Matt Hand

@matterpreter

Red team guy at | Aut viam inveniam aut faciam

USA
Joined June 2010

Tweets


  1. Pinned Tweet
    13 Jan

    I've been poking around the Windows kernel a lot lately and one of my favorite samples I've referenced is Mimikatz's driver, Mimidrv. I took some time and documented all of its functions and included some write-ups on important kernel structures. Post: 1/3

  2. Retweeted
    31 Jan

    Fuck it, I can't focus at all today. It's a mess, sorry. I've also uploaded the discussed bug to github. Maybe someone can make sense of it. It's a junction bug that's a little more complicated than a simple "bait and switch". Hope it's useful to someone.

  3. Retweeted
    22 Jan

    Revisiting RDP lateral movement and releasing a project that will be part of a bigger tool coming next week

  4. Retweeted
    21 Jan

    Just released Satellite, a payload hosting and proxy software for red team operations. In the blog post, I discuss the feature set of Satellite as well as why an operator would choose it over Apache or Nginx.

  5. 21 Jan

    Hey Defender friends. Turns out that removing those services with Unicode/non-printable characters is pretty hard, so I wrote you a tool to help with that. I'll be releasing the offensive PoC later this week or early next week.

  6. 17 Jan

    Thankfully, you can remove them by deleting the keys with regedit, which is able to render Unicode characters.

  7. 17 Jan

    Want to make service removal really fun? Create a service with a Unicode name. The service will run but won't show in sc.exe, services.msc, or taskmgr.exe and will sometimes cause a critical error while trying to find it with PowerShell/WMI. Unicode wins again.🤦‍♂️

  8. 13 Jan

    I want to sincerely thank for releasing Mimidrv. It is an invaluable resource for understanding how we can leverage kernel functions for offense 🥝❤️ 3/3

  9. 13 Jan

    My intent with the post is to put out documentation for Mimidrv, but also show some of the specifics of why operating in the kernel is so powerful and demonstrate the practical application through existing tooling. 2/3

  10. Retweeted
    10 Dec 2019
  11. Retweeted
    5 Dec 2019
  12. Retweeted
    25 Nov 2019

    Today I was able to release the first post of a series of blog posts about attacking FreeIPA, an open source alternative to Windows Active Directory inside of unix environments. This post covers authentication, and situational awareness.

  13. Retweeted
    21 Nov 2019

    We are hosting a training event in Alexandria, VA. on January 27th - 30th. Both the Red Team Operations and Detection courses will be offered. Sign up here: Red Team Operations: Detection:

  14. Retweeted
    16 Jan 2019

    Collection of (undocumented) Microsoft Windows kernel structures for various Windows versions

  15. Retweeted
    17 Oct 2019

    Want to make your life reversing obfuscated .NET so much easier? Most obfuscated .NET malware I've seen loads a mostly deobfuscated version of itself w/ Assembly.Load(byte[]). Running the sample w/ .NET 4.8 permits in-mem assembly recovery with AMSI ETW.

  16. Retweeted
    15 Oct 2019

    Assessing the Effectiveness of a New Security Data Source: Windows Defender Exploit Guard and were wizards at assessing and deploying this in the env! Event fields thoroughly documented here:

  17. Retweeted
    4 Oct 2019

    Antimalware Scan Interface Detection Optics Analysis Methodology: Identification and Analysis of AMSI for WMI

  18. Retweeted
    30 Sep 2019

    Posted some VBA code for loading a DotNet assembly directly using mscorlib + Assembly.Load by manually accessing the VTable of the IUnknown. Hopefully it saves someone else some time, but it's not the cleanest approach I was hoping for.

  19. Retweeted
    Replying to:

    There are an infinite number of ways to subvert Sysmon if you have admin privilege on the server. This is a cat and mouse game that's not winnable.

  20. 18 Sep 2019

    Releasing a new tool to aid in Sysmon evasion, Shhmon () with an associated blog post including defensive recommendations
