
Alice Climent-Pommeret
@AliceCliment
Malware and EDR stuff @harfanglab 🤓 || PTC || Sister of @h313n_0f_t0r & @lauriewired || https://t.co/fqvyNQ57ET
xchg eax, eax
Joined November 2018
Curious about what's happening in the Windows Kernel after a Syscall? I just wrote this post following the workflow from the Syscall instruction to the target kernel routine ⬇️ Thanks again to @Set_hyx for the proofreading!
I just realized something. The advisory says: "This issue does not add additional capabilities to an attacker with administrative privileges to damage the attacked system." Well, that's not true. The PoC allows an attacker to remove EDR/AV files (exe, dll, drivers) and
The vulnerability I've found last year in @kaspersky AV is now patched 🥳.
RT @hasherezade: In case if you wonder what broke #ProcessHollowing on Windows 11 24H2, I have something for you:
hshrzd.wordpress.com
Process Hollowing (a.k.a. RunPE) is probably the oldest, and the most popular process impersonation technique (it allows to run a malicious executable under the cover of a benign process). It is us…
RT @Unit42_Intel: #HeartCrypt, a new #PaaS, packs malicious code with legitimate binaries. Advertised on Telegram and elsewhere, the low co…
✨💅🔥
🏆 Femme Cyber Espoir - FRANCE. 👏 Congratulations to Joséphine DELAS on receiving the Femme Cyber Espoir trophy, presented by Frédérique LEBRUN! Your remarkable talent and your commitment to the field of cybersecurity are paving the way for the future! 🌟🏆 #ecwd
RT @BlackInCyberCo1: 🚀 Contribute to our organization as we provide tools for success, development cohorts and infrastructure for community…
RT @YoursSto: @BrHackeuses are finally on Twitter ❤️🔥 Don't hesitate to follow their account to keep up with the community's activities and…
RT @lauriewired: Think of it like ordering a pizza. MOV is like ordering a pizza and receiving the actual pizza itself, whereas LEA is like…
RT @elasticseclabs: Updated #GHOSTPULSE research from our #ElasticSecurityLabs team reveals a spooky new obfuscation method for defense eva…
elastic.co
The updated GHOSTPULSE malware has evolved to embed malicious data directly within pixel structures, making it harder to detect and requiring new analysis and detection techniques.
A new blog post just dropped! If you want to know more about malicious code-signing certificate hunt go check it out! A special S/O to @securechicken and @ArielJT for the proofreading!
harfanglab.io
Our telemetry has revealed a significant increase in Lumma Stealer malware deployments via the HijackLoader malicious loader.