Casey Smith

@subTee

Joined August 2011
470 Photos and videos Photos and videos

Tweets

You blocked @subTee

Are you sure you want to view these Tweets? Viewing Tweets won't unblock @subTee

  1. Pinned Tweet
    6 Jul 2015

    True Vendor Call Our software protects you from buffalo overflows. Me:Excuse me, What? o_O Buffalo Overflows. Me: OK

    71 replies 1,742 retweets 1,694 likes
  2. Retweeted
    20 hours ago

    Another instance where encourages us to rethink our views on digital signature validation.

    92 retweets 156 likes
  3. Retweeted
    Dec 21
    Replying to and

    I don't know that it's possible to authentically simulate the best APT groups. You can target the same victims and data, but they have nation state funding to innovate. You can get as close as yesterday.

    4 replies 15 retweets 25 likes
  4. Retweeted
    Dec 20
    Replying to

    FYI: 17 years into my career, still trying to become an expert at something! While I've still got stuff to learn, and still need to get better at things, the effort/process/learnings all take me to wonderful places and meeting with great people. Attitude and aptitude are key!

    2 replies 8 retweets 38 likes
  5. Retweeted
    Dec 20

    Periodic reminder: all non-trivial platforms have had serious, exploitable vulnerabilities found in them from time to time. Having a vulnerability discovered in your product isn’t in and of itself shameful. But responding badly by lashing out when one is found definitely is.

    11 replies 377 retweets 841 likes
  6. Retweeted
    Dec 20

    ASLRA: Statistical tool specially designed to measure all parameters that determine quality of ASLR [patches for paxtest ; see also OpenBSD KARL but "how would do you sign such a kernel"?]

    1 reply 27 retweets 37 likes
  7. Retweeted
    Dec 19

    Take a look at ShmooCon Labs. We've rebooted things a bit with a much larger focus on operations and analysis. If you want to learn more about security operations, malware analysis, and incident response, take a look at Labs.

    If you've got your barcode, here's some of what you can do at Shmoo.
    2 replies 29 retweets 28 likes
  8. Retweeted
    Dec 19

    We've open sourced our framework for developing alerting and detection strategies for incident response. We have also included several internal strategies as examples to spur greater sharing and collaboration with defenders.

    10 replies 245 retweets 456 likes
  9. Dec 19

    My "scrap" or junk code as an experiment. This was me writing a quick PoC hook to grab TLS Req/Resp from PowerShell memory, instead of with a proxy Take a look, experimental PoC only. May be helpful/interesting. Feedback Welcome. Still more to do...

    1 reply 34 retweets 65 likes
  10. Retweeted
    Dec 19

    Makes me wonder what the "average security team" Detect Ops look like.

    "The average security team typically examines less than 5 percent of the alerts flowing into them every day" < more monitoring can't be the answer to security challenge
    1 reply 4 retweets 7 likes
  11. Retweeted
    Dec 18
    Replying to

    I can attest to RWX standing out. We got to run 's Get-InjectedThread at scale recently! 😀

    3 replies 1 retweet 13 likes
  12. Dec 18

    Fixed a minor x86, x64 issue.

    1 reply 8 retweets 30 likes
    Show this thread
    Show this thread
  13. Dec 18

    Oh Wow, this was a blast to write. In Memory SSL Intercept ;-). Thanks again mavinject! All your Encrypted PowerShell WebRequests Are Belong To Us ;-) Have Fun!

    3 replies 315 retweets 533 likes
    Show this thread
    Show this thread
  14. Dec 18

    [Good Read] Windows Inline Function Hooking

    1 reply 111 retweets 180 likes
  15. Dec 18

    Simple DLL Inject UserMode Hook Example: Nice Complimentary pairing with mavinject.exe 🍷 In this example, we hook CreateProcess and prevent cmd.exe/taskmgr.exe PoC only, but you get the idea. More interesting would be to hook sspicli!EncryptMessage ;-)

    3 replies 165 retweets 302 likes
  16. Retweeted
    Dec 18

    My book's finally here, just in time for Xmas. Thanks to and for all their time and effort as well as my friend for doing the forward. Hope anyone who's bought it are seeing final copies arriving. And it's a dog on the cover BTW 🙂

    64 replies 263 retweets 1,023 likes
  17. Retweeted
    Dec 15
    Replying to

    Is there any possibility of Windows moving sensitive logging into a hypervisor-protected container? I don’t know how that would even work, just curious.

    2 replies 3 retweets 11 likes
  18. Dec 15

    Sysmoney! Thanks mavinject.exe! Details probably never.

    2 replies 47 retweets 110 likes
  19. Retweeted
    Dec 14

    This evening's post on diary, , provides more well deserved attention for 's Chris Long's () Detection Lab with: Windows 2016 DC Windows 2016 WEF/WEC server Win10 non-server endpoint Ubuntu 16.04 logger A lab for defenders!

    2 replies 19 retweets 55 likes
  20. Dec 14

    Yeah, was looking at this over a year ago.

    related
    Show this thread
    1 reply 2 retweets 8 likes
  21. Retweeted
    Dec 14

    Using MavInject32.exe (Microsoft Corp Signed) to load any dll in a running process. > "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" <PID> /INJECTRUNNING <PATH DLL> cc:

    21 replies 838 retweets 1,181 likes
    Show this thread
    Show this thread

@subTee hasn't Tweeted yet.

Loading seems to be taking a while.

Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.

    You may also like

    ·