

  7. Retweeted
    Dec 20

    The wait is over! Registration for 2018 is now open. Places are limited so register today!

  8. Dec 19

    I got mixed feelings about this: My research on CMSTP.exe and awesome code is used as part of an auto elevating bot. I feel kind of honored and at the same time it feels very wrong. Anyways, great blogpost.

  9. Retweeted
    Dec 19

    My "scrap" or junk code as an experiment. This was me writing a quick PoC hook to grab TLS Req/Resp from PowerShell memory, instead of with a proxy Take a look, experimental PoC only. May be helpful/interesting. Feedback Welcome. Still more to do...

  10. Retweeted
    Dec 18

    ICYMI, Check out 's take on Data Quality for Threat Hunting!

  11. Retweeted
    Dec 18

    DLL/Exe execution via Tracker.exe (Microsoft signed binary, part of Visual Studio) .\Tracker.exe /d .\calc.dll /c C:\Windows\write.exe Can be used outside of Visual Studio, needs a DLL "TrackerUI.dll" (again from Visual Studio) present in a subfolder "1028"

  12. Retweeted
    Dec 19

    I know you’ll appreciate this. A meme our Helpdesk created when something was broken with CM. 😬

  13. Retweeted
    Dec 18

    DNSTrails The World's Largest Repository of historical DNS data

  14. Retweeted
    Dec 18

    Oh Wow, this was a blast to write. In Memory SSL Intercept ;-). Thanks again mavinject! All your Encrypted PowerShell WebRequests Are Belong To Us ;-) Have Fun!

  15. Retweeted
    Dec 18

    Simple DLL Inject UserMode Hook Example: Nice Complimentary pairing with mavinject.exe 🍷 In this example, we hook CreateProcess and prevent cmd.exe/taskmgr.exe PoC only, but you get the idea. More interesting would be to hook sspicli!EncryptMessage ;-)

  16. Retweeted
    Dec 18
  17. Retweeted
    Dec 15

    I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability.

  18. Retweeted
    Dec 16

    Not all DLLs are created equally. Learn the basics of the Windows architecture.

  19. Retweeted
    Nov 27
  20. Retweeted
    Dec 15
