Nick Landers

@monoxgas

Security research, exploits, malware dev, training.

Utah
Joined October 2010
8 Photos and videos Photos and videos

Tweets

You blocked @monoxgas

Are you sure you want to view these Tweets? Viewing Tweets won't unblock @monoxgas

  1. Retweeted
    Nov 11

    Interesting Fact: The core implant uses a multi-stage approach with exportable DLL ordinals for near each step of the deployment. Seems like approach is fairly threat representative. Plan on doing some RE of the loader next week.

    1 reply 2 retweets 9 likes
    Show this thread
    Show this thread
  2. Retweeted
    Oct 11

    Yet another Ruler vector - CVE-2017-11774 shell Outlook via the home page. New Ruler and NotRuler available:

    11 replies 261 retweets 357 likes
  3. Retweeted
    Oct 10

    Blog post - Hunting for .NET in-memory techniques

    80 retweets 113 likes
  4. Sep 26

    Always in our hearts, SBS doesn't forget.

    1 retweet 2 likes
  5. Sep 21

    The best days for blue teams are sometimes the toughest for red teams. Great job MS! Time to get back to work researching Outlook.

    And it's confirmed. Custom form script is disabled by default across all Outlook versions (if you've patched):
    7 retweets 8 likes
  6. Retweeted
    Sep 13

    KB4011091 for Outlook 2016 seems to block VBScript in forms! If so, well played MSFT! Can't find mention of it in the update description

    3 replies 23 retweets 43 likes
  7. Retweeted
    Aug 29

    Exploiting Code Injection Vulnerabilities to Bypass Constrained Language Mode

    5 replies 247 retweets 312 likes
  8. Retweeted
    Aug 24

    [Blog] UMCI vs Internet Explorer: Exploring CVE-2017–8625

    5 replies 223 retweets 266 likes
  9. Retweeted
    Aug 23

    New blog post by ! Check out the latest for in-memory malware -> sRDI (Shellcode reflective DLL injection)

    84 retweets 122 likes
  10. Retweeted
    Aug 17

    New, but short blog post is up! XSS Using Active Directory Automatic Provisioning -

    19 retweets 39 likes
  11. Aug 9

    SyncAppVPublishingServer kickin' on Windows 7 with PowerShell v3.

    5 replies 26 retweets 75 likes
  12. Aug 8

    Need a signed alternative to Powershell.exe? SyncAppvPublishingServer in Win10 has got you covered.

    18 replies 545 retweets 793 likes
  13. Jul 29
    Replying to

    Big credits to

    1 reply 1 like
  14. Jul 29

    Shellcode Reflective DLL Injection (sRDI). Convert DLLs to position independent shellcode. Inject all the things!

    10 replies 271 retweets 398 likes
  15. Jul 25

    Thanks for the love man. We will shoot for a public release soon

    class from sRDI (shellcode reflective DLL injection) dropped!@inguardians game changer.
    1 reply 1 retweet 3 likes
  16. Jul 22

    Proof that Outlook abuse is in the wild, put this on your radars!

    New blog on advanced exploit. Don't miss this critical read: Using Outlook Forms for Lateral Movement & Persistence
    2 retweets 4 likes
  17. Retweeted
    Jul 22

    Looking forward to Dark Side Ops 1 and 2 training at !!

    4 replies 57 retweets 15 likes
  18. Jul 6

    Office 365 with Outtook 2013/16 now limits dangerous outlook rules. KB3191883 and KB3191938

    38 retweets 46 likes
  19. Retweeted
    Jul 5

    Anyone up for beta testing "NotRuler"? Pulls out VBScript containing forms and endpoints from rules.

    3 replies 5 retweets 10 likes
  20. Jul 3

    Everyone stay up to date on this tool. Will be a much needed step for detecting Outlook abuse.

    Very hacky but detection of client-side rules and extraction of UNC paths working for malicious rules
    1 reply 6 retweets 11 likes

@monoxgas hasn't Tweeted yet.

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

    You may also like

    ·