glid3s

If you study maldocs you know the Shell() function. Did you know about Interaction$.Shell@()? This malware does: https://www.virustotal.com/gui/file/8817300ae48966451e4090eb88225e70f083010f2f89b29854bdb78a5b7b0425 … Interesting to see how just calling Interaction$.Shell drops the detection rate: https://www.virustotal.com/gui/file/20eac82e2b7149190d868e26abcc244979a0ec478bc306e1cf071cbff572d0f7/detection … https://www.virustotal.com/gui/file/95c000ae085c4c227ea4812f101ffd0c3b062a8347566787bd95839835a159aa/detection …pic.twitter.com/dEG9jJwGqL

#FakeLogonScreen is a C# utility to steal a user's password using a fake Windows logon screen. This password will then be validated and saved to disk. Useful in combination with #CobaltStrike's execute-assembly command. https://github.com/bitsadmin/fakelogonscreen …pic.twitter.com/2pAOk9InLM

SettingSyncHost.exe as a LolBin http://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin/ … #LOLBIN cd %TEMP% & c:\windows\system32\SettingSyncHost.exe -LoadAndRunDiagScript foopic.twitter.com/dOM4EHq4Zu

PoC (Denial-of-Service) for CVE-2020-0609 & CVE-2020-0610 Please use for research and educational purpose only. https://github.com/ollypwn/BlueGate …pic.twitter.com/R43AHUwGV0

Ladies and gentlemen, I present you a working Remote Code Execution (RCE) exploit for the Remote Desktop Gateway (CVE-2020-0609 & CVE-2020-0610). Accidentally followed a few rabbit holes but got it to work! Time to write a blog post ;) Don't forget to patch!pic.twitter.com/FekupjS6qG

Steps for making a self-signed ECDSA certificate using a fake Microsoft Certificate Authority. This isn't the CVE-2020-0601 bug (somehow you sign using ECDSA and make a valid chain with other CA), but useful commands if you are experimenting with this for Authenticode bypassing.pic.twitter.com/1NgEPt3goE