Daniel

@VirtualAllocEx

Followers 7K · Following 14K · Media 93 · Statuses 4K

Founder of RedOps GmbH

Austria
Joined March 2020

Daniel (@VirtualAllocEx) · 5 months
Finally, the first printed copy of the script for my 4-day in-person workshop "Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals". In about 1000 pages, students learn step-by-step and in a very practical way how to build and debug various types of evasive

Daniel (@VirtualAllocEx) · 7 months
I'm currently transferring the learning material for Chapter 13, "Mapped Memory," into the handout script for my upcoming in-person workshop, "Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals," taking.

Daniel (@VirtualAllocEx) · 7 months
In-person workshop announcement: "Endpoint Security Insights: Shellcode Loaders & Evasion Fundamentals". See the link below for full details. Course details in German. Course details in English. #redteam #itsec #infosec

Daniel (@VirtualAllocEx) · 10 months
I believe I've recently made progress in reverse engineering within the context of a specific EDR. Using IDA, I identified an exclusion rule that prevents an entire detection chain, which relies on specific EDR DLLs, from being triggered. By assigning the "correct" name to a

Daniel (@VirtualAllocEx) · 11 months
Not 100% sure yet, but it looks like "bad EDR" is preparing or doing some string manipulation on ntdll.dll, maybe to give ntdll.dll a new special "HaCk1nG" name, who knows? 😉

Daniel (@VirtualAllocEx) · 11 months
It has been a while since I set up a DNS Listener in Cobalt Strike. So I have documented it step by step in this blog post. Available in English and German, just switch from EN to DE on the website. If there is anything wrong or not explained correctly, please let me know.

Daniel (@VirtualAllocEx) · 11 months
I was interested in better understanding a specific detection mechanism of an EDR, focusing on fake DLLs, page guard hooking, PEB manipulation, and vectored exception handling - techniques inspired by the game hacking community. I'm not a reverse engineer, but in this blog post

Daniel (@VirtualAllocEx) · 11 months
If there are any mistakes or if something is not described correctly, please let me know.

Daniel (@VirtualAllocEx) · 11 months
I wanted to learn more about using content delivery networks (CDNs) in Azure in conjunction with an Nginx reverse proxy in the context of using Cobalt Strike as a C2 framework. As a result, I've written the following blog post. #redteam.
redops.at

Daniel (@VirtualAllocEx) · 11 months
RT @7etsuo: 🧵 1/n Jerry Cain from Stanford University explains pointers and structs in C, showing a clever way to access struct fields. This…

Daniel (@VirtualAllocEx) · 1 year
RT @zodiacon: Creating a Kernel Object type part 2:.

Daniel (@VirtualAllocEx) · 1 year
RT @TJ_Null: Ever wanted to spin up a GOAD environment in VMware ESXi? Well I decided to dig into it and I wrote a step-by-step guide to…
netsecfocus.com
Setting Up and Installing GOAD or GOAD-Light on VMware ESXi

Daniel (@VirtualAllocEx) · 1 year
If you are interested in learning more about EDRs, malware research, detection engineering, call stack analysis, etc., I highly recommend checking out the blog from @saab_sec, which is full of great detailed posts on these topics. #redteam

Daniel (@VirtualAllocEx) · 1 year
RT @TrainSec: CrowdStrike and the Formidable BSOD – Pavel Yosifovich
scorpiosoftware.net
Adventures in Coding, Internals and Learning

Daniel (@VirtualAllocEx) · 1 year
RT @sh4dy_0011: Here's the second part of my blog series on Compiler and LLVM internals, where I've explained the following concepts: 1. B…
sh4dy.com
Introduction: In the first part of my blog series on compilers and LLVM, I provided a brief introduction to compiler fundamentals and LLVM. We also wrote a simple LLVM analysis pass to print function na

Daniel (@VirtualAllocEx) · 1 year
RT @BalthasarMartin: Today at #Troopers24 we released Certiception – the ADCS honeypot we always wanted to have. Blog:
github.com
An ADCS honeypot to catch attackers in your internal network. - srlabs/Certiception

Daniel (@VirtualAllocEx) · 1 year
In the context of a red team engagement and the preparation of your loader to gain initial access, file aging could play a crucial role in successful evasion (evasion in this context being defined as avoiding prevention and detection without triggering an active alert).

Daniel (@VirtualAllocEx) · 1 year
Microsoft Defender's use of a specific Attack Surface Reduction (ASR) rule to block executables such as .exe, .dll or .scr based on prevalence or trusted list criteria is quite interesting. #redteam

Daniel (@VirtualAllocEx) · 1 year
Compared to other conferences this is not a given, I appreciate it and it may help me to improve my submission next year. In any case, congratulations to all the other speakers who made it and I wish you a super cool time at Troopers 2024.