Josh
@passthehashbrwn
Adversarial Simulation at IBM, tweets are mine etc.
Me and the homies are dropping browser exploits on the red team engagement 😎. Find out how to bypass WDAC + execute native shellcode using this one weird trick -- exploiting the V8 engine of a vulnerable trusted application. ibm.com/think/x-force/…
While you guys were arguing about SharePoint and FireBase I biked 400 miles on a tandem

Bypassing AMSI with your own custom COM interfaces inside the CLR process - an excellent piece by Joshua Magri (@passthehashbrwn). The custom implementation allows allocating and loading assemblies from memory and invoking the Load_2() method instead of the typical call to Load_3(). This…
Azure Arc is Microsoft's solution for managing on-premises systems in hybrid environments. My new blog covers how it can be identified in an enterprise and misconfigurations that could allow it to be used for out-of-band execution and persistence. ibm.com/think/x-force/…
Being a doctor is easy, just do heart transplants on any ol guy and get praise
Red Team is easy, find any flaw anywhere, exploit it and get praise. Blue Team is hard, try to fix every flaw in an enterprise and monitor those you can’t fix for exploit. (And that’s ignoring the thankless politics of it)
I love when people who are trying to sell you courses post stuff like this
Serious question for the collective genius minds of infosec: who’s actually responsible for cleanup after a red team op? Me, mid-exfil, deleting payloads like a janitor with a C2? Or is that someone else’s job? Just tryna do it right before I get yelled at again
Security is when you tell your users to kick rocks if they want to run a program other than Edge. Also our productivity is way down does anyone have any tips?
Oh cool a hit infosec tweet, is it: A) an existing technique rewritten in a useless language B) a "new" EDR killer C) a "new" byte patch D) engagement farming account reposting old blogs
> look inside > byte patch
Stumbled upon this new AMSI bypass. It works by manipulating the COM RPC communication used by AMSI to talk to AV engines. By hooking NdrClientCall3, which handles the RPC calls, we can intercept AMSI scan requests before they reach the AV engine. I wrote a simplified version that…
I am thrilled to be presenting new research on attacking ML training infrastructure at @WEareTROOPERS this summer. Stay tuned for a blog post and lots of updates to MLOKit closer to the conference!
RemoteMonologue - A Windows credential harvesting attack that leverages the Interactive User RunAs key and coerces NTLM authentications via DCOM. Remotely compromise users without moving laterally or touching LSASS. Hope you enjoy the blog & tool drop 🤟 ibm.com/think/x-force/…
As promised... this is Loki Command & Control! 🧙♂️🔮🪄 Thanks to @d_tranman for his work done on the project and everyone else on the team for making this release happen! github.com/boku7/Loki
Unified Platforms for Adversary Emulation and Red Team Operations to the moon
Hey @domchell, I told you Cobalt Strikes are up and Nighthawks are down the other day. My deepest apologies, turns out VIPERS are up and all other C2s are down.
Please buy my red teaming course so you can learn 7 useless derivatives of indirect syscalls from someone who has never red teamed
We'll tell you a secret. Not very many people know this. Most malware development courses and papers cover the same material: process injection, persistence, basic anti-reverse engineering techniques, etc. This doesn't scratch the surface of what malware or malware research is.