Kurosh Dabbagh
@_Kudaes_
nt authority\kurosh http://github.com/Kudaes http://kudaes.medium.com
This is so much! 🔥🔥😎 Found two new Potato triggers just today. Not only for Potato: it can also be used for LPE, as the remote auth that is performed could be relayed to LDAP without signing enabled, or relayed to ADCS for a certificate. github.com/warpnet/MS-RPC…
Who doesn't love a sequel? Part one of our series on secure #enclaves for #offensive operations highlighted how enclaves work and how to develop your own. Part two is out now and shares what we discovered while digging into enclave internals: outflank.nl/blog/2025/06/1…
I'm excited to share 𝗥𝘂𝘀𝘁𝗶𝗰𝟲𝟰. A Modern 64-bit 𝗣𝗼𝘀𝗶𝘁𝗶𝗼𝗻-𝗜𝗻𝗱𝗲𝗽𝗲𝗻𝗱𝗲𝗻𝘁 Shellcode Template for 𝗪𝗶𝗻𝗱𝗼𝘄𝘀, written 𝗶𝗻 𝗥𝘂𝘀𝘁! #rustlang #CyberSecurity #redteam github.com/safedv/Rustic64
Windows 11 24H2 broke a popular malware evasion technique! The Lloyd Labs self-deletion method now fails because of NTFS changes, so I spent time with kernel debugging to figure out why and how to fix it. Full technical breakdown: tkyn.dev/2025-6-8-The-N…
I'm happy to announce Neo4LDAP — a query and visualization tool focused on Active Directory environments. It combines LDAP syntax with graph-based data analysis in Neo4j, offering an alternative approach to tools like BloodHound. youtube.com/watch?v=5V22K3… 🧵: 1/4
hOw Do I lEaRn MaLwArE StUfF If you're new to malware stuff, and want to learn malware stuff, go to our paper collection. If you read 10% of our malware analysis paper collection (took notes, seriously understood it), you'd be a fuckin' monster. If you know how to code…
Malware paper statistic breakdown: Windows malware development papers: 721 papers Malware analysis papers: 12,293 papers Linux malware development papers: 65 papers ICS/SCADA malware papers: 94 papers
Attacks against AD CS are de rigueur these days, but sometimes a working attack doesn’t work somewhere else, and the inscrutable error messages are no help. Jacques replicated the most infuriating and explains what’s happening under the hood in this post sensepost.com/blog/2025/divi…
If you're into WinDbg and debugging, check out my GitHub repository! I’ve put together content on getting started, practicing with kernel memory dumps, analyzing user-mode dumps with exploits, and more. github.com/DebugPrivilege…
I've just released Eclipse, a PoC of what I call Activation Context Hijack. This technique redirects any application to load an arbitrary DLL, allowing code injection into any trusted process. More info available on GitHub. github.com/Kudaes/Eclipse
I didn't realize that LoadLibrary allows UNC paths, meaning you can load a DLL from a remote share without writing it to the current host. Doesn't this directly bypass some static/sandbox analysis performed by some security products? 🤔
Analyzing Procmon stack traces is always a great source of knowledge. Today it showed me that in current versions of Windows win32u.dll performs syscalls in a legitimate way. Idk if it's needed, but I guess it can be used as an alternative to ntdll to perform indirect syscalls🙃
Project Zero Blogpost recap for the month: googleprojectzero.blogspot.com/2024/10/the-wi… — @j00ru doing another deep dive into the Windows Registry googleprojectzero.blogspot.com/2024/10/effect… — Nick Galloway's dav1d fuzzing case study (new) googleprojectzero.blogspot.com/2024/10/from-n… — an update on using LLMs to find vulns Enjoy! 🎉
I created a tool designed to simplify the generation of proxy DLLs (I know, a bit late to the game) while addressing common conflicts related to windows.h when redefining an existing function for a proxy DLL. It was a fun project 😁 github.com/Krypteria/Prox…
All the talks from the CrowdStrike Room at #NN12ED are available on Twitch 🖤💛 Day 1: twitch.tv/videos/2266422… Day 2: twitch.tv/videos/2267218… Day 3: twitch.tv/videos/2268060… All available at: twitch.tv/navajanegra
I resisted using @_Kudaes_ dinvoke_rs while learning rust and how to build implants, so I wrote this library for dynamically locating API function addresses and loading dlls. github.com/Teach2Breach/n…
It's always such a great feeling to receive this kind of message. Indeed, an enormous amount of hours have been invested in the Dinvoke_rs project. It started as a small side project to learn Rust and it ended up being the core of all my other tools😅
@_Kudaes_ I’m playing with writing a new github.com/Teach2Breach/T… agent using your github.com/Kudaes/DInvoke… . Really nice so far. Thanks for sharing. I know a lot of work went in this!
Somebody asked if you can run a dll directly without rundll32 as you would do with an exe. You just need to remove the IMAGE_FILE_DLL flag from IMAGE_FILE_HEADER->Characteristics, which can be done with the option -e of github.com/Kudaes/CustomE…. Don't see much use for it tho ^^
