Matt Graeber

@mattifestation

Father, husband, Navy vet, all around n00b. Security realist and optimist. Security Researcher

Bouvetøya
Joined April 2009

Tweets


  1. 22 hours ago

    How sure are you that "(Verified) Microsoft Windows" refers to a program that actually originates from Microsoft? Code Signing Certificate Cloning Attacks and Defenses
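The question above is about trusting a signer's display name rather than the chain behind it. The following is an added example, not code from the tweet's author or from the linked post: it resolves a file's Authenticode signature to the root CA it actually chains to and compares that root's thumbprint against an allow-list. `Test-TrustedSigner` is a hypothetical function name, and the thumbprint allow-list is a placeholder you must fill from a known-good reference, not from the machine being inspected.

```powershell
# Added example (hypothetical helper, not from the original page).
# A cloned certificate chain can carry the same subject strings as a genuine
# Microsoft chain and still show Status = Valid if its root was installed into
# the local trusted root store, so the subject string alone proves nothing.
# Pin the ROOT thumbprint instead.
function Test-TrustedSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        # PLACEHOLDER allow-list: populate from a trusted reference, offline.
        [Parameter(Mandatory)][string[]]$TrustedRootThumbprints
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{
            Path = $Path; Trusted = $false; Reason = "Signature status: $($sig.Status)"
        }
    }

    # Build the chain ourselves so we can look at the root, not just the leaf.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline demo; enable in production
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $trusted = $TrustedRootThumbprints -contains $root.Thumbprint
    [pscustomobject]@{
        Path           = $Path
        LeafSubject    = $sig.SignerCertificate.Subject
        RootSubject    = $root.Subject
        RootThumbprint = $root.Thumbprint
        Trusted        = $trusted
        Reason         = if ($trusted) { 'Root thumbprint is on the allow-list' }
                         else { 'Root thumbprint NOT on the allow-list: possible cloned chain' }
    }
}

# Usage: check a system binary against your pinned root(s).
Test-TrustedSigner -Path "$env:SystemRoot\System32\notepad.exe" `
                   -TrustedRootThumbprints @('<TRUSTED-ROOT-THUMBPRINT-PLACEHOLDER>')
```

Because the root store on a compromised host is exactly what a cloning attack tampers with, the allow-list should come from a clean source and the result is a detection signal to act on, not a substitute for catalog or WDAC policy enforcement.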

  2. Dec 21

    My OCD is triggering really hard that I can't specify that a specific set of Sysmon RegistryEvent rules only fire when the EventType is SetValue.

  3. Retweeted
    Dec 21

    [Get-Doppelgangers] - PowerShell script to detect process and dll doppelganging thx for the poc!

  4. Retweeted
    Dec 21

    UPDATE: If you clean install RS4+ and have compatible hardware VBS/HVCI is now automatically enabled!! This means the Windows kernel now enforces by default: Kernel code integrity, runtime ACG, and control flow integrity via VBS. Huge for Windows security. Checkout WIP builds!

  5. Retweeted
    Dec 20

    Shellcode running cleanly in kernel mode on a Windows 10 machine from a 0day vuln I found. Some serious PagedPool shaping involved. Come check out my talk to hear all about it!

  6. Dec 20

    Another seriously amazing agenda this year. I can't wait to present on my expanded research into code signing attacks and defense!

  7. Dec 19

    Holy crap I'm looking forward to the result of this project.

  8. Dec 19

    You'll have a hard time finding a more mature methodology for developing _robust_ detections than and his colleagues at .

  9. Dec 19

    Does anyone know if MSFT publishes a canonical list of what it considers to be weak crypto algorithms? Reference: CERT_CHAIN_POLICY_SSL_F12 in CertVerifyCertificateChainPolicy ()

  10. Dec 19

    Why do computers work?

  11. Dec 19

    And yes, I'm starting to take advantage of the 280 char limit by posting anticipated responses to tweets. 😉

  12. Dec 19

    Not being much of a Python guy, I was super impressed by malware decrypting and running modules entirely in-mem with marshal.load. "Bro, I've been talking about this for years. Check out my sweet Python RAT."

  13. Dec 19

    Many of our professional lives revolve around the defense of systems that were never designed to be defensible. As such, a massive industry exists to fill that void.

  14. Retweeted
    Dec 18

    I think most people forget that avoiding detection usually creates artifacts that you were attempting to avoid detection. I like creating a logging/detection scenario where the attacker avoiding detection acts as an actionable signal whether through logs or other sensors.

  15. Dec 18

    Attackers love executing PowerShell at the command line and regardless of PS version used, the free command line logging you get in "Windows PowerShell" EID 400 is the gift that keeps on giving. "But I can easily bypass that!" "Yes, I know you can..."

  16. Retweeted
    Dec 18

    Wrote a quick thing about setting up 's DetectionLab. TL;DR - It's very cool. Read the README.

  17. Dec 18

    The most pragmatic offensive security researchers spend time considering the impact of their research and spend time developing usable detection/prevention strategies.

  18. Dec 18

    The most pragmatic security managers don't resort to fear and blame when new attack research comes out. They view it simply as a task item to improve their posture. They manage security. They acknowledge that security is not a problem to be solved.

  19. Retweeted
    Dec 18

    My book's finally here, just in time for Xmas. Thanks to and for all their time and effort as well as my friend for doing the foreword. Hope anyone who's bought it is seeing final copies arriving. And it's a dog on the cover BTW 🙂

  20. Retweeted
    Dec 17

    Browser/mitigation people, I feel you. Cc
